The FinTech team at City law firm Fox Williams has prepared a GDPR action list setting out all pertinent actions for FinTechs and finance providers.
The FinTech team at City law firm Fox Williams has prepared a GDPR action list setting out all pertinent actions FinTechs and finance providers should be taking to get themselves ready for this regulatory change. This special report looks at a couple of critical issues – privacy notices and data breach reporting.
GDPR will almost certainly require you to update your privacy notices. This would also be a good time to think about designing the customer journey around privacy, putting the customer’s interests first and allowing them to easily understand how their data will be used. This table summarises the key GDPR issues and a list of actions to consider:
What the GDPR says
Much of the information to be supplied is the same as under current law, but some additional information must be provided depending on whether you are collecting the information directly from data subjects or from a third party, including details of:
• the data protection officer;
• the legitimate interests relied on, where applicable;
• transfers to third countries and safeguards;
• data retention periods;
• data subject’s rights, including new rights of portability and erasure (right to be forgotten).
✔ Review privacy notices to make sure they include the required additional information.
While there is a requirement for more detail, privacy notices must also be:
✔ concise, transparent, intelligible and easily accessible; and
✔ written in clear and plain language.
✔ Consider use of layering (providing brief summary information with links to more detailed information), just-in-time information, privacy dashboards, use of icons etc. as part of a customer journey built around privacy concerns.
A “personal data breach” refers to any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It may be as a result of a sophisticated hack, or is more likely to be an everyday issue such as falling for a phishing email, or losing a laptop or storage device containing unencrypted personal data.
The legal requirement to notify a personal data breach is one of the more significant changes brought in by the GDPR. Because of the enormous impact a data breach can have in terms of damage to reputation as well as the level of fines involved, it is crucial that businesses do all they can in the run up to GDPR to: (i) reduce the risk of a data breach and (ii) be prepared in case a data breach occurs.
What the GDPR says
You must notify the ICO of a data breach without undue delay and where feasible within 72 hours, unless the data breach is unlikely to result in a risk to individuals.
If the breach is likely to result in high risk to individuals, you must also inform data subjects “without undue delay”, unless an exception applies.
Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
✔ Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
✔ Develop (or update) an Incident Response Plan for managing data breaches.
✔ Set up a personal data breach register to record the facts relating to any breach, its effects and the remedial action taken.
✔ Put in place a response team including compliance, tech, marketing, PR, financial, legal.
✔ “Rehearse” the plan to make sure everyone understands what is required.
✔ Review data breach / cyber insurance and consider if it needs to be updated.
With only a few months to go until the GDPR comes into effect on 25 May 2018, it is essential that businesses get on track with their GDPR compliance programmes. We provide clear, commercially pragmatic advice on data protection compliance and preparation for the GDPR. We can carry out a comprehensive GDPR readiness assessment, with gap analysis and recommendations to help determine which business processes you will need to review and implement in preparation for the GDPR. We provide strategic advice on:
• Drafting privacy policies, data retention policies, and incident response plans
• Data processing arrangements, including due diligence on vendors, and drafting and negotiating data processing agreements
• Data protection and HR, including drafting staff data protection polices, communications monitoring, recruitment and selection
• Advising on personal rights, including the right to be forgotten, data portability and subject access requests
• International data transfers, including implementation of Model Clauses, Privacy Shield and Binding Corporate Rules
• Compliance with e-marketing and cookie regulations
• Carrying out a data protection impact assessment or compliance audit
• Provision of data protection training to staff
• Dealings with the ICO and other regulatory authorities, investigations and proceedings
• Second opinions and checking post-implementation changes
In the event of a data security breach incident we provide rapid legal support to mitigate legal risk including compliance with reporting requirements, communications to data subjects, service providers and other stakeholders, and handling legal claims. In the event of such an incident, please contact us.
Nigel Miller is a founder partner of Fox Williams LLP and leads the firm’s data protection, privacy and cyber security work. Nigel is a Certified Information Privacy Professional – Europe (CIPP/E)). He can be contacted at firstname.lastname@example.org