Personal Data & GDPR
What is it & why is it important?
- Any data relating to identifiable individuals: employees, suppliers, clients
  - Names
  - Addresses
  - Email addresses
  - Telephone numbers
  - Sensitive information
- Covered by the Data Protection Act 1998, which sets out legal conditions that must be satisfied in relation to:
  - Obtaining
  - Handling
  - Processing
  - Storing
  - Transportation
  - Destruction of personal information
Personal Data Protection Risks
- Breaches of confidentiality, e.g. information being given out inappropriately, lost or overseen
- Failing to offer choice, e.g. individuals should be free to choose how the company uses data relating to them
- Reputational damage, e.g. TFA would suffer if hackers successfully gained access to personal data
Clients should expect us to look after their data securely and in a professional manner, regardless of any regulations!
The DPA 1998 sets out 8 enforceable principles of good practice. Personal data must be:
1. Processed fairly and lawfully
2. Processed for limited purposes and in an appropriate way
3. Adequate, relevant and not excessive for the purpose
4. Accurate
5. Not kept for longer than necessary for the purpose
6. Processed in line with data subjects' rights
7. Secure
8. Not transferred to people or organisations in countries outside the EU, or without adequate protection
So what if?
- Significant breaches have to be reported to the ICO
- Potential fines for TFA and for the relevant adviser as Data Controller
- Reputational damage and Due Diligence risk
- Potential for TFA to be struck off panels, e.g. Mortgage Panels
- Potential for investigations by the FCA into TFA's compliance
ULTIMATELY RISKS OUR FINANCIAL STABILITY
Future of Personal Data Protection: Act 1998 to GDPR
The Data Protection Act 1998 is being replaced by the much more stringent General Data Protection Regulation in May 2018.
GDPR: What's New?
- General Data Protection Regulation, effective from 25th May 2018
- A complete overhaul of data protection regulation, with extensive updates to what can be considered identifiable information
- Applies across all member states of the EU
- Applies to all organisations processing the data of EU subjects, wherever the organisation is geographically based
- Specific and significant rights for data subjects to seek compensation, rights to erasure and accurate representation
- Compensation can be sought against organisations and individuals employed by them
- Fines of up to 20,000,000 Euros or 4% of global annual turnover
What are we doing about it?
- Future proofing our business: a top-down review of our practices, with guidance and advice from Legal and Tanist
- New policies to comply with DPA 1998 and fit for GDPR: Data Protection Policy, Data Storage & Cloud Computing Policy, Clean Desk Policy, Email Use Policy, Software Installation Policy
- Future audit by the ICO
- Changes to working practices required in order to comply
- Common sense! Nothing more than you would expect of YOUR data being held or used
Key Changes to our working practices
- New Data Storage Rules (Electronic, Paper)
- New Data Use Rules
- New Data Accuracy Rules
- Additional New IT Security Requirements: Bluetooth & mobiles, software installation, email use, internet use, WiFi
To ensure compliance, a number of changes to the way we work are required; these can be summarised by the new rules we have introduced.
Data Storage Rules: Paper Based
- Store securely where unauthorised people cannot see it; think BDMs, family, friends, cleaners and contractors
- Under lock and key when not in use
- Remove all documents with personal data immediately from communal areas such as printers
- Dispose of securely
- Upload all client files to IO and dispose of paper files securely upon completion of the transaction
There is no reason to keep paper; it is a RISK.
Data Storage Rules: Electronic
- Any personal data must be protected from unauthorised access, accidental deletion and malicious hacking attempts
- All personal data to be stored within the EU
- All personal data to comply with the 8th principle when being transferred, i.e. not outside the EU
Data Storage: Where?
TFA Approved Electronic Storage
- TFA Microsoft OneDrive: storage facility for electronic client files/documents prior to uploading to IO. Phone scan, web based, backed up, secure, share facility
- IO: store ALL client files in IO and delete all other paper and electronic copies upon completion of the transaction
- Do not store any client personal data on your PC/laptop's hard drive, handheld and mobile devices, or external storage devices
- Remove all client data from your PC/laptop, any other external storage devices and non-compliant cloud storage locations
TFA OneDrive not only meets the requirements for data protection but offers you a modern way to conduct business. Other cloud systems such as iCloud and DropBox do not conform and should not be used.
OneDrive enables you to sync the documents on your desktop to the cloud so that you can access them from a number of devices (you need to ensure they are secure devices). It also enables us to back up these files and therefore comply with Data Protection regulations.
The documents you store within OneDrive can be shared, when appropriate to do so, with your colleagues within TFA. You can share the actual document, or you can share a link to it and allow your colleagues to edit the document.
With the phone app which accompanies OneDrive you can always access your documents. Within the app you can also scan a document with your phone and upload it directly to OneDrive. This means that your clients' personal data is automatically stored securely and is not being held on your phone as a photograph. Once back in your office you can upload it from OneDrive to IO.
Once your clients' data is stored successfully in IO we recommend removing the files from OneDrive, as the requirement under GDPR is to hold personal data in as few places as possible.
Data Use Rules
- Lock screens when unattended; do not share personal data informally
- Electronic client communications: use PFP Secure Messaging; encrypt emails
- Do not transfer data outside of the EU
- Only access data via secure WiFi networks
Take reasonable security measures when using personal data. It is not acceptable to informally share personal data with friends and colleagues. Personal data must only be shared with those who need to have the information. This is not about you or us not trusting someone; it is the law that personal data is only shared with those who need to have it.
When communicating with your clients, ensure that you do so securely. Email is an open form of communication. Use PFP when communicating with clients. If this is not possible and you choose to use email, then it must be encrypted.
Data Accuracy Rules
The law requires TFA and Advisers to ensure data is kept up to date and accurate by:
- Minimising storage locations: client data to be held in IO and Microsoft OneDrive only, as per the Data Storage Rules
- Updating data at every opportunity and correcting inaccuracies
- Providing clients access to update their details via PFP
- Ensuring all marketing data is compliant: advisers to complete the marketing consent section within the fact find and ensure it is recorded that clients have 'opted in' to receive marketing communications from TFA
It is essential that we minimise the locations where personal data is stored to ensure compliance. It is also important that you take ownership of your clients' personal data and update it at every opportunity.
In order for us to be able to communicate with your clients regarding any financial promotions, newsletters etc., your clients will need to have opted in to receive such information. Please ensure that you are discussing this with your clients, completing the fact find appropriately and updating IO accordingly. Without this consent we are unable to market to your clients on your behalf.
New IT Security Requirements
In addition to the changes in practices for data storage, use and accurate recording, please ensure the following:
- All PC and laptop hard drives are encrypted (new Windows 10 and Macs have it built in: turn it on!)
- Delete old emails with unencrypted personal data
- Set strong passwords; see the TFA Password Policy for examples
- Do not use personal storage devices (USB sticks, external hard drives)
- Cloud based applications: where personal data is entered, only use those identified within the TFA Cloud Computing Policy
- Email and internet use: common sense approach
- WiFi: new networks in TFA offices for guests
- Hard disks must be encrypted
General housekeeping: go through your old emails and delete those with unencrypted personal data. Work through your electronic records and ensure that in the first instance they are transferred to OneDrive and no longer stored elsewhere. As the Data Protection rules stipulate that client data should be held in as few different places as possible, please remove as much as possible and store it on IO.
No external storage devices are to be used: USB sticks, external disc drives etc.
Only use those cloud based storage solutions approved by TFA: this is OneDrive.
Cloud based applications: only use TFA approved applications where personal data has to be entered. All the cloud based applications within the TFA Adviser section of the website are approved as they comply with the relevant data protection rules.
WiFi: new networks for guests have been introduced. Never give guests access to our secure WiFi networks. These are for TFA advisers and employees only.
IT Support: Adviser Compliance
- TFA to provide Microsoft OneDrive facility
- TFA to provide email encryption with WinZip
- PC/laptop hard drive encryption: BeCrypt, cost £45 per device
- IT Support: Dan Massey at Tanist
- Drop in sessions: Plymouth, 19th April 10am to 2pm; St Austell, 21st April 10am to 2pm
- Telephone support from Tanist at a time to suit you
We are here to help you become compliant. We will help install the relevant software onto your hardware and help transfer your files to the new OneDrive system. Support is available from Dan at Tanist and also Charlotte. Specific sessions have been set up when you can come into the office with your technology. Alternatively, you can install these yourself with instructions provided by us, or with assistance from Dan at Tanist over the phone/internet.
In Summary
Future proofing our business, in short!
- Secure where client data is stored, paper free: IO and OneDrive
- Secure how you send clients' personal data: PFP and WinZip
- Secure how you access and update clients' personal data: BeCrypt, secure WiFi, secure Bluetooth
- Only hold client personal data that is relevant for the purpose
- Only market to clients lawfully and in line with their rights: Marketing 'Opt-In'