GDPR: 10 things you should already be doing
It's been over 100 days since the GDPR came into force. Peter Wright explains 10 key actions your firm should already be taking to actively demonstrate your compliance.
1. Test your data breach response plan
By now, you should have a data breach response plan in place. The next key thing to do is to test your plan and make sure it works.
If your plan names specific individuals or roles, you might find in several months' time that people have moved on or roles may have changed. I've seen some plans collapse into recrimination at boardroom level as everyone tries to dodge responsibility for what's gone wrong. You will only get around this by testing the system regularly - ideally every six months at a minimum.
One thing people may overlook is to make sure they are aware of all the regulators that must be notified in case of a breach. Depending on the type of personal data involved, you may need to consider contacting regulators like the Financial Conduct Authority, in addition to the Solicitors Regulation Authority (SRA) and the Information Commissioner's Office (ICO).
You also need to prioritise the actual individuals whose data has been breached. Don't be tempted to focus so much on your own internal compliance and regulator guidance to the point that you ignore the people that have actually been affected.
The ICO will want to hear you're doing all you can to help the affected data subjects. Remember we could be talking about employees, clients or contacts - whoever it is, you've got to make sure:
- they are supported
- they feel they have not been taken advantage of
- you provide enough information that they can make their own enquiries should they wish
You need to look after them in the way you would a disaffected client. A collective shrug of the shoulders won't look good when the regulators ask you what you have done to look after the affected data subjects.
You may wish to set up a dedicated phone line or email address where people can contact you for information, or send out weekly updates to advise those affected of the progress of your own internal investigation into the data protection breach. Big breaches in 2018 like TSB and British Airways were exacerbated by a perceived lack of support provided to the affected individuals.
2. Review your internal and external communications
Are you using the most secure platforms? Do you have the right methods of security in place? Any system that is (a) unencrypted or (b) based outside of the UK or EU should have been updated by now. If you are using the freely available versions of Gmail or Dropbox for your communications, you may wish to make alternative arrangements.
You should also have stopped using systems like WhatsApp or Telegram by this point. Ensure that you have measures in place to demonstrate your compliance to the regulator should the worst happen.
3. Reconsider whether you need a data protection officer (DPO)
You may have decided in May that you don't need a DPO, but this is a decision that your organisation should collectively review on a regular basis. I'd recommend a review every six months or so.
- the current circumstances of your firm
- your growth plan
- the types of work you are doing
- the sensitivity and volume of the data you are handling
If you already have an existing DPO or your company gains one between now and the end of the year, they should focus on making sure that they understand their role and are going to be effective in the position. They should also register their details with the ICO immediately.
4. Carry out frequent privacy impact assessments (PIAs)
Firms should carry out a PIA on any new major project that involves personal data. This could include:
- new IT systems
- new websites
- new case management systems (CMSs)
- changing offices
- allowing staff to work remotely
The ICO has published a full code of conduct that includes a flowchart to help you determine whether a PIA is necessary.
Some people may feel daunted by the thought of undertaking a PIA. However, the task doesn't have to be onerous or hyper-detailed; it just needs to:
- identify the risks to the personal data associated in the project
- outline what appropriate measures should be carried out to reduce those risks
- detail how you're going to reduce the risks
Updating the PIA regularly will help ensure that responsibilities are transferred as staff leave the company.
5. Apply data retention policies
Firms should be regularly reviewing their archives, CMSs, databases and email inboxes to make sure that personal data is not being held for longer than they have stated in their data retention policies.
There can be very good reasons why some types of data are retained for prolonged periods (eg wills, deeds, notarised documents). However, if a breach occurs involving personal data over a decade old, yet the firm's data retention policy state that such data will be deleted after seven years, you might be left in an awkward conversation with the regulator. Ensure your policy is accurate and being applied uniformly.
6. Register your risks
Make sure your firm's risk register reflects all appropriate risks associated with the GDPR and data protection. The register should be reviewed regularly and updated as part of your firm's wider regulatory compliance activity. Again, I would expect this to happen every six months to make sure it is still compliant with data protection laws and takes account of any new ICO guidance and enforcement.
7. Run regular penetration testing
You should ensure that your firm's IT systems are tested regularly. This should be arranged by an external supplier to fully assess any risks associated with your IT, including:
- remote working
If any problems come to light, act on these straight away and minimise any risks identified.
8. Review remote working practices
Make sure your firm follows best practice in terms of remote working. For example, staff should know not to use free public wi-fi, nor engage in client work in cafes or on public transport (when your laptop screen or a sensitive file can be overlooked by the person sat next to you).
9. Train your staff
Your firm should have a registered training programme that should be refreshed on a regular basis and shown to all new employees as part of their induction.
In this training, you should give staff plenty of examples to help them identify 'social engineering' attacks such as phishing, where fraudsters pose as a familiar firm or organisation.
Bear in mind that attacks like this are no longer limited to emails, but can take place over social media, text message or other forms of media. I've seen examples of people impersonating local authorities over text, asking for council tax payments.
I have also seen emails mimicking voicemail systems. Many CMSs can now send a voicemail through to an email inbox. Fraudsters are now sending fake messages trying to get people to click on a link to apparently listen to a voicemail, while in fact this would install malware or allow access to the PC or mobile device.
10. Keep up to date with the latest guidance
As well as your regular SRA compliance, you should be holding regular risk review meetings to address new regulatory issues, including the GDPR. In these meeting you should monitor updates from the European Data Protection Board and the National Cyber Security Centre, for example. The ICO is producing further guidance on a regular basis.
You also need to keep an eye out for news around the GDPR and enforcement action. Facebook was fined £500,000 for its part in the Cambridge Analytica scandal, a figure that would have been higher had the breach taken place post-25 May.
We will start seeing enforcement action in the next few months following breaches that have taken place under the GDPR, such as the British Airways data protection breach that took place in late August and early September 2018.