A GDPR intervention
Morna Grandison, Director of Interventions at the Law Society of Scotland, talks about how her team is dealing with implementing the General Data Protection Regulation (GDPR).
Part of this year’s work plan in the Interventions team was to allocate time for the implementation of GDPR.
This was an interesting task for the team as we quickly realised that as well as adopting the Law Society’s new processes and procedures designed to achieve compliance, we also had to consider how the new regulations affect the Society’s Judicial Factor appointments, as I hold my own separate data controller registration for these appointments.
What’s it all about, Alfie?
...to quote the famous song - we needed to appoint a team guru to take the lead. In our case, 'Alfie' became Cath.
Creating our plan
We identified the areas of work we needed to address and allocated tasks to the team according to skills and knowledge, then set about delivering on specific areas.
The team recently changed technology platforms and part of the thought processing was to identify how we could use the new system to drive better compliance and change working practices which were not compliant.
Achieving compliance – some of our challenges
1. As Judicial Factor appointments, we are accountable to the courts. So we need to ensure that the policies we develop, particularly in relation to the destruction of files and papers collected from firms, acknowledge the potentially conflicting guidelines laid down by the Accountant of Court, the Law Society and GDPR.
2. The firms to which I am appointed may not be compliant at the time of my appointment, meaning:
- data held by the firm may not be complete and up to date with the risk that we use incorrect addresses when writing to clients about their papers, files and ledger balances
- we don’t know who has access to the firm’s data after the Factor’s appointment, which is a challenge for ensuring the security and integrity of the data
- we don’t know what (or how secure) the firm’s storage arrangements are
- the firm may have advised their clients what will happen to their data in the event of the firm ceasing to trade. We have to know what has been communicated and whether we can comply
3. A prosecution before the Scottish Solicitors Discipline Tribunal and a report to Crown Office could occur after my appointment as Factor. This would involve collating material evidence which can be both personal and sensitive. What is best practice for our communications and passing of documentation? Each organisation has different policies/technological solutions for transmitting material securely, which are often not compatible; individuals may want material delivered in specific ways; and some have not even thought about the issue of transferring the material securely!
4. Separately, we have the Law Society’s revised policies to adopt and familiarise ourselves with.
(It feels like) We’ve only just begun
In all, this year has been a steep learning curve as we move towards compliance, but we have made progress. We have:
- documented our processes and our risks
- already identified changes in our procedures which will drive compliance
- consulted with stakeholders to ensure that our revised policies will dovetail with their systems and policies
- taken steps to destroy material which we have no requirement to hold at this time
- identified specific risks we have which are on our risk register
Road To Nowhere?
Sometimes it feels like this. We are on the same journey to compliance as the profession and feel their pain as we all wrestle with the busy day job. Yes, it’s been hard going, but our processes and systems are in a much healthier state having gone through the exercise and ultimately that will serve us well. Roll on May 25th!
Finally, remember how Kelly Clarkson sang it – What doesn’t kill you makes you stronger!