Preparing for GDPR

The Bill, which aligns with the requirements of GDPR, will give individuals more control over their data, including the right for personal data to be erased. Firms will no longer be able to rely on default opt-out or pre-selected 'tick boxes' to give consent for organisations to collect personal data.

The cost of data breaches

The data protection regulator, the Information Commissioner's Office (ICO), can issue high fines, of up to £17 million or 4% of global turnover for major breaches, which is aligned to the financial sanctions set out within GDPR. If firms fail to report data breaches financial penalties could be up to 2% of annual worldwide turnover or £8.5 million, whichever is greater.

Data breaches could also cause reputational issues for firms and there a risk of follow on claims from private individuals for compensation. This means that senior management may end up focusing on remediation activities instead of pursuing the firm’s strategy. In an increasingly digital focused world with disruptive technologies and changes to the ways of working, having senior management focused away from developing and managing the organisation is potentially as harmful as the direct financial cost.

How we can help?

Whilst many professional practice firms are advising their clients on GDPR obligations and UK data privacy compliance, there is a real need to ensure that firms themselves are compliant.

Our services cover a full spectrum of GDPR advisory services from providing firms with assurance that what they are doing is compliant to full support for firms currently without a GDPR project plan in place and limited resources.

Examples of how we can support your firm with your GDPR plan include:

Firms who have not yet commenced their GDPR project or have limited resources

• conduct a readiness assessment against the ICO's, 12 steps framework
• develop a project plan and remediation plan
• cyber security diagnostic, in line with the Cyber Essentials accreditation
• undertake a personal data audit and mapping of data flows
• drafting policy documentation and Fair Processing Notices
• designing breach reporting processes
• education and awareness programmes for staff
• testing the processes.

Firms who have a well-established project plan and in-house team, which is resourced and progressing on track

• supporting aspects of the project plan, in line with the activities above
• providing assurance that any changes to systems and processes have become embedded
• testing the awareness of staff with regards to awareness of their responsibilities
• independent assurance regarding project governance and activities.

If you would like us to help you to comply with the upcoming GDPR requirements please contact Richard Evans or your usual Crowe contact.