It’s been a year since the GDPR legislation came into force on 25 May 2018.
As we wish GDPR a very Happy 1st Birthday, now’s a good time to take stock. Consider how your firm has responded to the major legal changes that were introduced through the new regulation.
In the lead up to its implementation, GDPR dominated the news agenda. Businesses were told of the prospect of huge fines and sanctions for non-compliance. But, has this actually been the case?
Fines for non-compliance
Since it was enforced last May, reports say that European data protection agencies have issued fines totalling €56m for GDPR breaches. That’s from more than 200,000 reported cases. Around 65,000 were initiated on the basis of a data breach report by a data controller, while about 95,000 were complaints. Over half of the overall cases have already been closed, with 1 percent facing a challenge in national courts.
With the financial stakes for data failings being much higher than ever before, firms can’t afford to be complacent.
Take your pick of the surveys, but the general message is that many firms are still failing to be GDPR compliant. This puts their businesses at risk and leaves them open to fines.
How to be compliant
If you’re one of those firms, here’s a timely reminder of what action you should take to comply with the GDPR:
1. Bring your partners on board
Being compliant with GDPR isn’t just a question of software. Software will play a major part but GDPR is also about considering privacy every time your firm processes personal data. You may find that some of your processes need to be reworked. Similarly, reinforce the broader understanding amongst your staff of how to manage data.
With your partners and leadership team on board, you will have the necessary support to devise the new processes your firm will need.
Working closely with your IT team, you’ll be able to implement these processes, making the best use of the available technology.
2. Consider appointing a DPO
Some firms are obliged to appoint a Data Protection Officer. For other firms it may well be a prudent step to take. It may even be that you become the DPO! You or your DPO will take on the responsibility of understanding the nature of your data estate. Essentially this means all of your firm’s data. In addition, the DPO will work with your IT team to implement your agreed processes and procedures.
3. Understand your data estate
It’s vital that you work out what data you have and make sure it adheres to your new working practices. You can think of data as managed or unmanaged.
Managed data resides in a database, with access controlled by permissions. It can only be accessed through a secure connection.
Unmanaged data is the rest of it: your emails, stored on your PC, phone and tablet, and documents saved locally or “kept safe” on a USB stick, which are probably not encrypted and can easily be lost or misplaced.
It is unmanaged data that is likely to pose the greatest risks to your organisation. In short, understanding your data estate and taking steps to safeguard it couldn’t be more important.
4. Implement new working practices
Once you’ve worked out the nature of your data estate, you need to bring it into line with GDPR working practices and ensure that all new data is generated in line with those practices. This should be relatively straightforward if you’ve set up new working practices and provided your staff with the necessary training.
5. Monitor, review, report
Becoming GDPR compliant isn’t enough. One thing that many businesses may have learned is that GDPR compliance requires constant attention and resource. Law firms are processors of large quantities of personal data.
It’s critical that you have buy-in right across the business, as you need to ensure that you continue to document your policies and procedures efficiently. This should take the form of staff training, auditing of your systems and data and reviewing your working practices.
If you embark on a new area of work then design the whole process with privacy in mind and don’t be tempted to add it on at the end. Considering privacy from the outset will make the implementation of the new working practice fit seamlessly alongside your other GDPR processes.
How to survive – and thrive – under GDPR
By using the right software products your firm is in a strong position and you should be able to implement the vast majority of processes without having to disrupt the way you and your colleagues work.
GDPR is not designed to make our working lives more difficult. It’s about protecting data – and the rights of those individuals the data relates to.
Therefore, it’s essential to work with a software company that you can trust, that understands your responsibilities (and theirs).
In addition, they should appreciate your need to drive efficiencies and improve your services, whilst maintaining and increasing profit margin.
This is the key to surviving – and thriving – under GDPR.