In the first two blogs of this three-blog series, we looked at the reasons behind GDPR, its impact on law firms and the ten steps organisations can take to prepare for its introduction on 25 May 2018.
As we have seen, there is a lot to do. GDPR compliance is a major, wide-ranging project and, like any other major project, it needs the commitment of the board/partners to be completed successfully. So, if you are the one responsible for enabling compliance, how can you make sure you gain that commitment? Here are a few tips.
- Do tell the GDPR story with a ‘winning’ delivery style. It will make your case more persuasive and memorable
- Do clearly set out not only the requirements and the risks of non-compliance (fines, loss of professional standing, damage to your professional reputation) but also the benefits: more trusted customer/employee relationships and a greater propensity for clients to do business with you
- Do make sure you know your stuff and can provide both summary and detailed answers to any questions partners may have
- Don’t go in asking for a blank cheque. Have a plan and budget prepared
- Don’t overwhelm your audience with needless detail
- Don’t scaremonger unnecessarily. Just make sure your audience is aware of the facts and penalties
Some boards may dismiss GDPR as an issue for the IT department. The reality is that nothing could be further from the truth. GDPR covers personal information in whatever form it is held, not just electronic data. Although many law firms have embraced new technology, a significant amount of information is still held in hard copy.
In fact, the Information Commissioner’s Office (ICO) reported that the loss and theft of paperwork accounted for 26% of data security incidents in 2015/16. Data being posted or faxed accounted for 17% of incidents. Under GDPR, these are data breaches that can be fined.
Some boards may also think that GDPR won’t apply to UK firms after Brexit. However, the UK will not have withdrawn from the European Union (EU) when GDPR comes into effect. In any case, GDPR will still apply after Brexit to UK firms that process the personal data of individuals in the EU, for example when providing services to EU clients. Plus, post Brexit, it is likely that the UK will establish data protection legislation in line with GDPR to facilitate easier trading.
GDPR impacts every aspect of the firm and, as a result, the board is ultimately accountable. Consequently, the project needs a board level sponsor and advocate who is going to take the initiative seriously and wants to understand where and how data and information is being managed, processed and stored within the organisation.
By focusing on the positives (risk reduction and mitigation; building trust through clear and transparent data management; and cost savings through improved processes and a reduced data footprint, less waste, and lower archiving/storage requirements), partners will quickly see the advantages of supporting the project.
Putting GDPR on every board meeting agenda now, before it becomes the agenda, is essential.