GDPR aftermath: Sprout IT explores 'what's next' for legal businesses
Nearly 10 years after it was first discussed in the European Union, the General Data Protection Regulations (GDPR) are now law across 28 EU countries. To say that its introduction has been smooth would be a generous assessment. Up until the final few weeks, the Information Commissioner (ICO) had yet to publish guidance on some major aspects of GDPR and was busily revising other advice it had previously pronounced on.
So, 25 May 2018 has come and gone and the sky has not fallen in; can we say that everything’s OK now and that we can get back to business? The answer is no – the likelihood is that we’re in the eye of a storm that will dominate not only the legal sector over years to come but other industries which rely on recording and processing personal data.
Late to the party?
It is fair to argue that, a few months ago, there was a certain amount of complacency within legal firms about GDPR. Writing in November 2017 in Computer Weekly, security editor Warwick Ashford wrote: “most law firms in the UK do not yet comply with the EU’s General Data Protection Regulation (GDPR) ... According to a report by managed services provider CenturyLink EMEA, only 25% of more than 150 legal sector IT decision makers said their firms were GDPR ready, despite the threat of fines of up to €20m or 4% of annual global turnover for serious data protection failings under the GDPR.”
The more worrying aspect of Warwick Ashford’s report is that the quarter of firms whose IT decision-makers reported that they were prepared were just giving their own opinion. This was not the opinion of an outside auditor with specific and deployable experience in readiness for, and compliance with, GDPR.
Things have changed since that article was published. There appears to have been an industry-wide concerted effort to get ready for GDPR at both board level and within individual firms’ IT teams. This drive has led to the publication and distribution within legal sector firms of many new policies, procedures, and best practice guidelines.
But have your staff been adequately trained on these new policies, procedures, and best practices? Do they even understand them, considering the length of time it has taken for the ICO to provide guidance that can be relied upon? Will staff adhere to new policies, procedures, and best practices when they’re processing personal information? And do they know what they need to do to protect that personal information?
The answer – and this answer is not just confined to the legal sector – is probably no. Individuals now have greater data subject rights than ever. Privacy advocates will argue that there are many benefits to these changes in that we can now feel safer sharing our information with organisations as the rules surrounding how that information is handled are a lot stricter than before.
However, it is this strictness that will cause companies the biggest headaches as they adapt not only their IT systems but the way their staff comply with these new rules.
Despite the best intentions and the fitness for purpose of new policies, procedures, and best practice guidelines, your staff present the biggest threat to your business under GDPR through their lack of knowledge and ongoing training.
Staff need to understand the regulations and their practical application both to your firm and their responsibilities. It will be your staff who manage and use personal information, so they must understand the processes and policies governing them and the reasons behind those processes and policies.
This will take time, patience, and ongoing training. Introducing and nurturing a culture among frontline staff that is compatible with GDPR compliance will mean that, through periodic testing and in reaction to real-life lapses, you can identify on an employee-by-employee basis whose knowledge is lacking and provide them with support.
Ongoing training will also be required to provide those who manage your staff with full knowledge of how the regulations apply to the responsibilities of their team or the department they are in charge of. GDPR brings tough new reporting requirements on data breaches and it’s critical that a manager recognises a potential breach because, even with training, a staff member may not.
GDPR requires organisations to complete a data protection impact assessment (DPIA) before carrying out any processing likely to result in a higher-than-normal risk to individuals’ interests. Many advisors argue that companies should perform DPIAs before any change in how data is processed as a demonstration of best practice.
Once a DPIA has been performed, the results should be shared with both frontline staff and their managers so that there is a wider awareness of those employees’ specific data processing responsibilities in an organisation.
Article 30 of GDPR requires your organisation to keep records of how it processes personal data. This should remain an ongoing exercise so that those responsible for compliance in your business understand what data is held, why it is held, and if those reasons are compliant.
Auditing is another important consideration in the GDPR era. Many recommend that an annual audit program is instituted across an organisation and its individual departments to ensure continued compliance with particular reference to how data is processed and its potential impact on the subject whose data you’re holding.
Your practice has been through the preparation stage – that was hard enough. Even harder will be ongoing implementation and compliance with a sometimes frustratingly complex set of regulations. And it will be these regulations which will make or break some firms in the legal sector.
For companies with 250 staff or more, outsourcing a data protection officer (DPO) until a full-time staff replacement is recruited is the likely course of action. Smaller firms will likely choose an outsourced DPO on a permanent basis to prevent future disaster. Either way, the world changed on 25 May and you’ll need to adapt to the new reality.
This article appeared in Briefing May 2018.