Business Development

126 | Why GDPR?

In order to consider the viewing of Akademia videos as structured learning, you must complete the reflective statement to demonstrate what you have learned and its relevance to you.


  • Rob Walton, Chief Operating Officer, Intelliflo

Learning outcomes:

  1. Why GDPR has come about
  2. What is the GDPR breach
  3. The main challenges facing firms and how to overcome them


Business Development
Learning outcomes: 1. Why GDPR has come about 2. What is the GDPR breach 3. The main challenges facing firms and how to overcome them PRESENTER: The General Data Protection Regulation known as GDPR, which comes into play on the 25th of May 2018, will have huge ramifications for the financial advisory industry, and in fact any firm that handles data and/or engages in any form of marketing to consumers needs to prepare itself to comply. So in this Akademia unit we’re going to be looking in more detail at this with Rob Walton, Intelliflo’s COO. There’s three key learning outcomes, why GDPR has come back, what is a GDPR breach, and the main challenges facing firms and how to overcome them, but first I asked Rob to explain what exactly is GDPR and why it’s been designed. ROB WALTON: So GDPR, what exactly is this and why was it designed? ROB WALTON: So GDPR is the new data protection regulation. It’s called the General Data Protection Regulation; it’s come from the EU. The reason it’s come about is that it’s necessary to bring the data protection rules up to date to modern society. So if we look at it in the context of our current regime, it was written 1998, the Data Protection Act. It would have been impossible for anybody to have any kind of foresight of where we would be today. And over the last 10, 15 years there have been many examples where it’s become clear that the current data protection legislation, certainly within this country and across the world really, is not really appropriate for this world that we live in, where we have the proliferation of services provided over the internet, interconnected systems, all of our data going everywhere all over the world. And when you look at some of the things that have happened recently with hacking events, it’s certainly clear that people need much stricter guidance and potentially a slightly bigger stick to make sure that they look after people’s data appropriately. Another key part of it has been around this harmonisation of the data protection rules across Europe. Now this GDPR was ratified in April 2016, so it was before the Brexit vote. Now obviously I think most people understand now that GDPR is coming regardless of Brexit, of us leaving Europe, and actually it’s already been, or it’s been written into force under the new Data Protection Bill, which comes into force aligned with Europe on the 25th of May 2018. Fundamentally when you actually go through it it’s a really good piece of regulation. And that isn’t just me saying it; that was also stated in parliament when they were actually talking through the Data Protection Bill. When you actually go through the pieces of regulation and you start to think around if this was my data how would I feel about it, common sense pretty much comes into play and for most of it you go actually this make absolute sense. PRESENTER: Now you did say it was ratified in 2016 and it comes into play May this year, so how prepared then would you say firms are for it? ROB WALTON: A lot of the market is way behind the curve of where they would need to be to be fully compliant with the new regulation come 25th of May 2018. We come across a lot of firms where they’re only now even starting to think about it. They haven’t trained staff. They don’t really understand what the differences are between the existing data protection framework and the new data protection framework. PRESENTER: Well obviously the landscape has changed tremendously since the original piece of legislation was in place, so what sort of changes are firms looking at? ROB WALTON: I guess the big change to the regulation is that what it’s trying to do is to give much more knowledge, give much greater insight to the data subject and give them much increased control over their actual data. It brings in extended rights. So things that the data subject can ask of people who are holding their data. But also to balance that off as well, it also expands and gives much greater guidance to data controllers - so advice firms, technology firms - what are the lawful bases for which they should be processing data. It also expands on some of the key principles that are in the current data protection regime, and it brings something into play around accountability and governance. So when we talk about the principles, we’re talking that data is capturing and processed lawfully, fairly and transparently; that the data that is being captured is specific for the purpose that it’s being processed, so not extra things have been taken; that the data being captured is also adequate, so there’s sufficient data that’s being captured to provide an effective service to the data subject. But it also brings into things like data accuracy. So it says that data should be kept accurate where possible, every reasonable step should be taken to ensure that data is accurate. Data should only be held in the form that it can identify somebody for the period of time that it’s actually needed to provide the service. And then it also talks about security. So it says that data controllers have to ensure that they have the right security and processes in place to make sure that the rights and freedoms of the data subject are protected in relation to their data. Now the final bit it adds to that is that it isn’t OK to just say oh yes we comply with all of that. It actually says that you have to be able to show, you have to be able to evidence that you comply with all of that. So one of the things that you may have to do, or firms will definitely have to do is train their staff on the new data protection regulation, train their staff on information security awareness, fishing. And not just people who do regulated activities, everybody in the firm. But you will need to be able to evidence that that has occurred. And that’s a key part of GDPR, and it’s something that flows all the way through. When you extend that further there’s also the concept of data protection by design and by default. So what that means is that firms will need to think about data protection every time they change a process, every time they add a new process in. They will need to risk assess that in the context of how does this affect the rights and freedoms of the individuals, what’s the risk that there could be a data breach with this policy? And obviously then that moves on to the big headline grabbing pieces, which is around the fines. The fines have been reported as being very large. But there isn’t just the fines that you can get from the regulator, there’s also the fact that within GDPR it brings in the ability for the data subject to sue the data controller. So not only can you be fined by the data regulator, you could also be sued by the data subject as well. And in the context of then do we report a breach? You have to report a breach within 72 hours of becoming aware of it. PRESENTER: Well there’s certainly a lot to think about, but before we go any further earlier Rob came in to give a presentation to explain what exactly is a breach. ROB WALTON: So when we talk about data breaches, people naturally start to think around the big security events related to hacking, so things like Uber and TalkTalk. But it’s important from a GDPR perspective that people understand that a data breach isn’t just the security things that we naturally think about. It also relates to other areas of data management. And what I’m specifically talking about here is the concept of CIA. I’m not talking about the US Intelligence agency; what I’m talking about is confidentiality, integrity and availability. So what does that mean confidentiality? Fairly obvious, somebody only has access to data or has only had access to data that they should have had access to. Obviously a hacker getting in and gaining access to your system, that would be a breach of confidentiality. Integrity: the data is of appropriate quality for the function that is required to undertake. So it hasn’t become corrupted, it hasn’t been changed by mistake. And finally availability, that the systems are available such that the data is available to provide the service to the data subject at the point when they require the service to be provided to them. Now the second piece that we need to consider in relation to breaches is also around the rights and freedoms of individuals. So when we think about this it’s important because when it comes to actually reporting an issue to the regulator, it only needs to be done when there is a risk to the rights and freedoms of the data subject. But you might also have to tell the data subject, and that would be in the situation where there’s a high risk to the rights and freedoms of the data subject. Now what does risk to the rights and freedoms mean? What’s a high right that would cause you to have to tell the customer? Remember all of this has to be done in 72 hours. Well the article 29 working group, the central European body that’s overseeing the delivery of the GDPR regulation, have given some really good guidance on what they see as a breach, and what they see as a risk to the rights and freedoms, and the high risk to the rights and freedoms. And what I’m going to go through now is I’ll go through some examples. We’ve moved into the world of financial services, financial advice, taking some of those examples, and give you some examples so that you can understand what is a breach under those different areas of confidentiality, integrity and availability. So C confidentiality, fairly obvious, this relates to somebody getting access to data that they shouldn’t have access to. Also that somebody might have access or the ability to access data that actually they don’t really require for their job or function. Integrity, this comes down to the quality of the data. Has it become corrupted? Has it been changed such that it’s not therefore going to be able to allow the data subject to have the service provided to them? And finally availability, so availability quite simply comes down to is the data available such that the service that the data subject is relying on, is expecting, is that data going to be available so that the data subject will get the service that they want when they want it. So let’s talk about confidentiality-type breaches. So obviously hacking, somebody breaks into your system, they get access to the data, that’s very obvious. Moving on to a slight extension to that, we have fishing. Now potentially fishing email could be sent to one of your staff, they might divulge some personal information as part of that, even before actually fraud occurring or something being installed onto the machine; just the exposing of a data subject’s personal information could be deemed as a confidentiality breach and may be reportable to the ICO. Then we start moving on to things that are more specific to the financial advice business. So one of the big things that people need to consider and that the Intelliflo working group considered was around staff essentially surfing the system and looking at data subjects and the data around data subjects that they don’t possibly need to. That might be somebody who lives near them. It might be a famous person. From the perspective of the ICO and the data subject that would definitely be a reportable breach. And it’s very important that appropriate training is given around that to make sure that people understand that they definitely should not be doing that. So an interesting example that was picked up by the Intelliflo GDPR working group, and is an example that’s actually given in the article 29 breach notification guidance, is around where a document relating to a data subject is sent via post to the wrong address. So in the example in the GDPR working group we used a portfolio report. And we talked about it being sent, and the postman doesn’t put it through the data subject’s letterbox, it goes to the neighbour. Now, why is this a breach? Well when you think about it, the data subject has a right for their next door neighbour to not have a piece of paper that tells them all about their net worth. And it was agreed and it was also covered in the article 29 guidance that in such an instance that would need to be reported to the ICO, and you would also have to tell the client as well. So when we think about integrity we think around data quality. And a key aspect within a financial advice business is the portfolio valuation, so we think about valuations. There’s potential there that that may not be up to date. Now if incorrect portfolio information was provided to customer, and they were to take action on that, that could potentially be a breach because the integrity of the data meant that they were making incorrect decisions. Another example could be that you haven’t trained your staff correctly, and somebody has been working away and they’ve been making changes to data that now aren’t easily recoverable to put them back to the correct state. So staff training is really important, not just from a GDPR and security perspective, but also on the systems that your staff are working on. The final example is that similar to a poorly trained member of staff, you could have somebody who is maybe annoyed, leaving and have deliberately damaged data, deleted data, changed data. And that’s something that you have to consider once again around training, but also around the systems and controls that you should have in place to prevent that kind of thing from happening. So availability, as I said earlier, is all around the data and services being available for the data subject when they need them. So a really good example of this is actually the big want to cry ransomware attack. And when we talk about that people often think around the NHS. So this is also a good example where you start to understand that a data breach might not necessarily drop perfectly into one category, it could potentially be across multiple categories. So with the ransomware attack malware was downloaded onto machines, it encrypted the discs on the machines and it meant that the data on there couldn’t be accessed. There’s potentially a confidentiality issue there. We don’t know whether people accessed the data or it’s not believed that that did occur. But certainly from an availability perspective patients couldn’t have operations because data relating to them that would allow those operations to occur wasn’t available. A more obvious example relating to firms in the financial advice business might be around things like having paper documents in the office. If they are the only example of those documents and you have a fire or a flood that is without a doubt going to be an availability breach. And it’s very important that people think about what do they do with those paper documents: do you move them into electronic format or do you move them into secure storage? PRESENTER: OK Rob, so earlier you said that although this has been talked about for a while that a lot of firms are only now looking at things. So failure to comply, what would happen in this circumstance? ROB WALTON: Well there are two types of fines if you were to end up before the regulator, and I’ll go through how you can end up before the regulator shortly. But the big headline fine is that you could be fined up to €20m or 4% of global revenue in the event of a data breach. So that’s the big piece. But you could also be fined up to €10m or 2% of global revenue for systematic failure, so controls within the business. As I said before the data subject could also sue you as well. So if we look at TalkTalk. TalkTalk were fined £400,000 by the ICO, which was almost the max of what the ICO currently has available to them. So just for the data breach alone TalkTalk in 2016 if that was post-GDPR they could have been around £58m. So then if we add on to that as well if they didn’t report that breach within 72 hours, which is the new requirement, there could be another £29m on top of that. So suddenly we’re up to some pretty big numbers, we’re up to £87,000 pretty quickly. Then on top of that the data subjects can now sue, could sue TalkTalk, and it isn’t just for material loss, it can be anything down to distress, so there’s potentially a huge amount of exposure there. The reality is Elizabeth Denham, the Information Commissioner, she’s made it very clear, this isn’t about to turn into some new revenue stream for the Treasury. They’re very trying to position people with carrot rather than stick, and they’ve made it very clear that they’re not going to be looking to put business, put them out of business. But I think it’s fair to say that it’s going to be interesting to see what happens post the 25th of May, I think there will be some firms, and big firm will come along like a TalkTalk, like an Uber, and they are going to get hit with a big fine. Now how do you end up before the regulator? As I said you have to report breaches. So if you identify that you’ve had a breach, you have to report yourself to the regulator within 72 hours. Now that’s a pretty big change, because in the current data protection regulation what it says is that if there is a breach and you identify it, it’s best practice that you should tell the regulator. Now, we can tell that people haven’t been telling the ICO, because most of the breach examples, most of the fines relate to public institutions, like the NHS, doctors’ surgeries; whereas private companies appear much less frequently, only when breaches become public. Now the second way that you could end up before the regulator is if a data subject makes a complaint. As I said earlier on there are a number of rights related to a data subject, and there’s the potential that if they feel their rights are not being upheld or respected, they can make a complaint to the ICO. This is very interesting when we overlay it with the fact that as I keep saying the data subject can sue the data controller. So even if the ICO doesn’t fine you, there is the chance that the data subject could still try to sue you for not upholding one of the rights that are stated are available to them under GDPR. So there’s a real risk here that we might be looking at the next PPI, ambulance chasing-type industry, where people are going to be looking to set up businesses that test firms to see how they respond to a data subject trying to draw on their GDPR rights. And if they don’t respond appropriately are we then going to see that lots of these firms are going to be trying to do these no win no fee lawsuits against businesses. And it’s something that firms really need to consider. PRESENTER: Now you did say the rights of individuals were increasing; tell me a little bit more about those, how so? ROB WALTON: Before I go into the rights of individuals it's probably important that I explain the lawful basis for processing because it relates to some of those rights that I will cover in a second. So there are certain requirements that must be in place. You only need one, but it's better to have more than one reason for you to store process data that belongs to a data subject. So the first one is content. The data subject is giving you content for you to capture the data for you to store the data, that's fairly obvious. The second one is to meet a contractual requirement. So the data subject may have given you the data or you've got an obligation to provide a service to them, you need to store their data. The third one is around fulfilling a legal requirement, so this is where regulation comes in. This is one of the key areas where people talk around GDPR and FCA and MiFIID. GDPR doesn't overwrite FCA rules and force advisers to delete data for example that would expose them to a regulatory breach. So the fourth one is what’s known as legitimate interests. And it’s talking about the legitimate interests of the data controller. So say an advice firm. Now why this is important is important is that one of the legitimate interests is that a data controller, an advice firm, has the right to retain data if there is a chance that in the future they may have to defend a legal claim against them. The fifth and sixth examples are lawful basis for processing, more related to public services, so vital interests is that you have to hold the data because there’s a risk to somebody’s life. So for example we’ll talk about rights of erasure but you can have a member of the public come along and say I want you to delete all my health data, if there is something fundamentally wrong with them that might be required in hospital to save their life. The sixth example is in the public interest. So that relates to things like voting registers, tax, national insurance, but as I said those don’t really relate to private firms, mainly relate to the public sector. Now, the rights, many of them are already in the existing data protection regime, but they’re an extension. There’s a number of them which are extensions. So right of access is, currently now people can do subject access requests. Currently you could be charged £10; they have to be free going forwards. The next one is right to be informed. So the right to be informed is things like your privacy notice. That you have the right to know what data is being captured, why it’s being captured, where it’s being stored and how long it’s going to be stored for. And in those, in the data privacy notices it will be referring back to those lawful basis for processing that I talked about previously. You’ll actually be saying we’re going to capture this data, and this is why we’ll be storing, and it’s under this legal basis that we will be storing it. Then we start moving into some of the new ones, right to erasure, which has obviously received a lot of press. The data subject theoretically can ask you to delete the data. Then there’s a new one, an additional new one which is almost a watered down version of right to erasure, which is right to restrict processing. And what that means is that you can’t process the data anymore, you can only store the data and hold it for a period of time. The next one is right to object. So the right to object is also another new one. And what that means is that the data subject has the right to say I don’t think you should be storing my data anymore, you shouldn’t be processing my data anymore. And it’s especially important around where we talk about legitimate interests, where the firm is saying that they need to store the data for example to defend a legal case, or because they believe that it’s fair for them to have the data. And in that instance what happens is the data is then restricted from processing, very similar to restriction of processing. Another new one is the right to data portability, and this is going to be something that’s going to be very interesting to see how it impacts the financial advice business. Now data portability is very much like, you know when you switch your bank account, it’s meant to make it easier for the data subject to move their data from one service provider to another service provider. So like when we move electricity providers, when we switch our bank accounts. The obligation on the advice firm is that they need to provide all of the data that’s been given to them from the data subject in an easily readable machine format, so like an Excel format or something like that, that can then be given to another service provider that would allow them to switch. And the idea is that it increases competition in various markets by allowing it easier for the consumer to switch from one provider to another provider. But what the data subject can also ask is that the current provider should be responsible for providing the data securely to the next provider. So if we consider it from the perspective of a financial advice business, it’s very possible that a customer, current customer could come to that advice firm and say I want to move from you to this other firm, and you are responsible for taking my data, exporting it and providing it to the next provider so that they can then take on my service. PRESENTER: Well before we move on I want to just go back to rights of erasure because this has been making headlines over the past few months and even year. So what exactly does this cover? ROB WALTON: So background to right to erasure is that there was a case of a Spanish businessman who in 1998 had had some debt problems, his house was repossessed, and there was literally a 36-word article put into a newspaper and it was available online. Fairly reasonable for that to happen, that’s common practice in Spain. The problem was that many years later, so 10-15 years later, the guy’s now a successful businessman, but the problem is is that every time somebody Googled his name, this was one of the most prominent things that came up and it was damaging for him. So he requested that Google remove it. They didn’t accept that straightaway, so he had to go the European Courts of Justice, where he got the ruling in his favour. The ironic thing is that him asking for it to be removed and be forgotten, and it’s kind of the Barbra Streisand effect that he wanted it to be removed and now every time anybody talks about right to erasure it’s all about his house being reclaimed because of debt. So that has been pulled into GDPR, and it was one of the key factors for actually pushing GDPR forward and the designing of the regulation. So what it means is that a data subject can come along and say I want you to delete my data. Now a lot of the fear around financial advice businesses has been that well then that means that a data subject can come along and I have to delete their data. And if the regulator comes to me and asks me something I don’t have data, or what happens if they try to sue me in a pensions misselling-type thing, try to sue me in 15 years’ time, but the GDPR, it actually caters for this. And as I talked about the legitimate interests earlier on, we’ve got the fact that you have to comply with local regulations under the legal basis for processing the data. So if a data subject had taken a pension from you and then three years’ later they came and said you need to delete all my data, a financial advice business can quite reasonably turn around and say we can’t delete your data. It might be the case that they could potentially restrict the data, restrict processing of the data, probably not in that instance, they’d probably just say we can’t delete the data; we need it to continue to meet regulatory requirements. But then if we go past the regulatory requirements, we start to think around the financial services ombudsman, and when can a data subject or a consumer, when could they potentially make a legal claim against a firm? Typically it is the, if you look on the website and the guidance they give around timings of when they could, you can make a claim, is that six years after the original business was written. Or three years from the point when you would have reasonably become aware that you had a complaint that could be made. So that potentially could be at almost any point in the future depending on the specific instance of what’s been complained about, but even more than that they actually allow themselves the discretion to basically override all of that. For example it may be that the consumer became aware that they did want to make a complaint. On that day they get knocked over by a bus, they’re in a coma for four years. They wake up, the first thing they think about is ah I need to make that complaint to the financial services ombudsman. And they would allow, in those special circumstances they would allow that complaint to go forward. So the reality of that is that essentially there isn’t really any backstop to when a complaint could be made. So when we go back to the lawful basis for processing and legitimate interests, a data controller does have the right to retain data to allow them to defend a legal claim. So if a client were to come to them and say I want you to delete my data, they’re going to be able to lean on that right of the data controller, the advice firm’s right quite heavily. But what they might have to do is instead of deleting the data, it might be appropriate that they actually apply the restrict processing rule, and that’s going to be very interesting and is going to be a key way in which firms going forwards, having that ability to restrict processing is going to be a key part for them to enable their compliance with GDPR going forwards. PRESENTER: So subject access requests, I’ve heard this mentioned, what exactly does that mean? ROB WALTON: So that’s been a pre-existing capability of consumers to be able to contact a firm and say what data do you have on me? And they need to respond with that data. They need to explain why they have the data, how long they’re going to hold the data for. Now, when we talked about the fact that a data subject can sue a firm, this is one of the key areas where we’re expecting that we’re going to see the legal firms, your ambulance chasers, pushing on firms to see if they respond to subject access requests in an appropriate time and that they provide the correct information. Now, one of the things that the GDPR actually brings in that it actually says that best practice for responding to a subject access request is to provide remote and secure access to the data. And this will probably be a key area that we think that firms are going to adopt customer portals. One because it means that they’re going to be able to provide the data securely, because obviously if you’re answering lots of subject access requests and you’re sending them off in the post, there’s a risk there you might be jumping out the frying pan into the fire. But also that doing, responding to subject access requests through a portal is probably going to significantly reduce the overhead of actually doing it, you know, printing everything off, putting it into envelopes etc. etc. PRESENTER: Well there certainly does seem a lot for firms to get their head around, so what sort of technological solutions are out there to help them? ROB WALTON: Without a doubt across all facets of businesses and industries there is a huge amount of technology that’s available to firms. Talking from a financial advice perspective, the back office systems are a fantastic place for firms to control the data, to control who has access to data. To leverage data quality tools that potentially go off to the third parties, going off to platforms and providers, pulling in the valuations in real time. And that area of capability is an example where even now we don’t see firms really harnessing the capability that they have available to them. We can see on our own platform that we have £12bn of assets that could be valued automatically electronically where people have manually updated them in the last year. That’s a huge amount of wasted time. I think the other aspect is also around how you actually get that technology. So obviously a key requirement is around security and ensuring that you have appropriate security in place. And when you look at like the National Cyber Security Centre’s guidance, they’re really pushing firms to use cloud providers. They’re putting a huge amount of really good quality content on there, where they’re actually going through how they’ve selected providers and why they have selected providers. So if the National Cyber Security Centre is using cloud providers, then other people definitely should do. And the big benefit is that the provider is going to be in a much better position to secure that technology than you are. And I think as people look for technology solutions, they should be looking for how can I get this from a cloud so that I’m only, my only overhead is as a user, rather than actually having to administer it at a lower level. Certainly from an Intelliflo perspective almost everything that we select for running our internal business is delivered via cloud. PRESENTER: And when it comes to GDPR and marketing, are there things that firms need to think about there? ROB WALTON: Yes, so I talked about consent earlier on. But consent doesn’t necessarily mean that you therefore have a right to market to people. You have consent to hold the data; you don’t necessarily have a right to market to people. And that, GDPR are bringing in a much stronger requirement for firms to get very explicit and clear consent that the data subject says that they want to be marketed to. Now if you haven’t got that so far, firms are probably going to need to go out to their customers and get that if they intend to market to them. Now that sounds like it’s potentially going to be an absolute nightmare, but I think it’s important for people to understand that what does marketing actually mean, and what’s the difference between marketing and actually providing appropriate information to customers about services that you already provide. So the thing that we worked through with the working group, our Intelliflo GDPR working group, was that there’s a clear distinction. So if you have a customer that’s got pensions and ISAs with you, it’s not beyond the realms of reason that you would provide information to them about other changes or other things that you’re bringing into that area. However, if you also acquire a car insurance business or a travel insurance business, and you start marketing to all of your customers, sending information about that to all of your customers, that is actually going to be marketing. So you would need permission for that. Having said that in the former example you still have to cater for the fact that you might provide your customer some information on some other ISA information or pensions, and they turn around and say I don’t want you to send me that information anymore. So they still would need to cater for that. But it wouldn’t necessarily be a breach of your marketing to them without them asking. PRESENTER: So overall then what would you say are the main challenges facing firms and what’s the best way for them to be prepared? ROB WALTON: The main challenge that we see right now is just awareness. Awareness within the firm, people understanding what GDPR means, what the difference is between the existing regulation and laws and the new one that’s coming in, and also around security as well. Because fundamentally the breaches that are going to get people into big trouble are security-related ones. For any firm out there right now, absolute base camp it train your staff. You need to have your staff trained on GDPR, everybody in your company. Security awareness, get them trained on things like fishing, because they’re the things that are more than likely are going to cause you problems. Then you also need to start thinking about what data have I got: where did it come from, should I be holding it, what’s my lawful basis to processing? GDPR has the requirement that firms need to have what’s called a data inventory, where you capture that type of information because it allows you to respond to subject access requests. If a customer or a member of staff comes along and says I want to know all about my data, you know exactly where to go. Equally if you have a breach, and you know that it impacted a certain system, you can immediately see what data is going to be impacted. And that’s going to be very important when it comes to this 72-hour framework that people are going to have to have a good handle to know this has happened, this is what it’s impacted. And then the final piece is that you need to think about the rights of the data subject, and have processes in place to allow you to respond to those. Each of those rights that I’ve stated you have to have a process in place that means that you would be able to respond to it in the requirement timeframe. I’d recommend people going to the National Cyber Security Centre’s website. They’ve got some really good blogs and guidance. Equally on our own website at we’ve got a number of papers around GDPR, the working group consultation papers that have been provided to our customers. So people can see how their peers are planning to deal with it. We’ve also got a huge section on cyber security that gives people indication of best practice things that they should be looking to take onboard too. PRESENTER: Well there’s obviously a lot for people to think about, and a lot of changes afoot, and nobody likes change, but overall it doesn’t sound like it’s necessarily a bad thing. ROB WALTON: No, absolutely, I mean we keep talking about the silver lining. There is a huge silver lining to GDPR. There are a number of things that you would put in place to respond to GDPR like getting rid of paper documents from your working practice, using portals. Aside from the security benefit of doing so, it simply reduces the overhead of running your business. You don’t have to pay for paper, printing, postage. It’s much quicker to get information to people, therefore the time required to service the clients, the round trip for getting contracts signed for example, is significantly reduced. When we think around data quality, pretty much all automation that you put into a business relies on having good quality data. What we’ve always seen is that for people to adopt those types of changes, there’s always been the, the barrier has been the effort of change. Well now if you run an advice business, you’ve now got a pretty good stick in which to actually get some of these changes in place, which can fundamentally reduce cost within the business, can increase profitability and increase the scale of the business. PRESENTER: Well we are almost out of time. So what would you say is the main takeaway for viewers today? ROB WALTON: The main takeaway I would say to people right now is get on training your staff, and making yourself aware of the new regulation. Whilst realistically the ICO is aware that it’s going to be a journey for people, they’re not expecting everybody to be absolutely perfect by the 25th of May. But you need to be on a journey, because if something were to happen and you were to report a breach, and what you end up saying is that we’ve done nothing, I don’t think that’s going to be well received. Whereas at least if you’ve started the process, you’ve started mapping out your data, you’ve starting training your staff, you’re going to be in a much better position. PRESENTER: Rob, thank you. In order to consider the viewing of this video as structured learning, you must complete the reflective to demonstrate what you’ve learned and its relevance to you. By the end of this session you’ll be able to understand and describe why GDPR has come about, what’s a GDPR breach, and the main challenges facing firms and how to overcome them. Please complete the reflective statement to validate your CPD.