There are lots of scare tactics being thrown about in the media at the moment, trying to shock businesses into paying out for expensive – and not always effective – GDPR services. But as lawyers will know all too well, there’s no one-step solution to achieving compliance.
So realistically, what should law firms – and other companies – be doing now, to prepare themselves and their systems for the new regulations?
The truth is that it’s different for every business, depending on the scale of data processing, the amount of marketing you undertake and the security of your existing procedures, to name just a few variables. But to help you along the way, we’ve put together a checklist of ten key boxes you’ll need to tick to get GDPR-ready:
1. Ensure employees are clued up
While any business-wide process changes are likely to start from the top, making sure that all colleagues are aware of the changes to data protection law is key. Depending on the size of your firm and the volume of data you handle, this is likely to mean training managers and anyone who is responsible for collecting, processing or managing personal data.
2. Take stock
Auditing is no one's idea of fun, but compiling an inventory of all personal data held by the firm is an essential step towards compliance. For each set of data, record how it was obtained and why, who has access to it, whether it is up to date and accurate, and whether it is still needed. This applies to all personal data, whether stored electronically or on paper. For law firms, examples include marketing lists, accounts system records, address books, information published online and any deeds or wills.
3. Review privacy policies
Make sure that all privacy policies and notices within the firm are current, and update them where necessary. Staff then need to be told about any changes and trained to follow the new policies; a policy nobody follows does nothing to keep sensitive information secure.
4. Understand individual rights
Under the GDPR, individuals have the right to access their data and to have it corrected, transferred to another provider or erased, and those rights must be observed. Ensure everyone in your firm is aware of these rights and knows the correct procedure for handling any such request.
5. Keep an eye on the time
The timescales for responding to access requests under the GDPR are tighter than at present, so everyone needs to understand the need for a speedy response and the consequences of missing a deadline, which can include complaints to the regulator and enforcement action. A Data Subject Access Request, for instance, must normally be answered within one month of receipt, extendable by a further two months only where requests are complex or numerous.
6. Check for consent
The rules on consent are tightening, so review how the firm currently obtains it and how clients are told that their data has been collected. Pre-ticked boxes, silence and inactivity will no longer count as consent, and the ICO will be cracking down on misleading tick boxes and other unscrupulous methods of gathering information. Check that any personal data you are storing on your systems was collected with the full awareness and freely given consent of the individual, or under another lawful basis, and that you can demonstrate this.
7. Ensure your files are secure
Along with hefty fines, data loss or a breach can be a nightmare for your day-to-day business operations. So review the protective measures you currently have in place, particularly around cyber security, taking files out of the office, use of personal devices, remote working and business continuity if systems go down. Remember too that under the GDPR a breach that is likely to put individuals at risk must be reported to the ICO within 72 hours of you becoming aware of it, so your incident procedures need to cover detection and notification as well as prevention. In short, make sure you haven't slipped into a state of digital complacency.
8. Prepare yourself for change
There's no doubt about it: the GDPR will require you to change what are probably firmly ingrained habits. If your audits and reviews highlight areas for improvement, however small, make sure you know what your next steps are to implement them. And if they show that certain uses of client data just won't cut it under the new regulations, for marketing purposes for instance, consider what alternative methods you can use going forward.
9. Turn problems into solutions
Yes, remedying compliance issues can be a pain. But if you focus on turning problems into solutions before issues arise, your firm will benefit in the long run. Not only will your information be safer, your systems will also be more efficient and your clients will know they can trust you to keep their data secure.
10. Review and repeat
Taking action is crucial, but monitoring the changes matters too. Keeping your firm running like a well-oiled, GDPR-compliant machine relies on you and your colleagues keeping an eye on how all the parts are ticking over. So put procedures in place to review how your plans have worked out in practice, and fix any problems you identify along the way.
We know that lawyers have the legislative side of GDPR sorted, but if you’re in need of some IT expertise to help get your data storage systems and processes in shape, we can help!