GDPR compliance for professional services firms: time to get on track

The General Data Protection Regulation (GDPR)’s compliance deadline is looming. Every organisation that processes personal data must be in compliance with the new law by 25 May or risk substantial regulatory fines from the Information Commissioner’s Office and legal action from aggrieved data subjects.

If you haven’t already, your firm must start your compliance project straight away or risk being in non-compliance. Make no mistake: this is a complicated activity that will significantly affect how your firm does business, and the clock is ticking.

A good approach is to assess your firm’s current workflows, processes and procedures to identify the compliance gaps that you need to fill.

Below is a checklist of ten essential areas of the GDPR that you will need to review as part of your firm’s project.

  1. Data protection governance – the extent to which data protection accountability, responsibility, policies and procedures, performance measurement controls and reporting mechanisms to monitor compliance are in place and operating throughout your firm.
  2. Risk management – is privacy risk included in your corporate risk register? What corporate arrangements are in place for privacy risk management across your firm? To what extent does the corporate risk regime incorporate information-specific risks? Which risks to the rights and freedoms of natural persons are addressed?
  3. GDPR project – the extent to which an appropriately staffed, funded and supported GDPR project is in place, and capable of delivering realistic objectives by 25 May 2018.
  4. Data protection officer (DPO) – is a DPO mandatory, has one been appointed, is the role positioned appropriately and is the individual capable of delivering against the GDPR requirements?
  5. Roles and responsibilities – the extent to which roles and responsibilities are defined and established through your firm, including necessary training and awareness.
  6. Scope of compliance – the scope of compliance must be clearly defined, taking into account all the data processing in which your firm has a role, whether as a data controller or as a data processor, as well as any data-sharing activity. In order to determine the scope of compliance, you also need to identify all the databases that hold personal data, as well as all extraterritorial/cross-border processing.
  7. Process analysis – it is essential to identify the extent to which each of the data processing principles are established for each process that involves personal data. Lawful basis for processing is a key area of consideration. Are there any processes for which a data protection impact assessment (DPIA) is mandatory, and for which processes might a DPIA help establish data protection by design and data protection by default?
  8. Personal information management system (PIMS) – there is a wide range of documentation that is necessary to ensure you can effect and demonstrate compliance with the GDPR, such as a data protection policy, a data breach notification procedure, subject access request forms and procedures, data protection impact assessments, and consent forms. The scale of the documentation should be appropriate to the size and complexity of your firm. The PIMS should also address staff training and awareness.
  9. Information security management system (ISMS) – the technical and organisational measures in place to ensure that there is adequate security of personal data held in hard copy or electronic form, or processed through your systems. This includes a review of methodologies for testing security, and established cyber security certifications, standards and codes of practice.
  10. Rights of data subjects – you will need processes that will enable you to both facilitate and respond to data subjects exercising any or all of their rights.

By approaching your GDPR compliance in this way, you can prioritise your project and plan to tackle each area within appropriate timeframes and budgets.

IT Governance is at the forefront of helping organisations globally to address the challenges of GDPR compliance. Our GDPR experts can help your firm with a variety of best-practice solutions, from evaluating your GDPR compliance position and developing a remediation roadmap, through to implementing a best-fit privacy compliance framework.

We offer comprehensive solutions, services and expertise to help you meet your GDPR compliance objectives, including training courses, books, compliance toolkits and software, staff awareness training and consultancy services.

Contact our experts here or call us on +44 (0)333 800 7000 to discuss your firm’s GDPR requirements.

More information on our GDPR solutions can also be found on our website. Find out more >>