The first GDPR fine has landed – are you next?
Ask yourself this: is your business managing its data in line with its own data management policies and procedures? Of course it is… Right?
There is every chance that in May 2018 you had a shiny new policy that covered your usage and storage of your clients’ personally identifiable information. You would also have had a crack at giving your databases a good prune to keep you in line with your new data retention rules. You may also have had a plan to visit your storage archive, where there are tens of thousands of archive boxes stuffed full of old files. You might have added some of these items to the “too hard” pile, or to the “in due course” plan, and only if you were really diligent did you get it all done by May 2018.
As we rush into 2020 and bid farewell to the European Union, GDPR seems a dim shadow in our past. Ask yourself: did you do EVERYTHING to comply with your new policies? Pause for a minute and think about how many documents there are in your Document Management System. 10 million? 20 million? 100 million? Think about all those archive boxes, and then think back to your shiny new GDPR policies. Naturally the policies will describe how you keep your data securely under lock and key. They will set an appropriate retention period for this data, and there’s every chance that it is generally in line with the limitation period for the matter type in question. Now think about all those documents in your Document Management System. All the financial data in your Practice Management System. All your historic matters in the case management system. Are you regularly purging old files? Do you sift through all the old files to check each record against your new GDPR policies?
It makes me shudder to think how long it would take a team of staff to confirm the index dates for each archive box and then process each file to ensure compliance. Make no bones about it, the ICO are now conducting audits and following up on whistle-blowers’ claims of inappropriate storage of personally identifiable information. On 17 December 2019, the ICO handed down its first GDPR fine, of £275,000, to Doorstep Dispensaree Limited, a London pharmacy which had not stored its patients’ data in a suitably compliant manner. As certain as death and taxes, this is the first of what will become a regular stream of fines.
Innocence is no longer a valid excuse for any business, and now that we are 18 months past the GDPR deadline, the ICO are likely to take a very dim view of any firm claiming to have it “on their plan”.
If you have any concerns that the data stored in your systems may be non-compliant, or that inappropriate personally identifiable information may be hidden away in your document management system or paper archive storage, we have a solution for you which can quickly verify your compliance with your shiny new GDPR policies. Why not talk to us to obtain peace of mind, evidence of compliance, or to establish the scale and breadth of any unseen non-compliance, so that you can remedy the situation before a whistle-blower whispers to the ICO or, heaven forbid, you receive notification of an audit.