Better late than never, we are finally hearing more people starting to talk about GDPR. Whether you are preparing for the changes or not, you will hopefully at least be aware that they are coming. In this ever-changing regulatory environment, who can be blamed for having focused efforts elsewhere?
 
Let’s be honest, it’s not the most thrilling of topics but it’s certainly one to be taken seriously. I will be aiming to break this down into bitesize chunks by producing weekly articles that look at key points of GDPR from an adviser’s perspective.
 
I am still being asked two fundamental questions about GDPR, without answers to which I believe you are unable to begin truly preparing for the upcoming changes. Thankfully the answers are nice and simple.

Question 1: Will GDPR affect everyone? 
The GDPR will apply to all businesses operating in the UK, including all directly authorised intermediary firms. Whether a business is multi-national or a sole trader, the new rules will be applicable. Likewise, this will include several of your clients’ businesses.
 
Question 2: Will Brexit mean GDPR won’t apply? If so, why should we bother preparing?
The GDPR will apply in the UK from 25 May 2018 and the government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. The new rules will be brought in as planned.
 
Finally, to start preparations, we need to understand what data we are referring to and specifically what you hold about your client bank. The GDPR defines personal data as "any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person" (click here for source). As a result, it’s clear that personal data goes far beyond just having someone’s name listed somewhere, and this must be considered as you begin to audit the data you presently hold. For example, you will more than likely hold your clients’ contact details, address, national insurance number, mortgage reference number and possibly health/medical details for life insurance; the list goes on…
 
Ultimately it is important to remember that the GDPR is solely designed to give individuals greater protection and to ensure that their data is secure and not misused or shared inappropriately.  Whilst it may be a long and complicated task to become GDPR compliant, as individuals who most likely deal with several EU companies on a daily basis, we will personally derive benefits from this in the same way that our clients will.
 
Please feel free to visit our dedicated page here to find out more, and keep an eye out for next week's article.

Riona Mulherin
Head of Marketing & Operations
Paradigm Mortgage Services

In last week’s article, we established that the GDPR will be applicable to all businesses operating in the UK from 25th May 2018, irrespective of the UK’s decision to leave the EU. The next logical step is to undertake an audit of the personal data you hold.
 
There are many ways you may wish to do this. From our experience, we would start from scratch and consider every single place that data is held or processed, what format the data is in, who has access to it and what happens once it has been processed.
 
This can be a daunting (and boring!) task but the sooner you start, the better. I would recommend using an Excel sheet or something similar which will allow you to have several columns to record various factors about the data you are auditing. I have noted a very small and basic example below which will assist you in mapping out all of the data you store.
 
Don’t forget that this needs to be done at a company level, i.e. capturing all of the data held by your colleagues and team members, and not just you as an individual. It’s really important to make sure that every individual fully captures all of their data, in order that you can assess if it is GDPR compliant or not. Failing to do so could mean you leave yourselves open to a breach, which will have repercussions both financially and reputationally, and will mean all of your hard work in preparing for the changes will have been wasted. Auditing in this way means it is very easy to add additional items to the list as and when you think of them. I know when we did it, items were continually added for a number of weeks, and I now feel confident we have a comprehensive understanding of the data we’re dealing with.
 
Going through this process should also help you to have a bit of a ‘data detox’.  Data that you no longer need or are holding on to unnecessarily can be removed from the black hole of documentation we all have!
 
Once the audit has been done, you will then be able to identify areas in which you already comply with the new legislation, or start to think of the next steps and the processes/policies which will need to be implemented to become GDPR compliant ahead of the deadline.
 
Riona Mulherin
Head of Marketing & Operations
Paradigm Mortgage Services

If you have looked at the ICO’s ‘12 steps to take now’ document - hopefully you have, but if not click here! - you’ll recall that they identify the first step as ‘raising awareness’, by which they mean ensuring that key personnel within your organisation know what the GDPR is, the changes it requires in order to comply and the timescales in which this must be done. There is no doubt that this is important, but it doesn’t address what I believe is a crucial step: all other staff must be fully briefed and trained too.

In last week’s article I discussed that when you carry out your data audit, this needs to be done at a company level, capturing all of the data held by your colleagues and team members, and not just you as an individual. It’s essential that every individual fully captures all of their data, in order that you can assess if it is GDPR compliant or not. Clearly, by bringing your team on board with these activities, they should be able to assist, whether by helping to identify ways in which your firm stores or processes personal data that you may have forgotten or may not even be aware of (such as administrative functions that are undertaken but that you would never get sight of), or by identifying potential issues or areas requiring additional security.

Getting team members involved from the start, so including them in the data audit process (which is arguably essential) and then the subsequent changes which are required in your business, will be extremely beneficial for the successful implementation of these changes and ongoing compliance with the new regulation.

Every company will have different approaches to how they get staff members involved and I won’t try to teach you to suck eggs but your plans to do so should ultimately achieve the following goals:

  • Staff understand the key elements of the GDPR and how this differs to existing law
  • Staff understand the importance of adhering to the new law as well as how their actions can have consequences
  • Staff know who to report potential issues and concerns to

Once this has been achieved, it will also be important to establish ways in which you will maintain GDPR compliance within your team. You may wish to provide team members with a statement to sign which states that they understand what is required of them. Likewise, you may wish to revisit this - for example, on an annual basis - to demonstrate ongoing compliance. If you’re feeling mean (!) you could ask staff to read your data protection policy and what is expected of them, and follow this up with a mini test. Any measures that can be taken to keep GDPR at the forefront of everyone’s mind will help to reduce the risk of a breach.

Similarly, you may wish to establish steps for onboarding and training new members of staff to ensure they are aware of your expectations relating to GDPR compliance and any relevant company policies and procedures. Whilst this may previously have been a ‘please sign here’ at the bottom of a page of writing, you may wish to rethink this approach going forward.

I don’t wish to scaremonger but quite simply, failing to communicate the changes to everyone within your business could mean you leave yourselves open to a breach. This would have repercussions both financially and reputationally, and will mean all of your hard work in preparing for the changes will have been wasted. Communication is key! Maybe not a topic for your work Christmas party though….

Riona Mulherin
Head of Marketing & Operations
Paradigm Mortgage Services

This article does not constitute advice, and I would recommend seeking expert advice on any matters you are unsure of, whether this is from a legal team or your compliance provider. All contents of these articles are merely intended to support, complement and possibly enhance activities you are undertaking to become GDPR compliant.

I hope you have all had a wonderful festive period and enjoyed some relaxing time off before the madness begins again for 2018 (if it hasn’t already). This year as an industry we face several regulatory challenges that will keep us on our toes and each will require careful attention in order to successfully implement the necessary changes. Of course, one of these challenges is the GDPR. With just 140 days to go until this takes effect, my top tip for starting the new year is to undertake a data detox! Quite simply, minimising the data you hold and process will minimise the risk of misusing or losing this data under the GDPR.

Of course, there is what we can call ‘essential’ data which has a specific purpose for your business. Whether it is your client’s address or a copy of their passport required to process their mortgage, this is data you need in order to carry out your job.

As discussed in my second article you will hopefully have undertaken a full audit covering all of the data held by all team members within your firm. I would be extremely surprised if, as a result of this audit, you had not identified what we might call ‘non-essential’ data that is being stored. I would define this as any data that is still being stored despite no longer having a purpose or use, that will not need to be referred to in future, or perhaps a duplicate of data that is being stored in a GDPR compliant way elsewhere. For example, you may have downloaded documents which contain personal data and these could sit in your documents on your PC, your downloads, or even in your recycle bin – yet they are still available on a password protected site online meaning the downloaded version does not need to be saved elsewhere. Simply deleting these versions would minimise the risk that you could breach GDPR standards, and you can be safe in the knowledge that the information is still available should you require it. Indeed, ‘My Downloads’ and the ‘Recycle Bin’ (or ‘Trash’ if you’re fancy and using an Apple device!) are often forgotten when we think of places that personal data may be stored, and it may well be about time we had a bit of a spring clean!

Data and the GDPR are going to be a much-talked-about subject over the coming months. Start working now on getting ready for the changes and do ‘future you’ a favour.

Riona Mulherin
Head of Marketing & Operations
Paradigm Mortgage Services

Probably my most frequently asked GDPR question in the last two weeks: do we need to have a Data Protection Officer (DPO) under GDPR? In this article I’ll try and outline the requirements and considerations and hopefully you’ll still be awake by the end of it…

Whilst there are new obligations relating to DPOs in the regulation, for the vast majority of readers from intermediary firms, I expect the answer will be no. To confirm, you must appoint one if you:

  • are a public authority (except for courts acting in their judicial capacity);
  • carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  • carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

Source: Click here

Some of you might be wondering what a DPO is actually required to do. The minimum requirements are specified as:

  • To inform and advise your company and employees about their obligations to comply with the GDPR
  • To monitor compliance with the GDPR, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
  • To be the first point of contact for supervisory authorities (e.g. the ICO) and for individuals whose data is processed (such as existing or prospective clients).

Source: Click here

Of course, you may already have a DPO in place and just because you are not required to have a DPO, you may still choose to appoint one. Either way, you must ensure that your organisation has sufficient staff and skills to comply with the GDPR.

Whether you formally appoint a DPO or simply have someone who will cover these tasks, there are two options: choose to contract the role of DPO to an external individual, or choose an existing employee so long as their current job role would not have a conflict of interest in doing so. An example of a conflict of interest in this instance might be someone such as an IT manager who may be responsible for the implementation of cyber security programs and software that will protect your data.

Assuming you are a firm that is not required by GDPR to have a DPO, contracting an external individual to do this role would certainly require careful consideration. Not only would there be an expense involved, but you would need to ensure that the individual in question becomes sufficiently embedded in your firm to carry out this role and can demonstrate their ability to effectively monitor your compliance and carry out staff training.

So, should you appoint a DPO?

If you do decide to appoint a DPO, this person must report directly to senior management with regards to data protection matters and should be provided with adequate resource to carry out this role. Under the GDPR, the DPO cannot be dismissed or penalised for carrying out the expected tasks and duties. However, to be clear, they are still liable for their actions and therefore they could be dismissed or penalised for failing to adequately carry out the DPO role.

In order to carry out a DPO role, no specification has been made on qualifications that you would be expected or required to have; however, someone formally designated as a DPO is required to have knowledge and experience of data protection law. This is to be ‘proportionate’ to the type and quantity of the data you handle/process/store, although no definition is given as to what would be considered proportionate.

Perhaps most importantly, whether you have a DPO in place or not, it is imperative that steps are taken sooner rather than later to ensure that the relevant members of staff are fully briefed and trained to ensure your compliance with the GDPR.

Riona Mulherin
Head of Marketing & Operations
Paradigm Mortgage Services

The procedure for making a Subject Access Request (SAR) under the GDPR is similar to that under the Data Protection Act; it’s not a brand new concept and probably doesn’t deserve all the attention it seems to be getting in the press! Fear not - hopefully you already have a process in place that can simply be tweaked in order to comply with the changes. If you don’t, you will certainly need to put one in place, but doing so need not be too difficult.

You will now be expected to deal with requests more quickly, potentially provide additional information and (almost always) do this free of charge. Clearly, the number of SARs that you get will determine the impact of this change on your business.

So, let’s recap the changes under GDPR:

You can no longer charge a fee to provide the information

  • You can charge a “reasonable fee” when a request is considered to be unfounded, excessive or repetitive. You will need to be able to justify this.

You now have one month to respond and provide the information (compared to 40 days previously)

  • If you hold extensive amounts of information you can ask them to specify what they actually want to know (they probably don’t want everything).
  • For particularly complex or extensive requests, you can extend the deadline to 3 months, but must explain to the client why the extension is necessary.

You must make it possible for clients to make SARs electronically (e.g. by email)

  • If requested electronically, you will then have to provide the data electronically, and must provide the information via a commonly used file format. You should also take steps to protect this data, i.e. by encryption.

Will people be encouraged to make SARs ‘just because they can’?

This question has been asked and discussed at length in the press and various other sources, and you could argue that some of this is scaremongering. There is no way of knowing how many SARs you will or will not get as a result of GDPR. However, there is no question that GDPR will continue to be well publicised between now and implementation, and there is a risk that this could be taken advantage of. Some sources have suggested that clients could be encouraged to make SARs in an attempt to make a company breach GDPR by failing to comply in one way or another. In my opinion, there is not much point in speculating on this matter much further; all you can do is establish a water-tight process to deal with any that do come your way.

I’ve outlined some steps to take that will hopefully help you prepare for SARs; needless to say, my advice from previous weeks still stands – if you undertake a thorough data audit and then a ‘data detox’ to reduce the data you hold unnecessarily, you will minimise your risk as well as reducing the amount of data you may have to produce in the event of a SAR.

Checklist of steps to take

  • Update your procedures and get a plan in place for how you will handle SARs, ensuring the plan includes providing any additional information within the new timescales.
  • Train staff on how to recognise a SAR, and how to deal with and respond to these appropriately and efficiently.
  • Establish how quickly your firm can isolate data relating to a particular client and then subsequently provide that data in a way that is GDPR compliant.

On this point, I would recommend two things:

Firstly, your data audit (which you have hopefully completed by now!) should act as a comprehensive map for you to identify where data is held. Using this, you should then be able to check each location for data meaning that no data gets missed. You could establish a checklist of locations to check and collect information from which would help any staff who deal with the SAR to be certain they have gathered all of the relevant data.

Secondly, I would recommend doing some trial runs with this. Perhaps choose a client at random and ask staff to follow the SAR process from start to finish, allowing you to check that the process works. You will need to assess all of the data collected to ensure it is comprehensive and nothing has been missed. Doing this with some time to spare will allow you to make any necessary changes to the process and then perhaps test again to ensure it works.

  • Develop template response letters/emails to use with clients to ensure that all elements of a response to a SAR under the GDPR are being complied with in a consistent and professional manner. For example, you could perhaps have one to acknowledge that you have received the SAR and will now deal with it within the timeframes, and one to then be used when you send the data.
  • Clients will be entitled to receive the information in an electronic format which should be encrypted, meaning that you’ll need to look at encryption options in order to be able to do this. I’ll be looking at encryption in more detail in an upcoming blog post.

Remember: failure to provide full personal data details in the correct timeframe following a SAR will be considered a breach of GDPR.

Riona Mulherin
Head of Marketing & Operations
Paradigm Mortgage Services

Consent is going to be crucial for marketing post-GDPR. In fact, if you don’t have it, you quite simply will not be able to market to clients unless you have a legitimate interest or lawful basis/contractual obligation to do so. You’ll need to have - and be able to evidence - explicit and unambiguous consent from these individuals to contact them regarding new services or products that you offer – for example, if you start offering general insurance products or funeral plans that you did not previously offer and do not relate to your existing contract with a client. You will be able to contact clients without consent if it is necessary to do so as part of your contract with them, e.g. Paradigm sending you a proc fee statement email. Under GDPR, if you do not have this consent and continue to market to clients with no legitimate interest, this will constitute a breach, for which you could be reported to the ICO.

It is therefore recommended, and certainly is best practice, to attempt to gather consent from your client bank prior to the GDPR coming into effect.

The GDPR states that “the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language”.

 

So what are the Do’s and Don’ts for gaining consent?

  • DO get consent ‘properly’; this means it should be sought separately to getting clients to agree to your T&Cs by ticking a box. Unconnected to the T&Cs, their consent should be asked for, ideally by making it clear that these are two separate things. You will not be able to make consent mandatory in order for clients to access your service unless it is necessary in order for you to carry out the service.
  • DO gather consent separately for different types of processing by allowing clients to select different options i.e. you could offer them marketing via email, post, text message, phone etc.
  • DO tell people that they can withdraw their consent at any time, and how they would go about doing this.
  • DON’T use pre-ticked boxes when getting consent from clients; you must use boxes which they have to tick, or a similar opt-in method which involves them actively selecting to give their consent. Your tick boxes might say something such as ‘Yes please, I would like to receive communications via email’ and so on.
  • DON’T assume consent unless a client has explicitly given it. If you seek permission and no affirmative action is taken by the individual being contacted, you will be unable to contact that individual again unless it is to fulfil a contractual obligation or you have a legitimate interest to do so.

It would therefore be an extremely worthwhile exercise to start seeking explicit consent from your client bank now, if you do not already have it. This may be a time-consuming exercise, hence we recommend starting early.

There is clearly a fine line with regards to content which may be considered contracted content or marketing – e.g. a newsletter which may give market/investment performance updates or similar may be something a client expects as part of your agreed and contracted service to them. If it is part of this contract, then we believe you would not require additional consent; however, you may wish to get further legal advice on this. If the newsletter also advertises additional new services that you offer, then this would be deemed marketing, for which you do require additional consent. It would be prudent in my opinion to err on the side of caution if you do not have consent in this instance. Ultimately, you may end up with a segmented database of: a) clients who you can contact for marketing and contractual reasons, b) clients who you can only contact for contractual reasons, or c) prospective clients with whom you have no contract but have consent to market to. As a result, you may take the aforementioned newsletter and send out three versions tailored to the type of consent that you have.

 

What if clients don’t reply?

As I have mentioned, you cannot assume consent and if you continue to market to clients without consent and with no legitimate interest, you will be breaching the GDPR.

There is of course, a pretty high likelihood that you will end up with a smaller database of clients to market to because of this, however, there is surely value in knowing which clients are truly interested in hearing from you. If you do not get many responses, perhaps you should reconsider your marketing strategies and the content you are using for marketing your services. Can you create more engaging content which would generate more interest and therefore mean more people are interested in this going forward? In a future blog article, I am going to look at how to get prospective and existing clients to sign up post-GDPR.

 

Emails from Paradigm

What better time then for me to seize the opportunity to ask you for your consent for Paradigm to continue marketing our services to you post-GDPR? You can visit our GDPR Consent page here to give your consent (meaning we won’t keep asking you for the next 4 months!), plus you may be able to adopt a similar style page for use with your own clients.

Riona Mulherin
Head of Marketing & Operations
Paradigm Mortgage Services

Finally! We are starting to see and hear people talking about GDPR on a wide variety of platforms, and hopefully you’ve all at the very least been thinking about the changes you’ll need to make in order to comply. It’s certainly something you should be taking seriously, as failure to comply will mean you leave yourselves open to a breach, which will have repercussions both financially and reputationally. Plus, it will mean all of your hard work in preparing for the changes will have been wasted.

 

Big numbers

The GDPR brings new obligations to firms in terms of reporting data breaches, with regard to notifying the supervisory authority (the ICO in the UK) and the individual(s) whose data may have been breached. If you fail to notify relevant parties about a minor breach when you were supposed to, this will result in a fine of up to €10 million or 2% of total global annual turnover (whichever is higher). If you fail to notify relevant parties about a major breach, this results in a fine up to €20 million or 4% of total global annual turnover (whichever is higher). A ‘minor breach’ would relate to a company failing to meet its obligations i.e. a data security breach. A ‘major breach’ would relate to the infringement of an individual’s privacy rights. Needless to say, either of these fines is a huge increase by comparison to the £500,000 maximum available to the ICO at present.

Further details around this can be found in Articles 33 and 34 of the GDPR.

Not that I imagine this will affect anybody reading this, but to get an idea of the scale of these changes there is a great example raised in this article: in November 2017, Hilton were handed a $700,000 fine for a huge data protection breach. The fine, however, represented just %.00006 of Hilton’s annual revenue in the year of the breach. Had this breach occurred under the GDPR, they could have faced a fine of up to 4% of annual turnover ($46.7bn) – a pretty significant increase!!

Whilst naturally these new fines should be taken seriously, not every breach of the GDPR will result in such serious fines; the ICO will be able to impose these fines at their discretion and look at each case individually. They also have a range of other powers to ensure a company’s compliance with the GDPR, including issuing warnings or reprimands, banning them permanently or temporarily from data processing and ordering them to erase the data they hold.

Before imposing a fine, the ICO will consider aspects such as the type of personal data involved, whether the breach was intentional or due to negligence, any activities taken to try and reduce or mitigate the damage caused, the duration of the breach and its severity. They will also look at how long it took to report the breach to them or how they found out about it (if it was not reported).

 

Avoiding a breach

All of this comes back to taking comprehensive measures to ensure all staff comply with GDPR in the first place, establishing proper reporting procedures and investing in thorough staff training – all of which reduce your risk of a breach. As discussed in Article 3, getting team members involved from the start, including them in the data audit process (which is arguably essential) and then the subsequent changes which are required in your business, will be extremely beneficial for the successful implementation of these changes and ongoing compliance with the new regulation.

Staff training (including onboarding new members of staff) should ultimately achieve the following goals:

  • Staff understand the key elements of the GDPR and how this differs to existing law
  • Staff understand the importance of adhering to the new law as well as how their actions can have consequences
  • Staff know who to report potential issues and concerns to

Once this has been achieved, it will also be important to establish ways in which you will maintain GDPR compliance within your team. You may wish to provide team members with a statement to sign which states that they understand what is required of them. Likewise you may wish to revisit this - for example, on an annual basis - to demonstrate ongoing compliance.

Riona Mulherin
Head of Marketing & Operations
Paradigm Mortgage Services

Spring has finally sprung! With the arrival of March and the end of the snow (hopefully!), we now just have 77 days left until GDPR takes effect. I’ve said it before and no doubt will say it again… now is the time to get rid of personal data that you don’t need to hold.

As discussed in my second article you will hopefully have undertaken a full audit covering all of the data held by all team members within your firm. If you haven’t done this yet, it really is crucial that you do this in order that you’ll have time to react to your findings ahead of the deadline on 25th May.

I would be extremely surprised if, as a result of this audit, you have not identified what we might call ‘non-essential’ data that is being stored. By that I mean any data that is still being stored despite no longer having a purpose or use, that will not need to be referred to in future, or perhaps a duplicate of data that is being stored in a GDPR compliant way elsewhere. For example, you may have downloaded documents which contain personal data and these could sit in your documents on your PC, your downloads, or even in your recycle bin – yet they are still available on a password protected site online meaning the downloaded version does not need to be saved elsewhere. Simply deleting these versions would minimise the risk that you could breach GDPR standards, and you can be safe in the knowledge that the information is still available should you require it.

What better time for a spring clean of the data you hold?

Riona Mulherin
Head of Marketing & Operations
Paradigm Mortgage Services

These articles do not constitute advice, and I would recommend seeking expert advice on any matters you are unsure of, whether this is from a legal team or your compliance provider. All contents of these articles are merely intended to support, complement and possibly enhance activity you are undertaking to become GDPR compliant.