GDPR presents new challenges for law firms across Europe. This presentation explains the implications of GDPR and simple strategies to ensure firms are compliant for its launch in May 2018.
GDPR
• EU General Data Protection Regulation
• Effective from 25 May, 2018
• Reinforced with a strict and significant penalty regime
• Affects any organization globally
• Brexit has no effect
• UK Information Commissioner will insist on same standards
What is Personal Data?
• Anything associated with a name or digital footprint
• Health, financial, criminal history, travel history, etc.
• Passport is personal data and is stored for each of your clients
• Photos, documents, videos, scans
• Data stored on your system plus that of data storage providers
Threats and Opportunities
• Financial threats from failure to implement - penalties
• Prevent the endless escalation of data storage
• Implement better search facilities for the business
• Correct implementation adds to corporate credibility
• Your technology can’t support the legislation
Privacy by Design & Default
• By Design
  • All systems should include privacy requirements in design
  • Encryption
  • Pseudonymisation
• By Default
  • All data should automatically be stored securely and privately
• Organizations are now held accountable for both
Eight Key Principles of GDPR
Personal Data shall be processed fairly and lawfully
Personal Data shall be obtained only for specified purposes and not used for other purposes
Personal Data shall be relevant and not excessive
Personal Data shall be accurate and kept up to date
Personal Data shall not be kept longer than necessary
Personal Data shall be processed in accordance with rights of data subjects
Appropriate security to prevent loss of data or unlawful access
Personal data cannot be transferred outside the EU without the same level of protection
Controller & Processor
• Controller
  • Business is the controller of client, prospect and employee data
• Processor
  • Organization that or person who processes the data
Data Subject Access Rights
• Right to Access
• Right to Erasure
• Right to Portability
• Right to Rectification
• Data Breach Notification
• Right to request all data
Financial Penalties
• Level 1 – Up to 2% of revenues
• Reputational cost on top of that
• Not just for a data breach – lack of documentation means you can be fined during an audit
• Level 2 – Up to 4% of revenue or 20,000,000 Euro
• Only if negligent – as in you did nothing to prepare for GDPR
• Must be signed off by business owner – no longer only an IT issue
Finding and Reporting Dark Data
• You must find ALL documents with an individual’s data
• This is not just information in your CRM – it’s documents as well
• You must provide these documents with relevant redaction
• How do you find them?
• Scanned documents? Emails? Faxes?
• How do you provide them?
• Collate documents, redact, report?
There’s no doubt you’ve heard of GDPR – it’s a very hot topic at the moment. But do you know what you need to do to be compliant? What follows is an overview of the requirements of GDPR. It will also detail what we see as the threats to your organization in ignoring or not planning for its introduction, and the opportunities that can come from this in improving the efficiency and effectiveness of your systems.
GDPR is a very large subject, so we are going to focus on the high-level concepts and practical solutions. I’m not going to focus on quoting legislation and legal documents – I am going to outline in a practical sense what GDPR is and how it will affect both your organization and your customers.
We will also cover the impact of Brexit, how to manage the data you hold and how to respond to requests for access to that data.
The EU’s General Data Protection Regulation (GDPR) comes into effect by May, 2018. It is the most significant development in data protection worldwide in the past 20 years. GDPR covers the securing and availability of personal data. It ensures personal data is no longer stored indefinitely without the ability for a citizen to request this information be removed.
The IT world has changed how information is stored. Every organization and government department is now storing massive amounts of data about its customers more easily than ever. Organizations have tended to opt for the ‘let’s keep every bit of information in case we need it’ scenario.
Some regulated industries – particularly tobacco and pharmaceuticals – have put in place ‘data retention rules’, but this is rare.
The EU recognizes that citizens have a right to enquire as to whether their information is held and, if it is, to have it returned to them or deleted if there is no good business reason to retain it.
But wait a minute – isn’t the UK leaving the EU? For a start, these regulations come into effect before Brexit will be finalized. Secondly, this affects any organization that does business in the EU. If you have customers in the EU, regardless of where your business is located, you are affected.
If a post-Brexit UK wants to do business in the EU it will need to implement the same levels of data protection for their clients in the EU. This means data protection laws in the UK will mirror the EU – or the UK will lose out to the EU in global trade.
GDPR affects both small and large businesses and, as such, the fines are in direct proportion to the size of the organization.
GDPR is all about personal data, or information that is associated with a person’s name.
This could be their address, age, health details, financial information, and criminal record.
GDPR is not specifically related to company information – rather, personal information.
So, you are a law firm acting for a corporation – what is the personal data you are holding?
The first thing you get is the passport of the client/representative. This is personal data – a photograph with personal details attached.
This personal data must be able to be searched and retrieved when requested. More on this later.
GDPR has implications both for your own organization and any organization you use for offsite data storage (e.g., in the cloud or hosted).
There is good and bad in GDPR – with both threats and opportunities available to those who take it seriously.
Implementing GDPR practices can stop the endless escalation of data storage from organizations never deleting anything. This change means you can stop your data storage requirements getting out of control.
Getting data storage right will add to your organization’s credibility, and will be a key influencer for other companies to do business with you. Companies will ask their law firm if they comply and go elsewhere if they can’t assure them.
The technology you need to support GDPR isn’t just about compliance. It will significantly improve overall efficiencies, control and client satisfaction.
GDPR brings into focus two key concepts – Privacy by Design and Privacy by Default.
Essentially, Privacy by Design means that any new system introduced into your organization or any change in systems should, ‘by design’, consider the privacy and security of the information.
Think about encryption of documents. Pseudonymisation is not really possible in documents.
Privacy by Default means that any new data should automatically be stored with the highest level of security and privacy settings.
Organizations are held accountable for both and must show they have planned for GDPR and requests for data.
There are eight key principles of GDPR:
1. Personal data shall be processed fairly and lawfully
2. Personal data shall be obtained for a specific purpose and not then used for some other reason
3. Personal data shall be relevant – you can’t store data you don’t need
4. Personal data shall be accurate – if you do store it, customers have the right to correct it if wrong, delete, or view it.
5. Personal data can’t be kept longer than necessary
6. Personal data should be processed in accordance with the rights of the subject
7. There must be appropriate security on that data to prevent loss or misuse
8. Can’t be transferred out of the EU without the same protection
The Controller is your organization – it controls the customer data you hold.
The Processor is the organization that processes the data. It could be you or an external party. They have to comply as well.
An individual can request all data your organization holds on them, including any records that have their names and other personal information.
The individual could be an employee, ex-employee, customer, or subject of a legal matter (whether you acted for them or not).
There is no longer a 10 GBP fee for this – meaning there is less impediment to request.
There is a right to erasure – a little like Google’s right to be forgotten. It means you can’t hold information on people forever.
You have 30 days to respond to any request to provide all documents (redacted where necessary). Users can then request that you delete parts of their personal data.
An organization can refuse to provide the information for good. You can refuse if the information also contains other people’s personal information, or you can choose to redact that other information.
An individual has the right to see all that information, request it be rectified if in error, deleted, and the right to portability.
So, all emails, documents, and photos can be requested in a machine-readable format – PDF is usually easiest.
The right to delete data does not override other laws.
Law firms must keep information for 7 years for legal liability reasons. Financial information must be kept for 5 years.
Financial penalties are now significant. Where previously organizations paid to register with the Information Commissioner's office, now there will be no fee. So where does the office get its revenue from? Penalties.
Penalties occur for each breach of compliance and vary depending on whether an organization has planned for GDPR.
So, you have to be able to find ALL documents and data. In your DMS, in your email system, wherever you store it. Even documents that are scanned – how would you find them now?
Yes, you can find this information in your practice management system or CRM - but documents are harder.
Then, you need to review all the documents you have found and put them in a document format your client can read. You need to review them to make sure you are not disclosing someone else’s personal data, and redact if needed.
You then need to collate it and send it to the client – or at least tell them what you have.
Lastly, they may ask you to delete it – you decide if you need to.
So, how can DocsCorp help?
The biggest issue for any organization storing documents is making sure they are searchable. Regardless of what DMS you use, you will have the same issue.
Emails with attachments and scanned documents, for example, are not searchable.
A member of our team can run a free audit of your DMS and tell you how many documents within are not searchable. contentCrawler can make sure 100% of your documents are searchable. At the end of the day, if your documents are not searchable you will fail GDPR audits.
Once you have found the documents you then need to gather, redact, collate and present them to your client. pdfDocs Binder integrates with your DMS to help you do this.
Want to then email the documents to your client? cleanDocs removes all the hidden metadata so you don’t end up disclosing more than you need to.
Doing something about GDPR is the first step.
Carry out a GDPR Impact Assessment to evaluate your risks. Use it to find out where your data is stored, how you can find it, where your data is coming from and if it is secure.
Next, develop a GDPR compliance plan. This plan and its implementation must be signed off by business owners.
Work backwards in your planning from May, 2018 and start implementing. Raise awareness with the key stakeholders in the business so they understand what is required.
For example, if you want all of your documents to be text searchable to comply with GDPR, don’t wait until the day before – it’s a big job and takes time.
Assess all Cloud Service Provider Contracts. Work with your current third-party service providers to seek assurance as to their GDPR compliance and understand what contract changes are needed.