Following feedback from a recent ICAEW training webinar on the topic, you may have been forgiven for believing that the new General Data Protection Regulation (GDPR) was to take effect a year from now and not, as is actually the case, this month.
The majority of the webinar’s attendees had not begun vital measures to comply with the new regulation and, more shockingly, it was clear that many did not know where to begin at all.
GDPR comes into force from 25th May 2018. As my colleague Ian Plunkett notes in a previous post, if you have been adopting a ‘head in the sand’ approach to this far-reaching EU regulation, now is the definitely the time to emerge, and prepare for imminent changes in the way our personal data is obtained, handled and governed.
It is also worth bearing in mind that large professional firms are more likely to suffer harsher judgement for GDPR non-compliance, not only by the Information Commissioner’s Office (ICO), but by clients and associates. While GDPR can appear to be confusing and unwieldy at first sight, with no grace period for organisations to familiarise themselves with its requirements, immediate compliance will be expected.
As a starting point, it may be helpful to tackle the essential components of GDPR in a simple ‘step by step’ approach. The steps taken will largely depend upon the size and culture of your organisation, and will involve ensuring your policies are fully in line with GDPR requirements.
Begin with awareness
Start simply: by ensuring your company’s key decision makers and client-facing staff are aware of the regulation and its potential impact, such as in the case of a data breach. Training in this area is vital. If a risk register exists in your firm, this is a useful position to start from.
Additionally, it would be wise to appoint a Data Protection Officer or a GDPR lead, whose role it will be to raise awareness within the firm, provide training and advise of individual responsibilities.
Conduct a thorough information audit
A good grounding is provided by the existing Data Protection Act, and by auditing the information you currently hold within your firm, you will be best placed to identify any potential compliance gaps when GDPR comes into force.
Bear in mind that transparent processing is a key GDPR requirement, ensuring a strong need for appropriate data mapping and justification of processes.
Review privacy notices
Amongst other aspects, you will need to explain how personal data is processed in your firm, how long you will retain it for, and note that individuals have the right to complain to the ICO if they encounter any issues.
Privacy notices must be clearly and concisely written, and displayed on websites, in contracts and business terms, and in your firm’s written communications wherever appropriate.
Review access rights
Consider how easy it is for you to respond to clients’ subject access requests under your existing processes. This will help you review where changes may be necessary to accommodate GDPR.
Hopefully, the above guidance has provided a simple and useful starting point on your firm’s route to GDPR compliance. For further reference, The Law Society have developed a twelve-step checklist that covers the regulation in detail, and guidance is also provided on the ICO website.
For advice about general business planning, and how to incorporate new regulations into your firm’s strategy, please contact one of our specialist business advisers at Rickard Luckin.