99 problems but my GDPR strategy ain't one

Today it is officially 99 days until the EU General Data Protection Regulation - or GDPR as we all know it - comes into play on 25th May 2018. And it feels a bit like that point in the run-up to school exams where you are trying to work out how much revision everyone else has done and that sinking feeling that you should have started all this a little earlier…

Back in October last year, when this all felt comfortably in a different year, we pointed out some unsettling GDPR facts. Facts like “by the end of 2018, 50% of companies affected by GDPR will not be in full compliance with its requirements” (Gartner). So, if it’s you that has that sinking feeling, then at least you’re not alone.

By now we’ve all read and reread the definitions of GDPR and its implications, but in simple terms GDPR is trying to bring regulation up to date to protect the rights of us as individuals, given the data-heavy world in which we live, as well as providing a common set of standards for data privacy across the EU to support seamless processing across organisations. Altogether very sensible…and altogether very “giant fine waiting to happen”…

Less than 100 days to go, the ICO hanging around waiting to fine unsuspecting organisations, half of the industry won’t be compliant…this all sounds pretty scary right? And sure, it would be tempting to run around the room with our arms in the air for a while, but actually, the good news is that GDPR isn’t about starting from scratch. It’s about building on what most organisations should have been doing already to meet the Data Protection Act.

Becoming GDPR compliant starts with looking across the operating model when it comes to managing personal data. A second step is arguably realising that there are people out there who can help lighten the load. We recently worked with a global law firm to help them on their journey towards GDPR compliance. A law firm you might think - surely, they know what to do about GDPR… And when it comes to legal interpretation of the regulation, of course they do. However, this firm also recognised the benefits that being GDPR compliant could bring, both commercially and from a reputational perspective, and that they needed other skill sets to achieve that.

So channel a bit of Jay-Z, look away from that countdown, read our case study below and give one of our calm, reassuring experts a call to discuss how we can help you.


GDPR Readiness Assessment: Global Law Firm


Client challenge

Our client is a leading UK law firm with a large percentage of clients in the Insurance sector.

  • A key business driver for the firm is to ensure it can evidence compliance with the GDPR legislation by March 2018.
  • As a leading advisory firm our client places a high value on protection of its reputation within the legal sector and amongst its clients.
  • Insurance clients are also driven by the rigours of the FCA regime which even prior to GDPR was pushing members to evidence greater due diligence of controls in their supplier management practice.
  • Our client's business processes require that it is frequently responding to information security controls due diligence from Insurers – either as part of a new bid or ongoing supplier management.
  • Increasingly the questionnaires required evidence that our client is responding to prevailing financial services regulation and legislation.
  • With this business background and a shortage of available specialist resources our client engaged TORI to assist deliver of the firms GDPR compliance project.

What we did

The engagement has been separated into two phases of Readiness Assessment followed by Remediation and Compliance.

  • Readiness Assessment requires that TORI subject matter experts from our Risk & Control and Technology Infrastructure teams collaborate with peers on the client side
  • 10 work streams were established to perform a gap analysis between the current and target compliance state. The work streams are fully aligned to the guidelines of the GDPR legislation and the UK Information Commissioners Office (ICO):
    • Leadership, culture and governance
    • GDPR project structure, due diligence and controls
    • Scope of the compliance (legal entities and cross border)
    • Risk management
    • Roles and responsibilities
    • Data Protection Office
    • Process Information Management systems
    • Process and applications analysis
    • Information Security Management systems
    • Rights of the data subjects
  • A compliance tool was developed by TORI to act as both a project dashboard and evidence of the due diligence and rigour in the project
  • The current state assessment required TORI to collect data from multiple sources including flowcharts, data maps, structured interviews, contracts, applications interrogation, audit reports and policy/procedures
  • At every stage the client interaction was fully inclusive and collaboration ensuring the our client has full ownership of the project supported by TORI subject matter expertise

The result

  • Full GDPR compliance status is required by April 2018 and our client will achieve that
  • The Readiness Assessment phase will complete during August 2018
  • The phase report will:
    • Confirm the scale of the remediation gap
    • Compile a detailed remediation plan with timescales, roles and costs
    • The prioritisation of the plan is driven by a full risk assessment approach
    • Ensure that controls are in place to ensure the management of the evidence based due diligence is embedded into firms day to day business operations
  • Remediation activities are to be prioritised with factors such as the firms risk appetite and the prevailing compliance guidelines from the ICO