This article was originally featured as an industry column in the April 2018 issue of LPM. To read the issue in full, download LPM.
GDPR is here! Oh yes, May is around the corner and the GDPR legislation is lurking. It’s really not that scary, though, and you still have time to implement changes to help you become compliant.
Where are the tools you need to help you? Well, we’ve spent the last two years not only building up a great page on our website for you, but also creating a smart tool: a quick GDPR checklist centred around your record and information management processes. You can download it at www.archivestorage.net/news/gdpr.
Here are some extracts: Throughout the GDPR journey, the team at ADDS have been focusing on records and information and helping our clients prepare their processes to cover some of the elements we think will be required around GDPR.
- Information asset register – do you know what information you have? This includes both physical and electronic files. This is a great time to run a full audit of all the places your firm stores information – databases, hardcopy client files, client wills, deeds, laptops, practice management software, and so on. Use our toolkit to help: www.archivestorage.net/iar-tools.
- Now that you know what you have, how do you audit and keep track of this information? If you have company laptops, phones, USB sticks and hard-copy client files on your site, you should be barcoding them all and running audit checks. How will you know there’s been a data breach if you haven’t run an audit? The GDPR means not only knowing what you have, but also being responsible and protecting the information and data you hold. There’s a lot of software out there that can help you do this – there’s an overview of what you should be looking for on our site. Just click on the PDF link on this page: www.archivestorage.net/activeweb.
- So, you know what you have and audit it to check it’s safe. Now you need to make sure you’re destroying it when you need to. A large part of the GDPR is making sure your company isn’t holding on to information for longer than necessary. If you don’t currently have a record retention guide then you need to put one together, publish and share it and train your firm with buy-in from all levels. We know this can seem like a rather daunting task so we have put together a great page to help you. On this page is a template to download and populate, as well as some really useful links to pull together your firm’s retention guide. If you already have a retention guide in place it may be worth reviewing. We recommend all our clients review their retention guides every six months: www.archivestorage.net/news/file-retention-tips.
Also ask yourself whether your clients are aware of how long you hold on to their information. Is this stated in the letter of engagement? If not, it should be. Some firms have placed a link to a record retention policy page from their website in their letter of engagement in case the retention guide ever needs to be changed. This way clients can have direct access to the information. It’s also always a good idea to let the client know why you need to keep their data.
So, there you have it – some quick tips to help you prepare for the GDPR from a record and information management point of view.