Industry interview with Archive Document Data Storage: What's up, Docs?
This blog post was also featured as an industry interview in the September 2017 issue of the Legal Practice Management magazine GDPR supplement. To read the issue in full, download the supplement.
The General Data Protection Regulation (GDPR) is less than a year away and practices must know how to process data ‘correctly’ if they want to survive. But where to start?
Natasha Rawley, aka the File Queen at Archive Document Data Storage (ADDS), says GDPR preparation is an enormously complex task for most businesses – and even more so for law firms that are run on client data.
“Law firms store vast amounts of personal and sensitive information on clients. A fairly standard document might include passport information, addresses or dates of birth – and all of those are considered sensitive pieces of data under the new regulation.”
She adds that every firm will be expected to store, maintain and protect data in an accountable way – but that may be particularly challenging for SME firms which have limited resources compared to their larger counterparts.
Fortunately, says Rawley, there are steps firms can follow to help smooth the path to compliance. “Legal businesses can create an information asset register, register IT equipment assets, classify files, create a retention schedule and become ISO 27001-certified – a security standard which helps prepare firms for some GDPR requirements.”
Practice managers are capable of implementing these changes themselves, she adds, but there are resources and organisations they can turn to for help.
“There is an enormous amount of information on GDPR compliance out there from organisations such as the Information Commissioner’s Office and ADDS. But firms also have the option of hiring GDPR experts, such as our team, to help them tackle their new compliance requirements.”
IDENTIFY AND FORGET
Rawley says legal businesses are used to regulatory upheaval and should be able to meet the GDPR’s requirements by May 2018 – as long as they start preparing now.
“Firms know all about regulation change but they shouldn’t underestimate the scale of effort needed to become GDPR ready. New processes will need to be introduced and embedded across the business, and that takes time.”
But businesses can’t begin to implement new processes until they know what data they’re accountable for. As such, Rawley says, the first and perhaps most important step is creating an information asset register – a record of what information the firm holds (including documents), what form it’s in and where it’s held.
“Data transparency is enormously important for GDPR preparation. An information assets register will help the business not only understand where information is and in what format, but what the risks are as well,” says Rawley.
She adds that hard-copy documents should be barcoded and tracked by software to form an audit trail – enabling the business to track when they’re signed in and out. A similar process should also be undertaken for the business’s IT equipment assets, so the practice knows where the equipment is and who it is assigned to.
“Laptops or USB sticks with databases on them will need to be managed in an accountable way as much as central filing systems.”
Once a record has been created, firms will find it easier to search for data if a client requests to access information held on them or wants to be forgotten. Rawley says: “The right to be forgotten is a key component of the GDPR – firms must know what data is stored on an individual, and where, to ensure it’s all deleted.”
Once firms know what types and forms of data they hold and where it’s stored, they need to determine how long the information can be kept.
“The GDPR is going to change how long firms can keep data – which will vary depending on what the information is and who it is held on.” As such, she adds, firms need to develop a retention schedule to determine when data should be destroyed – which should be applied to employee as well as client information.
A key way to ensure the firm stays compliant once it knows more about what to do with data and documents is to become ISO 27001 accredited. This qualification is the international standard and demonstrates that a business is following information security best practice.
“ADDS became accredited in 2013 – it involves using an audit company to check that the firm is compliant, though practice managers can run internal audits as well.” These audits, together with the firm’s information asset register, will demonstrate to the ICO that the firm has taken steps to ensure compliance with the new regulation.
“The fines for a data breach under the GDPR are severe – 4% of global annual turnover or €20m, whichever is larger. But the ICO has said it will take businesses’ compliance efforts into account if they’re breached, so it’s enormously important for them to demonstrate that they’re taking it seriously.”
GDPR YOU LOST?
But if practice managers are unsure about how to get the ball rolling, help is at hand. Rawley says there are numerous online resources which can advise businesses on preparing for May 2018.
“The ICO has conveniently published its step-by-step programme to GDPR compliance – which can also be found via the ADDS website. ADDS also has a specific page on the regulation which includes blog updates, LPM articles on the GDPR and even an information asset register template.”
She adds that while these resources are excellent, firms may prefer face-to-face guidance from an external adviser on how to streamline GDPR compliance.
“As we all know, it’s one thing to read about something and another to get expert advice from trained professionals. ADDS, for example, will give firms a free consultation and advise them on how to prepare for the regulation.” This includes analysing the firm’s setup and how it handles sensitive data and documents – if it has a records management and effective retention policy in place – and making a series of recommendations for change.
GDPR compliance can seem like a daunting process, particularly when the punishment for a mistake could be so severe. Firms still have time to become compliant as long as they do their research and put the right processes in place now. Rawley says that if firms need assistance she and her team are on hand to help.