12 steps to help your legal firm prepare for GDPR

As you will have seen in the news, legislation relating to data protection is drastically changing from May 2018 in the form of the General Data Protection Regulation (GDPR). We understand the importance of compliance for legal professionals and firms due to the nature of the sensitive work they undertake. This legislative change will affect every staff member within your firm and we hope the following will provide you with initial guidance on how to prepare yourselves for GDPR.

What is GDPR?

The GDPR was approved by the European Parliament in April 2016 and will replace the 1995 data protection directive. GDPR intends to strengthen and harmonise data protection for all EU individuals and applies to any company that holds information about an EU citizen, which means it can impact companies globally.

As the EU is the UK’s largest trading zone, the UK will still be expected to adopt the GDPR, or something very like it, regardless of the eventual deal reached by the UK Government as part of Brexit negotiations. Therefore, it is vital that all UK businesses start to prepare for the changes that are coming, especially as non-compliance can lead to hefty penalties of up to €20m or 4% of a company’s turnover, whichever is greater.

What can you do now to prepare?

The additional compliance requirements may be viewed as a burden, even costly and disruptive. However, regardless of size, businesses should also view GDPR as a great new opportunity to enhance their information security practice from technical, governance and legal perspectives.

To help prepare for GDPR, here are 12 steps that the Information Commissioner’s Office advises that you take now:

Awareness – Make sure that senior management and key people in your organisation are aware that the law is changing and the impact GDPR will have on your business.

Information you hold – Document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

Communicating privacy information – Review your current privacy notices and put a plan in place for making any necessary changes ahead of GDPR implementation.

Individuals’ rights – Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

Subject access requests – Update your procedures and plan how you will handle requests within the new timescales.

Legal basis for processing data – Review the various types of data processing you carry out, identify your legal basis for carrying it out and document it.

Consent – Review how you are seeking, obtaining and recording consent and whether you need to make any changes.

Children – Start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.

Data breaches – Make sure you have the right procedures in place to detect, report and investigate a personal data breach.

Privacy by design and impact assessments – Familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.

Data Protection Officers – Designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.

International – If your organisation operates internationally, you should determine which data protection supervisory authority you come under.

How MHA Moore and Smalley are preparing for GDPR

As a fellow professional practice, MHA Moore and Smalley are leading by example and making changes to prepare for GDPR. As such, we actively encourage you to update your contact preferences to ensure you still keep receiving all our latest news, blogs, reports and event information. To do so, simply click here, enter your details, select your preferences and click the ‘subscribe now’ button at the end of the form.

A version of this blog originally appeared on the website of one of our MHA association member firms, Carpenter Box.