Industry interview with Tikit: Up to data
This blog post was also featured as an industry interview in the September 2017 issue of Legal Practice Management magazine GDPR supplement. To read the issue in full, download the supplement.
The EU’s General Data Protection Regulation (GDPR) is less than a year away but are SME firms ready for it? The answer broadly, according to Tikit’s product director Adrian Jones, is no.
“GDPR readiness varies considerably between firms, but most SME legal leaders we’ve spoken to are only just starting to understand the regulation, let alone doing anything about it.” But, he adds, firms must come to terms with the scale of change required soon if they want to be compliant by May 2018.
“The legal landscape is going to change completely. Firms will need to become more transparent to demonstrate compliance and develop a better understanding of what data they hold, where it’s held, how long they can hold it for, and how they ensure data is accurate and genuine,” says Jones.
The EU developed these new rules to secure citizens’ rights over their data in an increasingly digital world – but, Jones says, technology is both the cause and solution to the GDPR. “Software solutions, such as Tikit’s Partner for Windows (P4W) practice and case management system, have been extended with GDPR in mind. The new compliance module in P4W helps firms streamline data handling processes and provide evidence that those processes are correct. They also help firms identify what data they hold and where it’s held in the event they get any data subject access requests or requests to be forgotten.”
SILENCE MEANS NO CONSENT
A key challenge firms face under the GDPR is distinguishing data types to ensure sensitive data is identified and destroyed in the right way at the right time. Jones says this may be challenging for firms that traditionally never destroyed information – but there is a way to streamline the process.
“Solutions such as P4W separate sensitive and personal data so it can be easily identified. If a firm transacts a remortgage, for example, the solution will identify sensitive information – such as a national insurance number, address or date of birth – and delete it when needed.”
But, he adds, data processing requirements will also depend on whom the stored information is about. Firms will not only need to obtain consent from clients (past, present and future) to process their sensitive data but also demonstrate that consent was obtained in the correct way.
“Consent must be specific and granular and it’s vital to record this when it’s given. If firms don’t and a complaint is made, they could be fined up to 4% of their global annual turnover.” Fortunately, he adds, Tikit has developed a data protection area in P4W’s entity properties screen to record when data consent is received, by whom, the basis of consent and consent location inside the solution. The GDPR also states that individuals have the right to rescind consent at any point, which is why the system records the date it was rescinded, by whom and the reason.
It’s also important to remember that the individual’s age also dictates how consent is obtained and recorded, says Jones.
“Children are vulnerable persons under the law and the data of vulnerable individuals is subject to different GDPR rules. As such, P4W enables firms to verify individuals’ ages with a date-of-birth field that calculates age. If the subject is under 16 it also prompts the user to obtain parental consent.”
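The consent ledger and under-16 check described above, written out as an added illustration (example code, not Tikit's or P4W's own; the field names, the purposes and the sample records are assumptions):

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


def d(iso: str) -> date:
    """Small helper so sample dates can be written as ISO strings."""
    return date.fromisoformat(iso)


@dataclass
class ConsentRecord:
    """One granular consent entry for a data subject (assumed field set)."""
    subject_id: str
    purpose: str                 # consent is per purpose, never blanket
    basis: str                   # e.g. "explicit consent"
    granted_on: date
    granted_by: str              # staff member who recorded it
    location: str                # where the evidence lives in the system
    rescinded_on: Optional[date] = None
    rescinded_by: Optional[str] = None
    rescind_reason: Optional[str] = None


def consent_effective(records: List[ConsentRecord], subject_id: str,
                      purpose: str, on: date) -> bool:
    """True only if consent for exactly this purpose was granted on or before
    `on` and had not been rescinded by then. Consent for a different purpose
    never counts, which is what "specific and granular" means in practice."""
    for r in records:
        if r.subject_id != subject_id or r.purpose != purpose:
            continue
        if r.granted_on > on:
            continue
        if r.rescinded_on is not None and r.rescinded_on <= on:
            continue
        return True
    return False


def age_on(dob: date, on: date) -> int:
    """Completed years; a 29 Feb birthday counts as reached on 1 Mar in non-leap years."""
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):
        years -= 1
    return years


def requires_parental_consent(dob: date, on: date) -> bool:
    """Under-16 rule from the interview: prompt for parental consent."""
    return age_on(dob, on) < 16


# Constructed sample: marketing consent given in May 2018, withdrawn in September.
SAMPLE_RECORDS = [
    ConsentRecord("C-1001", "marketing", "explicit consent", d("2018-05-25"),
                  "a.smith", "entity/C-1001/consent#1", d("2018-09-01"),
                  "a.smith", "client emailed to withdraw"),
]
```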
HOW TO FORGET CLIENTS
But perhaps more challenging still is processing data subject access requests (DSARs). Jones says that under the GDPR firms can’t charge individuals to access data held on them or to find out how that information is being used – meaning firms will likely be inundated with DSARs for a period after May 2018.
“Firms will need processes in place to handle DSARs – and P4W can help streamline those processes. The software provides Crystal reporting functionality that lists sensitive and personal data against each entity and shows what that data has been used for.”
And what about the right to be forgotten? Under the GDPR individuals will be able to request to have data on them destroyed – and, Jones says, that task will be difficult if businesses don’t know where all a person’s information is held.
“A firm may have a great PMS or CMS, but it also needs a way to search documents related to an individual. If it’s still using a physical document filing system or isn’t storing correspondence correctly, forgetting clients could be impossible.” The solution, he adds, is to manage documents with a document management system that makes any information held on an individual searchable.
“P4W, as an example, hosts third-party integrations such as with cloud-based NetDocuments, which categorises documents and makes them easily searchable, deletable and exportable from virtually anywhere. NetDocuments can be used as part of the P4W solution and allow firms to search sensitive data related to individuals under one system.”
As well as extending individuals’ data rights, the GDPR broadens the definition of data breach to include the destruction, loss, alteration, unauthorised disclosure of or access to personal data. Jones says that the time firms will have to report such a breach will be shortened under the new regulation – meaning new processes will need to be introduced to ensure GDPR compliance.
“In the event of a major breach, the firm won’t be able to wait until the senior partner returns from holiday – it will need to be in a position to respond within 72 hours of notification. Firms need to be able to handle that scenario, but they should also do everything to stop it happening at all.” Jones adds that P4W has a risk register to help legal leaders to manage sensitive data, and that enables firms to lock down information to ensure only the people who need to access it can do so.
“If data is locked down, it reduces the chance of it being altered, stolen or lost – P4W achieves this with a pessimistic security model that doesn’t automatically give everyone access to a new matter. Instead, permissions are given.”
The GDPR is a complex regulation, but SME firms can become compliant in time for the May 2018 deadline if they use technology to help them. Jones says firms can use P4W and its third-party integrations to track processes, make sensitive data searchable and improve security – making them GDPR ready.