The GDPR, coming into effect this month, has been a topic of hot debate for some time now. There is speculation as to its potential impacts on how organisations operate, and within those companies, how different business functions will react and adapt. There are obvious consequences for IT infrastructure teams and marketing operations. Legal teams will also be impacted as compliance efforts ramp up and organisations strive to both understand the legal implications of the new regulations and put programmes in place to ensure compliance.
With this in mind, we spoke to Neil Brown, whose legal firm decoded:Legal specialises in advising telecoms, internet, and technology companies. Neil was head of privacy at Vodafone for many years, and now provides privacy advice to a broad range of businesses.
Are structural changes necessary?
First of all, apart from ensuring that the relevant staff are up to date with the GDPR and able to advise on it, there is unlikely to be the need for any significant structural or organisational changes. One area where firms may be looking to bring people in, however, is the Data Protection Officer (DPO) role. In the last year we have certainly seen an increase in the number of DPO roles we are briefed on, most of which featured GDPR prominently in the job description.
These DPOs will be expected to manage the relationship with the regulators and decide on when and how to report any breaches. Firms which routinely handle special categories of data, such as health-related data, or those which process data relating to criminal convictions, will need to check the framework under which they handle this, to ascertain whether they will need to appoint their own data protection officer.
Aside from working with clients seeking advice on new processing clauses, or on the privacy implications of their operations, some firms may want to offer the facility to act as an outsourced data protection officer. Given the regulatory framework for solicitors, firms considering this option will need to ensure that they can meet both the requirements of the GDPR and their professional regulatory obligations, as it can be difficult to square these off.
How can business leaders in the legal sector ensure that their teams are equipped?
Here at Michael Page Legal, many of our clients have utilised contractors to assist with process reviews and gap analysis in order to put into place a framework for data compliance. Business analysts, programme managers and change professionals have all been in high demand for some time now and have often proved invaluable in this process. Depending on requirements, we have seen clients employ single independent contractors as well as larger consultancies.
A whole host of skills are required for effective GDPR compliance. This does not necessarily mean the need to bring in a host of tech-savvy people and data professionals. Each firm will have different needs dependent on the type and volume of work they undertake. There are, however, some areas which are worth your consideration. Neil Brown gives us more on a selection of skills and competencies which may be worth thinking about:
Information Security – Issues such as the sharing of data and documentation with clients require a more strategic approach. Email is inherently insecure and firms which don’t already would be highly advised to look into encryption. Security professionals will have strong capability in this area and it is certainly something to be considered. This will drastically reduce the ability of a hacker to view what is being shared. Secure file transfer platforms may also be a good option. Finding a combination of security and usability, while maintaining a high level of service to your clients, can be a challenge, so looking into skills in this area can make a difference.
Auditing – Ensuring that a firm is keeping on top of regulatory requirements, and crucially that it can evidence this, is as important as ever. In a climate of changing regulation, having someone with strong auditing experience, who understands how to take a methodical, structured approach to assessment and documentation, can be a real boon.
Communications experts – Bearing in mind that privacy notices and data subject facing communications need to be concise and intelligible, it may not be that a lawyer is best placed to get the message across. Dense paragraphs of legalese are unlikely to cut the mustard, and thinking carefully about your communications from a client experience perspective will be increasingly important.
It is essential to consider how secure the data you process is. However, this is not exclusive to databases. I regularly see lawyers working with privileged documents in inappropriate settings, on trains or in cafes for example. It can be as simple as speaking too loudly on a phone in a public place. Simple things such as training lawyers to be aware of their surroundings might be the most important step you take in ensuring your organisation is mitigating risk.
If you have any questions or would like to explore resourcing options please get in touch with data protection and compliance recruitment specialist Heather Ninnes, Business Manager at Michael Page Legal.