What have you done to ensure that your firm is ready to meet the new rules governing personal data?
Before you can start any process, you need to assess the rules and regulations that you have to adhere to and how they will affect you and your business. However, once you have gone through the initial analysis of GDPR and realised that the ball is firmly in your court, you will need to plan out what needs to be done and start the process of making your firm GDPR ready.
The following information will help you identify some of the initial stages that you will need to appraise, and will assist you in beginning your GDPR roadmap.
We will touch upon some of the key points you will need to consider, and cover the Who, What, Where, Why and How of your initial assessment of GDPR.
The general consensus is that the legislation applies to ANY personal data you hold within your organisation. This would include clients, prospects, sales leads, partners, suppliers, employees, etc.
The next assessment that you will need to address is “What” data the regulation affects. This specifically applies to any personal data that can be associated with, or used to identify, an individual. This will apply to any information you hold, such as: contact/security information, emails, letters, paper files, contracts, marketing lists, and any information or details supplied by, internally produced about, or gathered for, the individual.
Now that you have the Who and the What, you need to assess “Where” this information sits within your organisation. This is where it can get messy: this type of information can be spread across the whole firm. Therefore, you need to identify all the areas of the firm that can house this information.
Firstly, you will need to identify and assess every element of software you use and all the systems that could potentially hold any information: front and back office applications, CRMs, email systems, databases, spreadsheets, external portals, servers and the folders they contain, local desktops, laptops, tablets, mobile devices, and any pen drives or external devices. Don’t forget digital and paper archived information and filing/storage cabinets, including off-site archives.
As you start to expand your understanding and scratch the surface of GDPR, you will begin to see the mammoth task that lies ahead, the potential disruption the regulation could cause, and how widespread its impact could be on your organisation.
To add even more pressure, you only have a 30-day window (down from 40 days) to meet the SAR (Subject Access Request) deadline. That’s just 22 working days to identify and collate all that information!
This is why you need to start building in processes to deal with any SAR applications now. This means providing clear and easy access to your GDPR statement, detailing how to submit a SAR, and your compliance procedures.
From this point, you will need to create an internal process to manage the submitted SAR. This may require key staff, if not all staff, to be aware of the SAR request. It may well be that several staff are required to action and review departmental systems to ensure that all areas have been assessed and checked for the SAR-related information. Once all data points have been identified, a report can be produced identifying what data is held, why it has been held, and where it is located.
An effective way to help manage submitted SARs is to systemise some of the process, especially when it comes to tracking the application and its status.
Our recommendation is to provide a SAR submission form on your website. From here you can, at the very least, know when the SAR was submitted. However, to really manage the whole process you will need a good CRM solution with workflow capability.
With a CRM workflow, any SAR submission from your website can be processed automatically: the workflow notifies and assigns a task to a lead manager and/or deploys multiple tasks to any group or member within your organisation. This way, everyone who needs to be involved with the SAR is aware of it and has instant visibility of the submission and the time left until its final deadline.
Each member can be responsible for managing their task list and its status to completion. From a reporting perspective, managers can identify outstanding tasks and act upon them before they reach a critical stage. To add another level of safety, email reminders can be automatically triggered to individuals and managers for late and outstanding completions.
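The following is an added illustration of the SAR workflow described above, written for this page rather than taken from FibreCRM or any CRM product. It models a single SAR with one search task per departmental system, computes the 30-calendar-day deadline from the date of receipt, counts the working days left, and works out which open tasks the workflow would chase. The sample SAR, the task owners, and the five-working-day warning threshold are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Statutory response window quoted in the post, in calendar days.
SAR_WINDOW_DAYS = 30
# Working-day threshold at which open tasks start being chased (an assumption).
WARN_AT_WORKING_DAYS = 5


@dataclass
class SarTask:
    """One departmental search assigned to a named member of staff."""
    owner: str
    system: str
    done: bool = False


@dataclass
class SubjectAccessRequest:
    ref: str
    received: date
    tasks: list = field(default_factory=list)

    @property
    def deadline(self) -> date:
        # The clock runs in calendar days from the day the SAR is received.
        return self.received + timedelta(days=SAR_WINDOW_DAYS)

    def open_tasks(self):
        return [t for t in self.tasks if not t.done]


def working_days_remaining(today: date, deadline: date) -> int:
    """Count Monday-to-Friday days strictly after `today`, up to and including `deadline`."""
    count = 0
    d = today + timedelta(days=1)
    while d <= deadline:
        if d.weekday() < 5:  # 0..4 are Monday..Friday
            count += 1
        d += timedelta(days=1)
    return count


def reminders(sar: SubjectAccessRequest, today: date, warn_at: int = WARN_AT_WORKING_DAYS):
    """Return the reminder records the workflow would email out for this SAR on `today`.

    Nothing is sent while plenty of time remains; open tasks are flagged DUE SOON
    once the working days left drop to `warn_at` or fewer, and OVERDUE after the deadline.
    """
    remaining = working_days_remaining(today, sar.deadline)
    out = []
    for task in sar.open_tasks():
        if today > sar.deadline:
            status = "OVERDUE"
        elif remaining <= warn_at:
            status = "DUE SOON"
        else:
            continue
        out.append({
            "ref": sar.ref,
            "owner": task.owner,
            "system": task.system,
            "status": status,
            "working_days_left": remaining,
        })
    return out


def build_sample_sar() -> SubjectAccessRequest:
    """Constructed sample: a SAR received on Friday 25 May 2018 with three departmental searches."""
    return SubjectAccessRequest(
        ref="SAR-0001",
        received=date(2018, 5, 25),
        tasks=[
            SarTask("alice", "CRM", done=True),
            SarTask("bob", "email archive"),
            SarTask("carol", "paper filing / off-site archive"),
        ],
    )


if __name__ == "__main__":
    sar = build_sample_sar()
    print("deadline:", sar.deadline)
    for today in (date(2018, 6, 1), date(2018, 6, 18), date(2018, 6, 25)):
        print(today, working_days_remaining(today, sar.deadline), reminders(sar, today))
```

Running it shows the three states a manager's report would surface: early in the window no reminders are generated, in the final week the two unfinished searches are flagged as due soon, and once the calendar deadline has passed they are reported as overdue with zero working days left. The deadline is counted in calendar days because that is how the 30-day window is expressed; the working-day count is only there to give staff a realistic picture of the time they actually have.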
With FibreCRM’s integrations with IRIS software and MS Outlook, accountancy firms can add a whole other level of functionality. FibreCRM can centralise all IRIS client data and your MS Outlook data, eradicating the need for multiple Excel spreadsheets. If you would like to discuss this subject in more detail, please reply to me or contact FibreCRM.
The Data Protection law and the new rules applying to GDPR legislation are not about catching businesses out or even applying hefty fines. They are more about making businesses aware of their obligation and duty to manage and control personal records in a safe and responsible manner.
This is even more true for professional firms, like accountants, that need to lead the way; they should look at this as an opportunity to evaluate their current processes and procedures and to put in measures that protect them and their client data.
Purely due to the nature of the business, accountancy firms especially need to take GDPR seriously, as “NOT doing the right thing” or failures in managing client data can result not just in potential fines but, more importantly, in serious damage to a firm’s reputation. No one wants to do business with a firm that cannot securely look after its clients’ information.
Should you and your staff be storing personal information on any business systems? Could this compromise any future GDPR obligations? It would be interesting to hear your thoughts.