Having recently attended Legalex, the UK’s largest legal event for lawyers and law firms, it is clear the sector is not fully prepared for the General Data Protection Regulation (GDPR), due to come into effect in May 2018.
During round-table discussions about the preparations firms are making in advance of the GDPR, responses ranged from firms only beginning to consider the impact it will have, to those who haven’t thought about it at all, or who are adopting a wait-and-see approach.
In just over a year’s time, when the new regulation is implemented, the consequences of failing to comply will be severe, and ignorance will not be an excuse.
With limited time left to prepare, firms need to conduct data mapping exercises to identify all the touch points of their data, so that data security risks can be assessed and countered. Touch points include users, cloud applications, software and, in some cases, third parties. Wherever sensitive data is held, firms will need to map the journey of this information and its lifespan in order to implement robust and appropriate data management systems.
For any medium or large organisation, this will take months to achieve. Complacency about preparing for the GDPR will put firms at significant risk of a personal data breach.
A personal data breach could have many origins. A targeted cyber-crime attack against your company could result in a hack of your firm’s systems. A former employee could retain access to sensitive information after leaving your firm if data management systems are not considered as part of your HR processes. A solicitor could lose a USB stick containing unencrypted data. Personal information that isn’t appropriately marked and classified could be kept longer than necessary, which would place a firm in immediate breach.
Preparations for the GDPR will require dedicated time and resources to undertake. Some firms may believe it easier to accept any fine, should they find themselves in breach, than to complete the work outlined above.
However, the GDPR will replace the Data Protection Act and carry far greater ramifications. If a firm is found guilty of a personal data breach, it will be fined up to 4% of the company’s global turnover or €20,000,000, whichever is greater.
In addition, there will be a significant increase in the number of personal litigation claims: each individual whose data is breached will be able to sue the firm unless the firm can prove that the personal data has not been breached.
While the scale of the task and the time left to prepare seem daunting, engaging an external data security specialist now will provide you with the support you need to make appropriate plans and ensure compliance before it is too late.