10 tips for law firms preparing for GDPR - a journey not a destination.
So, if you haven’t heard about GDPR by now you must have been in hibernation for quite some time! It’s coming……soon….. but where are you on your journey?
A small percentage of you will have been aware of the General Data Protection Regulation (GDPR) since it was adopted in the EU in 2016. A larger percentage will probably have become aware around the start of 2017, maybe a few of you have genuinely only just heard about and are starting your preparations now.
In theory, if you are fully compliant with the Data Protection Act 1998 then you are already part the way to being compliant with the new regulation, but may firms will find that they were perhaps not as compliant as they first believed………do you have a large store room full of very old files for example?
I became aware of GDPR towards the end of 2016 when I attended a Data Protection for COLPs course. My firm, like many at the time, did not have GDPR on the radar so I went back to the office and began awareness raising, inadvertently volunteering myself to create a project plan and briefing for the Board and I have been managing our preparations since January 2017.
So what are my ten top tips?
1. It’s a journey, not a destination….
Preparing for GDPR is not about ‘tick-box’ compliance, its about making sure your policies and procedures are sustainable, and that you have a plan for checking your controls, policies and procedures work for your business and are being followed. Yes, you are working towards getting those policies and procedures in place to ‘switch-on’ on the 25th of May but you also need to ensure that they are sustainable.
GDPR enhances many of the provisions of the current DPA 98 but it also introduces new ideas and data subject rights. Are you fully up to speed on ‘the right to be forgotten’, ‘the right to data portability’ and ‘privacy by design and default’? If you are, do you understand what changes you need to introduce to your firm to ensure that you can have workable, sustainable procedures and processes AND to demonstrate accountability?
What is your legal basis for processing personal data? Do you need to rely upon consent or do you have a different legal basis? As a law firm you will be processing under a contract rather than relying upon consent but does all of your processing fall under the contract with the client? Do you process sensitive category data? You need to understand what data your business processes as well as the GDPR requirements for that data. Do you understand the definition of ‘processing’?
3. Information audit
The first, and one of the most important stages of preparation is to conduct a thorough information across all areas of your business – don’t forget that your employee’s personal data is also included for GDPR purposes, it’s not just about your client personal data. You need to document exactly what personal information you process, why you process it and how you process it. Consider any risks to the data during processing for each business area. Treat the audit as a GAP analysis – do you still think you are fully DPA 98 compliant or are there clear GAPs which need to be considered?
4. Plan, plan, plan
Once you have the results of your information audit you should be able to design a comprehensive plan for your preparations. If you have a Project Management Team, now is the time to get them on board! What resource do you have that you can dedicate to the preparations? Your plan will need to be a living, breathing document that you update on a regular basis. Your plan will evolve and grow as you work through the actions (and may grow longer before you know it!)
5. Data flow mapping
Do you know how personal data moves through your business? Can you clearly demonstrate the flow of data through your systems from on-boarding to file closure? It’s important that you have this mapped out (your IT department are your new best friends!) – how can you comply with a subject access request if you don’t know where to look for all the data subject’s personal data? Don’t forget your paper filing systems and off-site storage!
6. Third party systems
Do you use any third-party systems? Most law firms with a case management system will use a third-party system. Through your information audit and data flow mapping you should identify exactly what systems you use but it’s important to also consider where that system stores the data – is it on your network and server or is it held on the third- party server. Does it link to your case management system so you can easily access the data if your receive a data subject request?
7. Awareness and engagement
It’s really important to promote GDPR awareness throughout your business, to all departments and all levels of employees. Engage all business area heads at the earliest opportunity, they are the people who understand how your current processes work on a day to day basis, without them you will not be able to implement the changes you need to ensure compliance. Your IT department, whether internal or external, is a valuable asset – do you understand how your IT systems work on a technical level, probably not so make your Head of IT your new best friend and ensure they are fully briefed on GDPR requirements.
Engagement at the top will make your project run smoother – you will need investment in your project in the form of people resource and potentially a financial investment depending on the outcome of your information audit. You are more likely to secure this resource and investment if your Board, senior stakeholders and investors understand what GDPR means for the business. Remember, it’s not just about avoiding the potentially huge fines, by being compliant you build trust with your clients and professional partners and through better processes you can offer a high level of customer service.
8. Policies and procedures
You will need to conduct a thorough review of your data protection policies and procedures – this will include your retention policy and privacy risk should be included within your risk management framework. You will need to build new procedures for the new data subject rights.
9. Data retention
Law firms have a reputation for storing documents and files for much longer than required for legal and regulatory purposes so now is the time to ‘get your house in order’. Do you have a robust archiving, storage and retention policy? If you do, is it followed? Do you have a secure way to delete files once the storage period has come to an end? What about legacy systems and databases, and cloud systems? Can you securely data that is held on your third-party systems? Again, business area engagement is important to ensure that you meet your legal and regulatory obligations (which means you will have to delete some data).
You can have the best policies and procedures in the world, but they are useless if your employees do not know they exist or do not know how to put them into operation. GDPR is a difficult and dry subject so it’s probably best to break the training down into small chunks. Make it interactive and engaging (or get someone in who can do this for you).
So, after reading this, how do you feel about GDPR now? If you are a compliance ‘geek’ like me then you will feel excited and fired up ready to start your journey. Alternatively, you may be feeling overwhelmed and unsure where to start. Fear not! The ICO have some really useful (and free) resources (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr) or for additional support and quality service get in touch with us at Teal Compliance.