We will help you to prepare for GDPR
We are pleased to tell you about our swift and structured approach.
We also offer private training sessions for your organisation or clients.
One size definitely does not fit all. Whilst GDPR has a uniform set of rules to follow, every organisation, including yours, uses data in different ways and many organisations already have some form of governance in place in respect of data.
Consequently, we urge any organisation that is offered 'template' policies or an 'IT solution' to exercise great caution about the risk it may well be running. In recent years, our legal sector auditing team has recorded more non-compliances than we can easily count that were caused by organisations relying on template plans, policies and procedures.
Our approach is far more comprehensive and tailored to each organisation. We offer a diagnosis before we propose a treatment!
Phase 1: We conduct a fixed price gap analysis of your organisation and provide you with a detailed report, including details of what you need to do or consider to plug any gaps. Having received our report, some organisations feel happy to then amend their governance documents for themselves, but for those that would like us to assist, we move to Phase 2.
Phase 2: We visit your office to meet with the relevant key people in your organisation to discuss and map how your organisation uses data and how it would like to use data. Then, back at our own offices, we draft the new plans, policies and procedures for you (or augment your existing ones). Critically, before delivering the new/revised documents to you, we also review the data control aspects for Lexcel or SQM compliance if your organisation holds either of those standards.
Phase 3: Training and support (if required). The most common cause of data breaches is human error; it's one thing to rewrite the rulebook, but it's often something else entirely to actually implement it and effect the changes in staff behaviour needed to meet it. We provide training and support at all levels to help you to embed your new plans, policies and procedures with your staff.
Simply training: Training sessions just for your organisation. We are pleased to provide training sessions (from 90 minutes in duration up to 2 days) with a syllabus ranging from a 'grounding in the real-world implications of GDPR' to 'expanded specialist sessions' that delve into the fine detail of the requirements of GDPR.
Demonstrate that you have prepared
The organisations that we have assisted to the conclusion of Phase 3 are presented with our 'GDPR Prepared' mark.
The importance of effective preparation for GDPR cannot be overstated; this mark communicates to your staff, clients, suppliers and others that you have put in place processes intended to support best practice for data protection.
Having received the mark, you can choose to display it on your website, in email signatures, on business cards and stationery, in social media and elsewhere.
About GDPR: GDPR comes into force on 25 May 2018.
It has implications for every organisation in the UK that handles personal data, and whilst many organisations comply with the existing legislation (the Data Protection Act), a fresh approach is required to meet the requirements of GDPR.
We hear, daily, myths circulating around GDPR, such as:
- 'Don't do anything yet, wait for May 2018 or final guidance from the Information Commissioner'.
- 'Brexit means this EU regulation won't apply to the UK'.
- 'My IT system / network is secure, I don't need to do anything'.
- 'This only applies to the marketing team; they can deal with it'.
For organisations that do not comply with GDPR, the financial penalty can be severe, but that pales almost into insignificance by comparison with the reputational damage. The legal sector, more than most, trades on its reputation and integrity; a dent in either will have serious, perhaps even irreparable, consequences.
Further, the legal sector is already tightly regulated. A breach may attract scrutiny from more than just the ICO. For solicitors, the SRA Code (2011) is clear in this area. Examples of relevant sections of the Code include:
- Outcome 4.1: you keep the affairs of clients confidential unless disclosure is required or permitted by law or the client.
- Outcome 4.5: you have effective systems and controls in place to enable you to identify risks to client confidentiality and to mitigate those risks.
- Outcome 7.2: you have effective systems and controls in place to achieve and comply with all the Principles, rules and outcomes and other requirements of the Handbook, where applicable.
- Outcome 7.5: you comply with legislation applicable to your business, including anti-money laundering and data protection.
- Outcome 7.6: you train individuals working in the firm to maintain a level of competence appropriate to their work and level of responsibility.
The last of these Outcomes is particularly pertinent, as human error is the most common cause of data breaches.
Please get in touch with us to discuss your concerns and requirements.
You can read some of our recent articles on LinkedIn, here.
PDA Legal was delighted to deliver a presentation on GDPR to the Warwickshire Law Society in March 2018. Our session set out, in 'real life' examples and terms, what GDPR entails and what organisations, especially law firms, can do (or at least think about) to assist with their preparations for GDPR becoming 'live' in May 2018.