The following is a guest post from Emily Mahoney of Mason Hayes & Curran, the October MCO Webinar presenter. View all MCO Webinars here.
On 25 May 2018, the General Data Protection Regulation (GDPR) will be implemented. Although the GDPR is a European law, it will impact businesses all over the world. Financial services institutions (FSIs) and companies engaged in the Fintech industry, in particular, will need to pay close attention to the provisions of the new regulation. in order to avoid significant sanctions.
As a regulation, the GDPR will be immediately enforceable in Ireland, and the other EU Member States, without the need for domestic implementing legislation. This should reduce the level of national variation relating data protection law across the EU. It also recognises the so-called ‘one-stop shop’ which enables organisations with pan-European operations to benefit from primary regulation by a single national supervisory authority in just one EU state. This increased level of harmonisation across the EU combined with the ‘one-stop-shop’ should make it easier for FSIs and Fintechs that sell products and services across the EU to take a more unified approach to data protection compliance.
The GDPR will impact FSIs and Fintechs in areas such as capturing customer consent, transparency of data arrangements, accountability, data breaches and more. Organisations should consider the following five key steps to assist in preparation for the GDPR.
Gap and Compliance Analysis
Review data sets and their management, including how data is captured, where disclosures to third parties are made and when data is exported to outside the European Economic Area. Ascertain if current privacy notices and policies include a valid method for communicating these disclosures. Ascertain if consent has been obtained for such disclosures and exports where applicable. Review current legal bases relied on for processing personal data and determine whether they would still be valid under the GDPR.
Contracting and Policies
Identify third party contracts related to personal data and develop templates for: data processing agreements for third party service providers, intra-group data processing agreements, and joint control contracts. For contracts already existing with third party providers, consider whether liability should be renegotiated and apportioned differently in light of data processors’ direct accountability and litigation exposure to potential data subject claimants.
Governance
Develop an accountability programme and review process. Draft or amend internal suites of compliance documentation, including a data breach register, data governance records and privacy impact assessments. Where relevant, select and appoint a Data Protection Officer, who will assist with governance measures and general data processing hygiene. Duties of a DPO may include training personnel on data protection and developing an organisational compliance methodology, amongst others.
Security
Those in the FSI/Fintech space may already have in place robust security measures protecting personal data. Still, organisations should review security protocols, and consider integration of security measures specified under the GDPR including encryption and pseudonymisation. An organisation should also draft a template security breach notification and security breach response plan that incorporates response timeframes as required under the GDPR.
Privacy impact assessment and privacy by design
Privacy by design will require organisations to review their processing activities and ensure that data protection compliance is embedded within their services and business processes. Measures to protect personal data must be considered during the entire process of design of a product or service, rather than as an afterthought.
Fortunately, firms already compliant with the Payment Card Industry Data Security Standard (PCI DSS) may be a step ahead in their efforts to become GDPR-ready. The PCI DSS standards, which include ongoing assessment, audit reporting and information security systems requirements, may provide an existing framework from which an organisation can leverage toward achieving full compliance.
Should you have any questions on the above, or in relation to your broader journey to becoming GDPR-ready, contact Emily Mahoney, or another member of the Technology team at Mason Hayes & Curran.
Interested in more? Watch our Webinar, "Prepare Your Firm for GDPR"
Subscribe to our blog to stay updated on new regulation and enforcement priorities.
Are you GDPR ready? Leave a comment below.