With the General Data Protection Regulation now less than a year away, most firms are beyond needing to understand the regulation. However, some are still unprepared, risking potentially hefty fines.
For industries handling large amounts of sensitive information, such as the legal and financial sectors, the risks of being unprepared are even greater. With this in mind, we’ve put together 8 questions professional service firms should be asking:
1. Has a Data Protection Officer (DPO) been appointed?
Although in some circumstances appointing a DPO is not obligatory under the regulation, appointing one helps to ensure your firm is able to carry out its obligations. Your DPO can be a current member of staff and is responsible for advising the organisation on the regulation and monitoring compliance.
2. Have you made preparations for implementing and performing Data Protection Impact Assessments (DPIA)?
All professional service firms deal with highly sensitive data day in, day out. Under the new regulation, this means that all professional service firms must complete a Data Protection Impact Assessment before the GDPR comes into force.
3. Have you assessed all points of data collection to ensure that explicit consent is properly requested in each case?
The GDPR requires firms to obtain more explicit consent when holding people’s data. For example, individuals must take a deliberate action to “opt in” to their data being processed. One exception to this rule is where you have a contractual relationship with the individual or the organisation. For most professional service firms, this will remove the headache of getting your clients to “re-opt in”.
4. Have you prepared, documented and communicated processes for managing subject data access requests?
Several changes are being implemented that will affect the way subject data access requests are handled. For example, companies will not be able to charge for the requests, and only a month will be allowed for the request to be executed. As legal and financial firms are often subject to data access requests, this part of the legislation will be particularly impactful.
5. Have processes been developed to allow individuals to amend or delete their personal data?
Whether you’re a family law firm or an enterprise-level practice, individuals must be able to amend or delete their data at their own request. Unless you can show evidence of this process, you may be in breach of the GDPR.
6. Have data retention and destruction procedures been reviewed for all data (including offline) as used by your organisation?
The regulation obliges firms only to hold data for as long as it is necessary. Although this sounds vague, it’s important to define a retention and destruction policy to ensure that you are compliant under the regulation. In some instances, law firms are required to hold their clients’ data for longer, particularly if it forms part of your professional indemnity insurance policy. If this is the case, you should speak to your insurer about how your policy might be affected.
7. Have you made preparations to detect and report breaches as part of a response plan?
Most organisations will have heard about the potentially astronomical fines that the regulation can impose. However, fewer people know about the need to report any data breach within 72 hours of it first being noticed. If a breach is not reported within this time frame, it’s far more likely that a fine will be imposed. That is why it is so important to set up a response plan before any potential breach occurs.
8. Have you prepared for regular compliance audits or reviews to identify and fix issues?
Regular compliance audits should form part of your strategy to protect your business from any potential penalties. Only by regularly assessing your data security and protection policies can you ensure that you are protected.
Although these 8 questions should set you on your path, your journey to compliance will span far wider. All aspects of your business will need to be reviewed to ensure compliance, including your IT, document management and company policies. With just months to go, this may seem like a daunting task; however, there is lots of help out there to get your firm GDPR ready. Click the banner below to download our GDPR webinar run in conjunction with document management experts iManage.