GDPR 101

Implementing the new data protection regulation successfully must be a priority for the whole firm, not just the IT department, advises Alex Loquens

On 25 May 2018, the new General Data Protection Regulation (GDPR) comes into effect. For firms that already have good governance around the data they hold on behalf of their clients, adopting the GDPR shouldn’t be a massive step change, as both the Data Protection Act 1998 and ISO 27001 provide excellent frameworks (if properly integrated with your business process and practices).

Is GDPR an IT issue?

If you’re responsible for IT services within your firm, then absolutely not! The GDPR must be raised at board level, and, if applicable, to your compliance team. The GDPR is about managing your ‘data’, bearing in mind ‘data’ will be captured in many forms by all departments, both electronically and physically.

Certainly, the IT team will play a crucial role in ensuring your firm meets the requirements of the regulation – for example, undertaking a full data-mapping process in order to understand where the data is, who has access to it, whether it is shared, how it is managed and maintained, and by whom. Once the data is mapped, the next step is working with your software vendors to build the GDPR requirements around the ‘right to be forgotten’ and the ‘right to transfer data’ (in a ‘common data format’) into your systems.

This will also cover data backups, long-term retention of data, and how a ‘laser destroy’ (a targeted erasure of a client’s data) across all backup media could be performed if requested by your clients. Importantly, it means being able to demonstrate a sound IT security posture: penetration testing, IT threat detection, management and response, IT incident reporting, and a robust IT and security policy.

Checklist for the GDPR:

  • Statements of the information you collect and process, and the purpose for processing (article 13 of the GDPR).

  • Records of consent from data subjects or relevant holders of parental responsibility (articles 7 and 8).

  • Records of processing activities under your responsibility (article 30).

  • Documented processes for protecting personal data – an information security policy, network security policy, etc.

  • Critical documents – there are a number of these you will need in order to comply with the GDPR, including:

      ◦ Mapping the flow of data across your organisation;

      ◦ A procedure for conducting a privacy audit;

      ◦ Clear and accurate privacy notices;

      ◦ Data breach notification process and procedures;

      ◦ Subject access request templates and procedures;

      ◦ An international data transfer procedure;

      ◦ Consent form templates;

      ◦ Data protection impact assessment templates and procedures; and

      ◦ Information security policies and procedures to keep your information secure.

What about fines?

I’ve heard the phrase “the DPA with teeth” to describe the GDPR, with a large emphasis on the fines.

By way of a recap, the possible fines for a ‘minor’ data breach – for example, if records are not adequately managed from a data protection standpoint, or are incorrect – could be up to €10m or 2 per cent of annual global turnover.

In the event of a ‘major’ data breach, which would constitute the loss of personal data, or the unauthorised transfer of data to a third party, the potential fine rises to €20m or 4 per cent of global annual turnover.

There is a 72-hour deadline within which to submit information on any incidents to the Information Commissioner’s Office, but do bear in mind that those are elapsed hours, not working hours.

Implementing GDPR

Having assisted with the implementation of both ISO 9001 and ISO 27001 in previous roles, I understand how daunting implementing new standards can be.

By taking a considered, pragmatic, sensible, and engaged approach, I’ve found such implementations to be both rewarding and far from a stressful process. The key is to ensure the business works with you to achieve any accreditation or regulation goal.

Particularly beneficial is engaging with the business early, and providing a factual, non-technical overview that can be easily understood and digested by all, setting out what needs to be done, when, and by whom.

As a battle-hardened IT professional, I strongly urge all firms to raise GDPR as a business risk rather than an IT project: it should not be ‘owned’ by the in-house IT team and function, but instead logged on the risk register and managed accordingly by the business.

Alex Loquens is IT director and data protection officer at Lodders, and sits on the firm’s GDPR committee
