GDPR – Getting started in 6 steps
Our Getting Started in 6 Steps process takes you through the stages to help you to reach GDPR compliance.
Step 1- The Data Audit
The first step in our Getting Started in 6 Steps is the Data Audit. This is the foundation of our GDPR for lawyers process. In this step we look at the categories of data you process – where they come from and what you do with them. We look at which Data Policies cover them and surface areas where you need to consider the Lawful Basis for Processing. Are there any special categories of data you deal with? If there are, what are they and how do you deal with them? This is the starting point, and listing all categories of data is essential. Remember, too, that you'll have employee data that you also need to consider.
Step 2 – Lawful Basis for Processing
There has been a huge amount of focus on Consent as a Lawful Basis for Processing, so much so that firms are failing to take an objective view of the available Bases for Processing. Although there are 6 Lawful Bases for Processing, only 4 of these can be used by law firms. Whilst you must consider Consent, you must also consider Contract, Legal Obligation and Legitimate Interests. You also need to be aware that different Lawful Bases for Processing apply to different categories of data. For instance, personal contact data belonging to a client of the firm may be processed on the basis of Contract. However, the personal contact data of someone who has signed up for email communications on your website, and who isn't a client, will be processed on the basis of Consent.
Step 3 – Working with third parties
If you have some of the personal data you hold processed by a third party, you need to have a written contract in place with that third party. You must also make sure the contract contains the specific terms the GDPR requires (set out in Article 28). It's also possible that you process data on behalf of a third party. If this is the case, you'll have to create your own data processing contract and provide this to the organisation on whose behalf you process that data. You'll also have to make reference to third party processing in your Privacy Statement.
Step 4 – Data Policies
Underpinning all of this is the principle that personal data belongs to the individual. Your data policies will set out how you manage that data, who can access it and how. They'll also address how long you retain the data and what methods you employ when you destroy it. You need to remember, too, that we're talking about the data you store in paper files as well as the data you store electronically.
Step 5 – The Privacy Statement
Your Privacy Statement explains how you deal with personal data. You'll also need a separate Privacy Statement for your employees. The Information Commissioner recommends you take a "layering" approach: serve your Privacy Statement up to readers in bite-size pieces and allow them to read as much or as little as they like. You'll normally publish your Privacy Statement on your website, but you'll also need a paper copy to hand to clients if asked.
Step 6 – Data Adequacy
In this final step you'll review the data you hold. If it's inaccurate, rectify or delete it. If it falls outwith your data retention policy, delete it. The principle behind this advice is that if you can't justify holding the personal data, you have to delete it. We set out some recommendations on how you comply with this element of the GDPR.
We believe in providing practical help for law firms through our GDPR for lawyers Guide. Our Guide and Workbook, supported by our Samples Booklet, help you achieve compliance. They follow a step by step process, and we include examples you can draw on to fit your own situation.