We will help you to prepare for GDPR
Before you read on to hear more about why GDPR involves you and your organisation, allow us to set out how we can support you in being ready for it.
One size definitely does not fit all. Whilst GDPR has a uniform set of rules to follow, every organisation, including yours, uses data in different ways and many organisations already have some form of governance in place in respect of data.
Consequently, we urge any organisation that is offered 'template' policies to exercise great caution about the risk it is likely to be running. In recent years, our legal sector auditing team has recorded more non-compliances than we can easily count that were caused by organisations relying on template plans, policies and procedures!
Our approach is far more comprehensive and tailored to each organisation. We offer a diagnosis before we present a cure!
Phase 1: We conduct a fixed price gap analysis of your organisation and provide you with a detailed report, including details of what you need to do or consider to plug any gaps. Having received our report, some organisations feel happy to then amend their governance documents for themselves, but for those that would like us to assist, we move to Phase 2.
Phase 2: We visit your premises to meet with the relevant key people in your organisation to discuss the gaps and how they should be resolved, specifically in light of how your organisation uses data.
Phase 3: We draft the new plans, policies and procedures for you (or simply amend your existing ones). Critically, before delivering the new/revised documents to you, we also review the data control aspects for SRA compliance (and Lexcel or SQM compliance, if the organisation holds either of those standards).
Phase 4: Training and support (if required). The most common cause of data breaches is human error; it's one thing to rewrite the rulebook, but it's often something else entirely to actually implement it and effect the changes in staff behaviour needed to meet it. We provide training and support at all levels to help you embed your new plans, policies and procedures with your staff.
GDPR comes into force on 25 May 2018.
It has implications for every organisation in the UK that handles personal data, and whilst many organisations are complying with the existing legislation (the Data Protection Act), a fresh approach is required to meet the requirements of GDPR.
We hear, daily, myths circulating around GDPR, such as:
- ‘Don’t do anything yet, wait for May 2018 or final guidance from Information Commissioner’.
- ‘Brexit means this EU regulation won’t apply to the UK’.
- ‘My IT system / network is secure, I don’t need to do anything’.
- 'This only applies to the marketing team; they can deal with it'.
For organisations that do not comply with GDPR, the financial penalty is severe, but that pales almost into insignificance by comparison with the reputational damage. The legal sector, more than most, trades on its reputation and integrity; a dent in either will have serious, perhaps even irreparable, consequences.
Further, the legal sector is already tightly regulated. A breach might incur the wrath of more than just the ICO. For solicitors, the SRA Code (2011) is clear in this area. Examples of relevant sections of the Code include:
- Outcome 4.1: you keep the affairs of clients confidential unless disclosure is required or permitted by law or the client.
- Outcome 4.5: you have effective systems and controls in place to enable you to identify risks to client confidentiality and to mitigate those risks.
- Outcome 7.2: you have effective systems and controls in place to achieve and comply with all the Principles, rules and outcomes and other requirements of the Handbook, where applicable.
- Outcome 7.5: you comply with legislation applicable to your business, including anti-money laundering and data protection.
- Outcome 7.6: you train individuals working in the firm to maintain a level of competence appropriate to their work and level of responsibility.
The last of the above Outcomes is particularly pertinent, as human error is the most common cause of data breaches.
Please get in touch with us to discuss your concerns and requirements.
PDA Legal was delighted to deliver a presentation on GDPR to the Society of Will Writers in September 2017. Our session set out, in 'real life' examples and terms, what GDPR entails and what organisations can do (or at least think about) to assist with their preparations for GDPR becoming 'live' in May 2018.
You can download a summary version of our presentation for free, by clicking here for the PRINT-FRIENDLY version.