10 Steps to GDPR Compliance: Part 5

by Our Community / Tuesday 25 May 2021 / Published in Blog, Community & Events, Content, Featured, Regulation

A warm welcome to the fifth and final post in the series 10 Steps to GDPR Compliance. In each post, we’ve covered two Steps to help you to become GDPR compliant. By following along and completing these 10 Steps, you’ve been building out the Privacy Framework that will power your ongoing Privacy Governance.

This series is brought to you by Keepabl, named to the RegTech100 for 2021 as one of the world’s most innovative RegTech companies that every financial institution needs to know about in 2021.

Congratulations! We’re into the last two Steps to put in place your Privacy Framework and then you’re into BAU (business as usual). Last week, in Steps seven and eight, we looked at key areas of Data Subject Rights and Processors.

This week, the two Steps we’re covering today continue building out your Privacy Framework:

  • Step 9: Privacy Notices, and
  • Step 10: Training & Awareness

And we have a surprise bonus Step 11 for you – Reaping the Rewards!

By the end of this post you will understand what Privacy Notices are, when you need them, the importance of training & awareness to building that culture of Privacy by Design and by Default, and how to quantify and capture the rewards from good compliance.

(We’ll use ‘GDPR’ for both the UK and EU GDPRs as the obligations here are almost identical.)

Step 9: Privacy Notices

Let’s get some terminology out of the way.

Privacy Policy

The document you’ve had on your website for years that tells people everything about what personal data you process. You’ll also have a separate Cookie Policy (or Cookie Notice) – not all countries demand they’re separate, but it’s the right thing to do anyway: it’s clearer and it’s easier to update.

Both do the heavy lifting in providing the bulk of the required information to data subjects and you typically link to them in a layered manner, from your Data Collection Notice …

Data Collection Notice

The Data Collection Notice, or DCN, is the short, initial, just-in-time notice people see when you collect their personal data, for example when they sign up to your newsletter: ‘We’ll use your email to send you our newsletter in accordance with our Privacy Policy. You can withdraw consent at any time.’

It’s the first part of the layered approach we mentioned above, starting with a short DCN at the point of collection, linking to the more detailed Privacy Policy.

Privacy Notice

What GDPR calls the information you give people with everything about how you process their personal data. Some have tried to call Privacy Policies ‘Privacy Notices’ instead, but it hasn’t stuck. Privacy Policy is what’s on your website, alongside your Cookie Policy. Privacy Notice is the combined information you give data subjects, typically in a layered approach as above.

Transparency

Privacy Notices existed before GDPR, but they are one of the areas that has received a lot of focus since GDPR came in, particularly as they’re the primary way you ensure transparency in your processing: giving full information to individuals in a clear, intelligible way.

Privacy Notices are also the first thing people see, and easy to check for your prospects, investors etc. So, along with cookie notices, they were the focus of a frenzy of activity when GDPR came into force in May 2018.

And of course there are the increased fines, which have regularly been dished out for lack of transparency – starting with the famous €50m fine on Google in January 2019.

As ever, your Data Map helps you draft your Privacy Notices, because it tells you the processing you do, about whom, who you share with, and more.

The Clarity Conundrum

The challenge with your Privacy Notices is to meet GDPR’s requirements of providing all relevant information across a range of topics while making the notice short, easily readable and understandable.

Keeping it Separate

First of all, you can’t bury important information deep in your Privacy Policy; you have to bring it forward to the Data Collection Notice. For example, if you’re relying on consent, you have to say in the top layer that people can withdraw their consent at any time. You also need to bring any unexpected or particularly key information up to that DCN.

Second, you can’t put your Privacy Notice in your Terms & Conditions; they have to be separate so people can easily see them.

And third, if you’re relying on consent, you need to separate out the consent for different purposes as appropriate. That is why cookie policies post-GDPR have separated cookies into categories such as Necessary, Functional, Performance and Marketing.

Specific Notices

It’s not just about the Privacy Policy on your website. You’ll need an HR Privacy Notice for your employees, and we recommend separate ones for job-seekers, option holders and others.

Typically, you keep your website Privacy Policy for members of the public, and keep less public information in these separate notices for particular populations.

Step 10: Training & Awareness

Congratulations – you’ve arrived at Step 10! Over the last few weeks, you’ve:

  1. Identified your Key People
  2. Identified and used your Benchmark
  3. Created your personal data inventory, your Data Map
  4. Carried out projects all based on Remediation and Risk Management
  5. Chosen and implemented your Privacy Framework, including the following steps…
  6. Reviewed your Security and prepared for a Breach
  7. Enabled and prepared to respond to Data Subject Rights (DSRs)
  8. Reviewed and done due diligence on your Processors
  9. Used all this great work to draft your Privacy Notices so everyone knows what you’re doing with their personal data.

Now it’s the final step to make all this come alive: Training and Awareness – making sure this whole Privacy Framework gets put into practice in the right way by the right people.

Training

We should all have had that ‘all hands’ training on Data Protection and Security. There’s a very good reason: every single person in your organisation has an impact on your compliance.

Most personal data breaches are not Cyber Security Incidents (CSIs); they’re non-CSIs such as sending emails and mail to the wrong people. And the UK ICO’s ‘Report a Breach’ form does ask: ‘did the people involved have data protection training in the last two years?’.

So you need to do those ‘all-hands’ training programs, on Privacy and on Security. We recommend the basic training is an annual event, with awareness and training refreshers along the way.

As to ‘who gets what training’, we suggest categorising everyone into 3 levels so you can train them appropriately:

Level 1 – everyone

Everyone gets the basics, so they know GDPR’s principles as they apply in practice, they can recognise a breach or DSR and they know who to go to for more information. Of course, this is the largest group to train.

Level 2 – those needing specialist training

The particular groups, and the extra training they need, will vary depending on your organisation. For example:

  • you’ll want to train Marketing, Investor Relations and similar teams on cookies, cold calling, cold emailing and so on.
  • IT and Security will need training on the specifics of personal data breach response.
  • Customer Support needs training on recognising data subject rights.

Level 3 – those running the Privacy Framework

Those running the Framework will need a broad and deep understanding, and so will need the most training. This will be the smallest group of people.

Awareness

Awareness isn’t just about training, so you’ll use various methods to increase adoption and cultural change, and you’ll do this throughout the year. You’ll likely have people with great experience in this, and you should consider using humour and gamification in all your training and awareness activities.

Use humorous posters, messaging or even interactive events to bring it home in a playful manner. ‘War-gaming’ or ‘table-top exercises’ (where you run through a DSR or breach with the relevant teams, throwing in different challenges as you go) are usually well received and very effective.

Step 11: Reap the Rewards!

The benefits of GDPR compliance are now clear for all to see. For example, Capgemini’s study revealed that a whopping 81% of respondents who declared themselves compliant reported positive impacts on reputation and image.

While much of the activity may at first feel defensive in nature, GDPR compliance has been shown to deliver many positive benefits. As well as an average 1.9X ROI on privacy spend, Cisco’s study confirmed that two-thirds of respondents reported significant benefit in each of these 6 areas, all of which Finance is discussing at present in fields such as digitisation, challenger banks and digital identity:

  1. reducing sales delays,
  2. mitigating losses from data breaches,
  3. enabling innovation,
  4. achieving operational efficiency,
  5. building trust with customers, and
  6. making their company more attractive.

We’re here to help!

Do refresh your knowledge on all things Privacy by subscribing to our Privacy Kitchen YouTube channel! For example, you can see our 10 steps to GDPR compliance video, summarising the 10 Steps in less than 10 minutes.

And don’t forget our award-winning SaaS solution helps make GDPR simple and intuitive for Financial Services organisations from Canaccord Genuity to MML Capital. Our Privacy Policy Pack has all the policies, procedures, templates and checklists you need for GDPR compliance.

Contact us to see how we can turn GDPR into a revenue engine for you and, as always, good luck with your Privacy Framework!

© FintechTalents 2022. All Rights Reserved.