A practical guide to complying with the new regulations
As we saw in the first blog of this three-part series, the desire for consumers to have greater control of their personal data is the driving force behind GDPR, which comes into force on 25 May 2018.
If you are one of the firms that has been working on this for some time and feel confident you will be ready in time, that's fantastic. However, some surveys suggest that as many as 30% of UK businesses have done nothing to meet the new EU regulation, and that 10% are not planning to do anything about it.
These are worrying statistics to say the least, when you consider that the potential penalties for non-compliance include:
- A written warning, in cases of a first and unintentional breach,
- Periodic data protection audits imposed by the supervisory authority,
- Fines of up to 4% of annual worldwide turnover or 20 million euros, whichever is higher.
Not taking GDPR seriously also carries a commercial cost: research shows that consumers actively avoid companies they don't believe protect their privacy.
So, if your firm isn't as far along as you would like it to be, what can you do? Implementing these changes can seem like a mammoth task, but don't panic. Gary Hibberd, Managing Director of Agenci, has produced a practical 10-step plan you can follow to be compliant in time.
His white paper goes into much more detail, but here is a summary of the steps involved:
- Initiate the project by establishing a cross-discipline team with board level sponsorship
- Raise awareness with a campaign that educates everyone about the impact of GDPR
- Analyse your data to understand the information you have and the associated risks
- Identify and close any gaps in your policies and procedures related to data
- Create a privacy notice that explains how you will use data from employees and customers
- Know the rights of data subjects and make sure you can satisfy them
- Ensure you have a lawful basis for every processing activity involving personal data
- Define an incident management process (including the breach-notification steps GDPR requires) and a crisis management team
- Ensure your Data Protection Officer (if you need one) has the right skills and autonomy
- Make sure you can respond to subject access requests within the one-month period GDPR allows
As well as the people and processes involved in data privacy, it is also sensible to review the technology you have and how well it supports your GDPR efforts. Re-configuring the processes and controls within your systems will almost certainly be necessary. At LexisNexis, for example, we offer a GDPR Readiness Review for both our Lexis InterAction and Lexis Visualfiles solutions.
GDPR is a major issue for law firms, both from a compliance perspective and for maintaining good employee/customer relationships. The clock is ticking and there is a lot to do. However, by starting now and following these steps methodically, there is no reason why you cannot be compliant by the deadline of 25 May 2018.
In the last of our three GDPR blogs, we’ll look at another key issue for GDPR success – getting partners and the Board to take it seriously.
The full 10-step GDPR Action Plan by Gary Hibberd, Managing Director of Agenci, is available to download.