Would your staff know what to do if data was lost or stolen?
What has your firm done about GDPR?
Along with cybercrime and anti-money laundering, data protection is one of the fastest-moving and most vital areas of compliance. Information Commissioner Elizabeth Denham has warned businesses to prepare now for what she referred to as “the biggest change to data protection law for a generation”. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of GDPR.
Given the vast amounts of highly sensitive personal data handled by law firms, there is going to be a need for greater accountability and scrutiny on the profession to ensure these responsibilities are taken seriously. It is not just IT teams that will have to ensure that data is held securely with a clear audit trail; data controllers (those who actually use and manage the data) will also need to be aware of their responsibilities and be prepared.
Businesses failing to comply with the GDPR could face dramatically increased fines. Currently the ICO can issue penalties of up to £50,000. In future, the upper limit will be 20 million Euros or 4% of turnover, whichever is greater.
Our experts assist firms to prepare for the GDPR with a comprehensive programme, including:
- a full data protection compliance assessment to analyse your firm’s current data protection measures, identify areas of deficiency and establish what measures will need to be taken to ensure compliance under the new regulations;
- a review of existing systems, policies and procedures against new regulatory requirements and provision of any necessary new systems, policies and procedures tailored to your firm’s circumstances;
- training of your firm’s Data Protection Officer (DPO) and staff at all levels of the firm to ensure they have sufficient awareness of how data protection relates to their particular roles.
Following the assessment, we can give you advice and support on all aspects of data protection compliance, in particular:
- rights of clients and staff in relation to their data held by the firm;
- client and staff consent;
- Subject Access Requests (SARs);
- changes to client care documentation/terms of business;
- steps to take to safeguard data and monitoring of procedures to keep track of data;
- physical security arrangements;
- practical steps to avoid data security breaches;
- changes to file opening, file management and file closing procedures, risk assessment procedures and file review procedures to ensure adequate consideration is given to data protection requirements;
- remote/home working;
- mobile devices;
- removable media;
- conflicts and confidentiality;
- procedures regarding data sharing;
- necessary steps to take when another company processes data on your behalf;
- retention and destruction of data;
- appropriate handling of data security breaches.
There is no time to waste when it comes to preparing your firm for the impact of the GDPR on your processes and understanding the practicalities of implementing any changes required under the new legislation.