General Data Protection Regulation (GDPR)
Twenty years after the Data Protection Act came into force, the law on data protection is changing with the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018.
GDPR comes directly from the European Union and will apply throughout all EU member states. Despite the fact that Britain has voted to leave the EU and will cease to be a member state from March 2019, GDPR will still apply to the UK, and the British Government has confirmed that the data protection standards required by GDPR will be passed into UK law in time for when Britain has left the EU. Furthermore, GDPR requires any non-EU entity to comply with the regulations if it handles personal data relating to EU citizens.
The main objectives behind GDPR are:
- To bring data protection requirements up to a standard which makes them fit for purpose in today’s data-driven world, where, thanks mainly to developments in technology, vast amounts of personal data are now available and the means of using and exploiting that data are more extensive than ever before, presenting increased risks to the wellbeing of citizens.
- To make firms demonstrate a clear justification for obtaining personal data and how they use it, and to ensure that the protection of personal data is made a top priority and is placed at the very heart of how they operate.
- To give citizens more power and control over how their personal data is used by increasing transparency and by handing individuals more rights which firms must respect by law.
At IPM we have always understood how important it is to safeguard the personal information which it is necessary for us to hold about our clients. Without sufficiently robust systems and controls in place to keep this information secure, there is a significant risk of loss or harm affecting our clients through fraud, identity theft and many other crimes.
Furthermore, we recognise that individuals have a fundamental right to privacy which means their personal details should not be used in ways they are not aware of. As such, IPM has long taken its obligations under the Data Protection Act seriously and we have well developed systems and controls to comply with that legislation and regulate the way in which the firm handles personal data to ensure the risk of it being lost, stolen or misused is kept to a minimum.
With GDPR, the data protection bar has been raised higher still. Our view on this is that it is a necessary change to update the data protection regulations so that they align with the reality of today’s world, which has seen vast changes in the way personal data is collected, used, stored and shared. Most recently, this has been illustrated by the allegations levelled at Facebook about the lack of transparency concerning what they do with their users’ data, as it has come to light that personal information was shared with a third party who then used it in an alleged attempt to influence how people voted at political elections. In truth, however, it is not just the large tech firms who will feel the impact of GDPR but all companies across the spectrum with access to personal data, who will need to look at how they treat data protection and ensure that they have appropriate measures in place to meet the new standards.
In the light of the new regulations and the guidance issued by the Information Commissioner’s Office (ICO, the UK supervisory authority on data protection), IPM has undertaken a comprehensive review of its policies, processes and procedures to make sure that these fully reflect the main GDPR objectives mentioned above. This has precipitated a number of changes which will strengthen our approach to data protection, both in terms of data held in ‘hard’ paper form and ‘soft’ electronic form. Among the changes we are implementing are more detailed privacy notices which provide our clients with a full explanation as to why IPM needs their personal data, how we use it and who the data is shared with, as well as systems designed to allow clients to freely exercise their right to view the personal data we hold on them within 40 days of requesting it.
The requirement to make explicit the purposes for personal data processing has required us to focus on why we need to obtain personal data and exactly what type of personal information is justified by those reasons. As a result, we now have a clear idea as to the extent of the personal data we require and the extent to which we can utilise it. Anything which goes beyond these parameters must be considered unlawful and treated as a data protection breach.
To put all of this into practice, IPM has put each member of staff through a programme of training so that they have a detailed understanding of GDPR, how it impacts IPM and what is expected of them as they use clients’ personal information to provide a service on a day-to-day basis. As the first line of defence against a data security breach, it is essential that they are well versed in how to handle personal data and in clients’ rights in this respect. Our systems and controls can only work effectively if they are understood and implemented correctly. The staff training programme is a vital part of our efforts to further embed a culture which places data protection at the forefront as a key consideration in how we deliver an effectual and efficient service. The fact that David Sutcliffe, the managing director of IPM, is also the firm’s Data Protection Officer demonstrates that this culture comes from the very top of the company.
Overall, IPM is confident that we are GDPR ready but, with data protection being a moving target as the risks evolve over time, we will continue to monitor our processes and procedures to make certain they are as sturdy as they can possibly be, and to keep abreast of the latest guidance from the ICO on best practice under GDPR. In this way, we are doing all we can to keep the information our clients entrust to us safe and secure.
A copy of our Privacy Notice can be downloaded here.