Blogs

European Union flag

The impact of ‘Brexit’ on data transfers

With just over six months to go until the UK exits the European Union, the Government has started to issue guidance on what will happen if there is ‘no deal’ by the 29th March 2019.

As we all know, the current data transfer rules are set out at European level in the General Data Protection Regulations (GDPR) which came into force on 25th May 2018.  Under the current rules, transfers within the EEA are permitted BUT, on 29th March 2019 the UK will become a ‘third country’ for the purpose of the applicable legislation.

So, what does this mean?

The Data Protection Act 2018 will remain in force and the EU Withdrawal Act would incorporate the GDPR into UK law to sit alongside the domestic legislation.

UK-EU Transfers

The Government has recognised the ‘unprecedented degree of alignment’ between the UK and EU data protection regimes and has confirmed that at the point of exit they will allow the free flow of personal data from UK to the EU (this will be kept under review).

EU-UK Transfers

These transfers become more complicated as the UK will be deemed a ‘third country’.  Under the GDPR, transfers to a ‘third country’ can only take place in defined circumstances –

  • There is an ‘adequacy decision’ in place; or

  • There are appropriate safeguards in place.

Adequacy decisions are currently in place for Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.  The adequacy finding for Canada only covers data subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the finding for the US is for transfers covered by the EU-US Privacy Shield Framework (currently subject to challenge by the EU Commission).

Appropriate safeguards are –

  • A legally binding and enforceable instrument between public authorities or bodies;

  • Binding corporate rules (BCRs);

  • Standard data protection clauses adopted by the Commission;

  • Standard data protection clauses adopted by a supervisory authority and approved by the Commission;

  • An approved code of conduct together with binding and enforceable commitments of the receiver outside the EEA;

  • Certification under an approved certification mechanism together with binding and enforceable commitments of the receiver outside the EEA;

  • Contractual clauses authorised by a supervisory authority.

So, how does this impact me and what do I need to do?

The UK Government has expressed its intention to apply for an adequacy decision but the EU has stated that the process cannot be started until after 29th March 2019 and obtaining a decision can be a lengthy process. This means that EU-UK transfers will need to have appropriate safeguards in place.

If your organisation transfers data from the EU to the UK, or if you are an organisation in the UK that receives data from EU then you should look to implement standard contractual clauses as a matter of urgency – the latest approved version can be found on the EU Commission’s website.  It’s important to note that the current version was approved pre-GDPR and should be updated.

UK organisations who offer goods and services to data subjects within the EU will need to appoint a representative within the EU.

You can find out more here through these links:

Get in touch

If you’d like to discuss our data protection services, then contact one of our helpful experts today.

The impact of ‘Brexit’ on data transfers Read More »

digital lock with the CFA logo

Cyber Essentials – Affordable Security

Guest blog from Centre for Assessment Ltd

The Cyber Essentials Scheme has been around for a number of years now, and more and more businesses are finding the demand for this is increasing when it comes to working with particular clients and qualifying for tenders/contracts. The core values of Cyber Essentials offers both clients and supply chains peace of mind, knowing that basic cyber hygiene measures are being adhered to, and the essential elements of the IT infrastructure are running effectively.

The core values of Cyber Essentials are built around 5 main controls: firewalls, secure configuration, access control, malware protection and patch management. The combination of these controls ensure that the risk of cyber-attacks is kept to a minimum, and that companies are showing a commitment to both staff and clients, ensuring data is handled and stored safely and securely.

There are two different levels of cover available through the scheme which are ‘Cyber Essentials’ and ‘Cyber Essentials Plus’.

Cyber Essentials is a self-assessment driven audit, which allows businesses interested in the scheme to be able to evidence their basic conformance to the scheme rules within an application document. Once completed this is then reviewed by a registered certification body for assessment. Decisions on conformance can be made within as little as 48 hours.

Cyber Essentials Plus includes all of the self-assessment elements of the basic Cyber Essentials.  Additionally, it entails a vulnerability scan, on-site testing and a much more comprehensive assessment process verified by independent experts to help further ensure that the IT infrastructure is as secure as possible. This level of assessment represents a much larger commitment to the overall IT welfare of any business and helps in leading the war against cyber-crime within the UK.

These types of assessments are a step in the right direction for any business looking to bolster their IT security within any industry. Cyber Crime is forever evolving and adapting to try and appeal to victims via a range of different means. This can be something as simple as a link in an email or sending updates with ‘URGENT’ in the subject, to try and instil fear and panic usually leading to a knee jerk reaction, which can cost victims dearly.

The legal sector is no stranger to cyber-crime and its devastation, with 62% of law firms estimated to be the victim of a cyber-attack in the last year. Law firms are considered to be 7th most vulnerable industry for malware according to Cisco, with 4.5% of all UK data breaches occurring within the legal sector. Practices are starting to take note of the devastation this causes and are beginning to take steps towards a scheme like Cyber Essentials, to help in the fight against cyber-crime and to re-assure clients.

We are even starting to see schemes like Cyber Essentials incorporated into other standards within the legal sector. In July 2018, a new version of Lexcel, The Law Society’s Legal Practice Quality Mark, was announced, and within some of the policies and procedures there is a direct reference to the scheme stating, “Practices must have an information management and security policy and should be accredited against Cyber Essentials.” This is helping to further enforce the importance of the scheme and general cyber awareness within the legal sector.

Get in touch

Cyber Essentials is available through the Centre for Assessment.  To find out more, visit their website, or telephone them on  0161 237 4080

If you’d like to know more about Teal’s data protection services can help you, get in touch with one of our experts today.

Cyber Essentials – Affordable Security Read More »

Someone typing on a dark laptop

ePrivacy Regulation Update – What’s the latest?

For some time now, the EU Commission has been planning an update to the current ePrivacy Directive (which was implemented in the UK through the Privacy and Electronic Communication Regulations, or PECR for short).  The ePrivacy Regulation will replace the current rules on issues like the use of cookies and electronic marketing and was originally meant to be implemented alongside GDPR but the final text was not ready in time.  So, what’s the latest update?

After significant delays in moving towards a final text for the Regulation, the EU Commission issued an update on 12 June 2018 following policy debates on 8th June and it would appear that further changes have been proposed.

Cookies

Currently websites display cookie banners informing visitors that the website uses cookies for the purposes of data analytics – if you don’t want cookies dropping on your device then the only option is to stop using the website.  The EU Commission had already indicated that under the new rules, internet browsing companies should design functionality to allow individuals to give specific consent for cookies (in fact a small number of organisations have already made this change on their websites).  Following the debate, the options for cookies now include banning the use of cookie walls (claiming it is disproportionate for public authorities to make their websites conditional on the use of cookies) or changing the recitals to clarify the requirements around consent.

B2B Marketing

Currently a large proportion of B2B marketing is carried out on a soft opt-in basis.  This is where the email address has been obtained through the sale (or negotiation for the sale) of a product or service, the individual was told that their email address would be used for unrequested marketing and was given the chance to opt-out at the time of collection, the marketing relates to similar products and services, and each email gives the recipient the chance to opt-out.  The draft Regulation indicates that the EU Commission may seek to bring B2B marketing in line with the requirements for B2C marketing, meaning that the current soft opt-in option will be reversed so that communications can only be sent where the individual has given prior consent.

The updated draft text also allows member states to set a time limit under which organisations may contact individuals for direct marketing purposes. The DMA is continuing to argue against these changes which could cause significant issues for businesses.

Timeline

It is now anticipated that the Regulations will be passed towards the end of 2018 or Spring of 2019 with one year for implementation.

What actions can I take now?

It’s important to document what marketing your business undertakes, your legal basis for the processing and how you obtain contact details.  If you don’t rely on consent, then you may want to start to consider what implications the Regulations will have on your business if they are passed in the current format.

Start to talk to your website provider about the options around cookies now BUT don’t make any major changes until the Regulations are finalised.

Watch this space!  With 3-6 months to go before the Regulation is passed it’s inevitable that further amendments will be made.

Get in touch

If you need any help in the meantime with regulatory compliance, then feel free to get in touch.  An initial chat with one of our associates is always free.

ePrivacy Regulation Update – What’s the latest? Read More »

Someone writing a report

Revised Lexcel Standard: Be prepared!

The Lexcel Legal Practice Quality Mark has been revised and expanded.  Lexcel accredited practices will be assessed against the revised standard from 1st November which means there is plenty for you to be working on. The Law Society Lexcel website gives you more information.

Broadly, these changes align the standard with recent new and revised legislative requirements in relation to data protection and financial crime.

The SRA Code of Conduct 2011 mandatory outcome 7.5 applies whether or not you are Lexcel accredited… ‘you comply with legislation applicable to your business, including anti-money laundering and data protection legislation’.

1. Start planning

There is a lot here to risk assess, develop, train, implement and test before your next Lexcel assessment … and of course to communicate to clients, as appropriate, and to your staff.

With regard to data protection, look at all the Lexcel requirements and you will soon realise that data protection touches all areas of the Standard.

2. Risk assess

You will need to look at the wider picture to assess and manage the risk of breaches and other offences.  A thorough review will include your compliance plan, risk register, policies and procedures, record keeping, monitoring and training.  Are you, for example, maintaining appropriate records of data processing activities, information asset registers, money laundering risk assessments and records?  Remember it is important to keep records of your decision making to evidence compliance and to have robust breach reporting procedures.  You need to understand your vulnerabilities and risks and address these accordingly.

3. Develop documentation

For all these new requirements off the shelf template policies or procedures may be helpful but are not always likely to be sufficient as every practice is different. One size does not fit all.  Examine the profile of your own practice, undertake thorough risk assessments and gap analyses.  Bespoke policies and procedures in plain language and applicable to your business are best practice, and likely to be more robust and easily understood by everyone.

4. Train, implement and test

Ensure your policies and procedures are effective. Undertake audits and spot checks.

Be prepared for assessors (and potentially other bodies), to review your central documentation, follow the audit trails, check your matter files and interview staff for evidence that they understand their responsibilities relevant to their role and have received appropriate training.  Importantly too, are your staff able to identify potential breaches or compliance failures and do they know how to go about reporting this?

A wealth of information and guidance is available on the ICO, Law Society and SRA websites.  As always, Teal blogs are a great resource for practical guidance.

Make sure you check out the Cyber Essentials scheme which, for Lexcel accreditation, firms are now encouraged to achieve.

Take a deep breath, consider your risks, raise awareness in your business, and start your reviews and preparation now.

Get in touch

Most of all, don’t lose sleep! To find out more about our risk management services, simply contact one of our experts today to chat about how we can help.

Revised Lexcel Standard: Be prepared! Read More »

Hand writing the word "Claims" with a blue marker on a glass screen

Claims Management Regulator to become FCA from April 2019

The FCA has recently launched consultation CP15/18 which sets out their proposed regulatory structure for Claims Management Companies (CMCs).  The announcement also confirmed that jurisdiction for complaints would move from the LeO to the Financial Ombudsman Service (FOS); although one wonders how they will cope with an increased number of complaints when they are already a stretched service.

The Consultation proposes extensive regulation for CMCs, including some of the current CMR rules, but also introducing new rules and making all parts of the current FCA handbook applicable as well.

The FCA will regulate 6 activities by introducing 7 new permissions (1 permission for lead generation activities and 6 sectoral permissions covering the activities of advising a claimant, investigating a claim and representing a claimant).  Scotland will also be included in the proposed regulatory regime and claims made under s75 of the Consumer Credit Act 1974 are also within scope.

So, what are the main proposals?

  • Before a CMC agrees a contract with a customer they will be required to give a short summary document containing an illustration or estimate of the fees charged, an overview of the services the CMC will provide, and the tasks the customer will need to do themselves.  Where a statutory ombudsman scheme exists, the summary must confirm that the customer does not need to use a CMC to pursue the claim and may present the claim themselves for free.

  • CMCs must offer a mandatory 14 day cooling off period and this must be detailed in the initial documentation.

  • Where the customer has been introduced by a third-party, the customer must be given information about any fees the CMC has paid to that third-party.

  • CMCs will be required to provide regular claim updates to the customer, even where there has been no progress.  Specifically, where the CMC knows the likely value of a claim then an estimated fee update should be provided.

  • The CMR Client Specific Rule 10 will be carried over to the new rules, requiring CMCs to investigate whether there are other ways the customer can make their claim.

  • CMR Client Specific Rule 14 will also be carried over with a slight amendment – CMCs will need to take reasonable steps to ensure that the customer understands the contract they are agreeing to (including vulnerable customers).

  • CMCs will need to provide customers with a clear explanation of fees and charges whenever a payment is requested.  There will need to be appropriate policies and procedures for dealing with customers in arrears, including specific policies for vulnerable customers.

  • ‘No win no fee’ type adverts will have to include details on the fees which will be charged or how fees are calculated and whether there is a statutory free scheme available to the customer.  All calls to customers will need to be recorded and kept for a minimum of 12 months (even those that result in no further contact with the customer).  CMCs will need to keep a record of electronic communications as well.  The financial promotion rules in PERG 8 will apply.

  • CMCs who purchase leads from third parties must carry out due diligence to determine whether the lead generator is authorised and has appropriate systems and processes in place to ensure compliance with data protection, privacy and electronic communications legislation.

Other FCA rules which will apply –

  • The Senior Managers and Certification Regimes that currently apply to all banks, buildings societies, credit unions and the largest investment firms will be extended to all regulated firms including CMCs.

  • The Individual Conduct Rules, the basic standards of behaviour that people working in financial services are expected to meet, will apply to almost all staff in firms and is not limited to those individuals who are subject to the Senior Managers Regime and Certification Regimes.

  • PRIN, COND, SYSC, DISP, GEN and the standards on how firms treat whistleblowers will all apply.

  • CASS will apply to firms who handle client money.

  • CMCs will be subject to the prudential resources requirement and specific wind down procedures.

  • The usual FCA enforcement procedures in EG and DEPP will apply equally to CMCs.

The FCA will create a new handbook section called the ‘Claims Management: Conduct of Business Sourcebook’ to sit alongside the existing sections.

Further consultations are expected later in the year, but this document is a clear indication a lot of preparation will be needed over the next 10 months to ensure CMCs are up to speed with the requirements.

Any firms with an existing CMR authorisation in April 2019 will be issued with a temporary FCA permission and a landing slot to submit an application for full authorisation.  There is no news yet on what the application process will look like.

The consultation is open until 3rd August and can be reviewed.

Get in touch

If you think your firm could be affected by the new rules or if you have any further regulatory questions, contact our experts today.

Claims Management Regulator to become FCA from April 2019 Read More »

Man taking notes whilst looking at laptop

What do I have to provide when I receive a subject access request?

With conflicting advice still available on the ICO website there seems to be a lot of confusion around exactly what a data subject is entitled to when they exercise their right of access under GDPR.

Many data subjects still seem to think that this right entitles them to receive a full copy of their file free of charge, when actually that will not be the case 99.9% of the time.

The Right to Be Informed

Individuals have the right to be informed about the collection and use of their personal data, including-

  • The purpose for processing the data and how you will process the data

  • The retention periods you will apply

  • Who you will share the data with.

You provide this information in your privacy notice which should be given at the point of collection and you will provide a link to the information on your website.

The Right of Access

Individuals have the right to access their data, and can make a ‘subject access request’ verbally, in writing or even via social media (don’t forget to check your tweets!).

You now have one calendar month instead of 40 days to respond to the request and you can no longer charge a fee.

The data subject is entitled to –

  • Confirmation that you are processing their data

  • A copy of their ‘personal data’ (we will come back to this in a minute!)

  • Other ‘supplementary’ information which is basically the information you provide in your privacy notice.

But what exactly does ‘a copy of the data’ mean?  You will be pleased to know that by and large this does not mean that they are entitled to a copy of the entire file of papers.  A ‘copy of the data’ is basically that, a list of the data fields that you process, which can identify the data subject (name, address, date of birth etc.).

Where it becomes slightly complicated is if it is possible to identify the data subject from the information you are processing then that information may also be personal data.  In a recent ICO live chat I was given the example of where you hold on file an email from an individual complaining about the data subject.  Whilst I did engage in a long debate with the representative about whether this would be appropriate for a law firm to disclose, or potentially for an employer to disclose where an investigation was being carried out for example, the conclusion from the ICO was that I would need to consider this type of document carefully and make a decision about whether there was a valid reason to withhold the document or not.

In situations where you are simply instructing a third party, for example a letter to an expert which sets out the name, address and contact details of the data subject, but is then just a business to business email giving instructions on work to be carried out, then a copy of this letter would not need to be provided.

General Points

  • Review the types of communications you will have on your files – if any of them ‘could’ fall within the definition of personal data then make sure your staff are aware to consider these and flag them to the DPO for confirmation of whether they need to be included in the response of not.

  • Data subjects can only be given a copy of their own data – an individual cannot request information on behalf of a partner for example.

  • If a data subject requests something specific, for example a copy of a specific email by date or a copy of a specific call recording then you should look to provide this.

  • You should ensure your staff are trained to recognise a request (remember social media!).

  • You should have a documented process and should keep a log of all requests.

  • The ICO’s Subject Access Request Code of Practice has not been updated for GDPR yet.

Get in touch

99% of the requests you receive will be straight forward but for that 1% which you maybe aren’t so sure about, remember you can use our ‘Ask Teal’ service, or simply contact one of our experts today.

What do I have to provide when I receive a subject access request? Read More »

British pounds - notes and coins scattered

The human cost of money laundering

It is very easy to silo oneself when immersed in the world of investigating money laundering and to forget that actually it isn’t just about currency, commodities and hidden profits, but it’s about people.

I have investigated a plethora of cases during my career and the focus is usually centred upon the villain and the criminal gains. How often do we actually sit down and examine how many people have been damaged along the road to the conviction? We get the conviction, we take back the proceeds of crime via the machinations of POCA and we send the villain to jail. Do we know what happened to all the others that were affected somewhere along the way to the Courtroom steps?

Just like fraud, I have often heard people say that it is a victimless crime. This couldn’t be further from the truth.

Money laundering is a crime that many people consider irrelevant to them. If it is a problem at all, they consider it is a problem only for banks. That is far from true. Money laundering has massive effects, not only on financial institutions, but also on governments, industries, economies and also individuals.

What are the effects of these widespread crimes that fly under the radar of much of the population? And why are these effects so massive?

To understand the reasons you need to understand the nature of money laundering. It is not an overt crime like robbery or assault; it is secretive and buried under multiple layers so as to avoid detection. It is also not headline news. How often do you see a laundering case at the top of the News at Ten? It’s not a headline grabber and so the consequences of this crime also get buried in the myriad stories about Brexit, Russian Spy Poisoning and Britain’s Got Talent!

Have you ever stopped to consider what might be under your nose when taking a stroll through the main street of your town or through a large, out of town shopping mall? Have you ever considered the rise and proliferation of the nail bar?

That is not to cast aspersions over every nail bar in the land, but have you ever considered how a business, with seemingly very few customers in an area of high business rates, is able to sustain itself?

I have investigated a number of cases involving nail bars. They are often used as a ‘front’ for cannabis farms. These farms are often linked to organised crime, often of Asian or Vietnamese origin.  The profits of the sales of cannabis are often laundered by creating fictitious sales or customers on the books. A simple scheme where no one is really hurt?

Cannabis farms don’t run themselves. The crop needs tending. Organised criminals don’t employ a local firm of horticulturalists. They often turn to human trafficking to find their staff.

When Police conduct search warrants at these cannabis farms they usually find a single male ‘gardener’ on the premises, locked into the building and controlled by others who are higher up the food chain. This male is usually living in fairly squalid conditions, sleeping on a camp bed if he’s lucky, and left only with sufficient food and water to exist. The ‘gardener’s’ sole function is to tend to the lucrative crop. There will be no pay or rewards beyond basic existence.

This is the reality of laundering. A person who has been trafficked. A prisoner in a foreign land with no rights or standing. They may actually have a better standard of living than in their homeland and do not view themselves as victimised, but a victim they are.

Money laundering and financial crime hurts real people.

Money launderers need to engage with professionals to enable their funds to be assimilated into a legal system. As professionals in this arena you will come into contact with launderers. They will want your assistance.

By engaging with launderers, whether knowingly or unwittingly, you become part of the problem.

Perhaps you may now look differently when engaging with some businesses. What lies beneath?  Think……..What can I do about it? What should I do about it?

Get in touch

We assist firms everyday with practical advice on AML and on how to spot the signs of money laundering in real life.  Contact us today for more information.

The human cost of money laundering Read More »

Red mug with a red and white calendar of May 2018 with the date 26th circled

GDPR – What happens on May 26th?

GDPR 25th May….  It’s the date we have all been working towards, some of us for many months. But what happens on 26th May, and the day after that?

Well, initially we all have a well-deserved rest over a bank holiday weekend, and then it’s business as usual from Tuesday 29th May.  But what is ‘business as usual’?

For those who have not been able to complete their GDPR preparations prior to 25th May, you should have an action plan to take you through the following weeks and month on the journey to compliance with the principles of the GDPR and to demonstrate ongoing accountability.

But if you have completed your preparations it doesn’t mean that you don’t have any ongoing work to do.  In order to demonstrate accountability, you will need to test your processes, test your staff and create an audit programme.

1.  Test your processes

You have created a lovely shiny process to be followed if a data subject exercises one of their rights; but does it work? You may not receive a request straight away so why not run a workshop on the basis that you have received a request and work out the steps you need to follow to comply with the 30 day timescale – use the outcome to refine your process where necessary.

2.  Test your staff

You have trained your staff but how much have they actually understood? Are your policies and procedures embedded? Test them. Send in a ‘dummy request’ and see what happens. Don’t forget to also test from a cyber security point of view – simulated phishing email tests are a useful exercise.

3.  Create an audit programme

How will you demonstrate ongoing compliance? DPOs should consider regular spot checks, especially if your business has more than one site – are the team keeping paper that you think has been destroyed? Are visitor processes being followed – turn up unannounced and you will find out!  Don’t forget that root cause analysis of complaints and data breaches will provide you with valuable insight on how well your GDPR programme has been embedded. Check your websites on a regular basis to make sure they haven’t reverted back to old versions of any of your policies. Monitor social media for mentions of your business, which can be an early indicator of a data breach.

4.  Keep up to date

The draft Data Protection Bill had a provisional report stage on 9th May and as progress continues to be slow, it may not be enacted before 25th May. The E-Privacy Directive is also still stalled and could arrive at any time in the coming months so it’s definitely one to watch, and it’s always worth checking in with the ICO’s website to see updates on how they intend to enforce GDPR and what they will be looking at in the coming months.

Get in touch

Here at Teal we will of course keep you up to date through our blogs and our experts are always available to offer advice or even to come in and test your processes for you.  Find out more about our data protection services or simply get in touch with one of our experts.

GDPR – What happens on May 26th? Read More »

Side view of silver laptop

Technology for compliance

At the recent Teal Annual Conference, I spoke to the delegates about Technology in Compliance. I’d like to pose some of the questions we talked about during the session. How would your firm answer?

  1. How do your current systems and processes work for you?

  2. As a firm, are you all working on the same system or is it a mix?

  3. Are you confident that all your employees are using the same versions of documents such as your Client care letters and Terms of Business?

  4. How often do you review your systems and processes?

The answers to the above questions are fairly self explanatory when it comes to assessing how effectively a firm is using technology to support their compliance function.

There are common themes for the majority of firms I meet. Firstly, there are still many firms that do not have a case management system (actually there are a lot) and who operate with a “S – Drive” where everyone can access and save documents. Secondly, there are those that have a mixture of different systems, and different levels of take up of those systems depending on the department.  There are of course some firms that use their CMS to the best of their advantage. This takes a significant amount of work, but the firms that make the effort, reap the rewards. Personally, I would like to see compliance embedded into the IT systems and processes within all firms.

By investing in people, processes and systems it allows compliance to become second nature, providing an additional layer to internal risk management, and an audit trail if something were to happen.

In addition, it can also help increase profitability – so what is there not to like?

With so many different systems on the market, if you do not have a system, or are looking to change, how do you choose the right one for your firm? Here are some pointers:

  • Select the project team in-house – have a mix of staff covering support staff, fee earners, IT, management. You need to have a complete overview from all perspectives. Also ensure you include different disciplines, as each will have their own requirements.
  • Scope the list of features you must have, should have and would like to have. A project cannot always be completed in one hit, and taking a phased implementation approach is often more successful.
  • Do your research into providers or bring in an independent consultant who can assist. It is not a case of one size fits all.
  • Know your budget – there is a vast difference between “out the box” and custom built.
  • Shortlist the systems that you consider will assist you in your business and arrange a beauty parade.
  • Have a selection of staff at demonstrations.
  • Take your time to work through the pros and cons.
  • Consider the change management that will be needed within the firm to implement the new system.

As a starter for ten, here are some of the features which you should consider embedding into your systems:

  • Conflict checks
  • AML – check the integration with AML providers
  • Streamline your systems and have mandatory workflows to embed compliance
  • Versioning control
  • Workflows
  • File reviews
  • KPIs
  • Key dates
  • Client feedback
  • Risk assessments
  • Outlook functionality
  • HR plugins
  • Office manual
  • Training and development
  • Risk register

I am strongly of the view that we can effectively use technology within our compliance systems to minimise the risks involved in running a law firm. Why make things more difficult for yourselves, your firm, your staff, and your clients than they need to be!

Get in touch

Teal Compliance offers a compliance technology platform which is built specifically for law firms. Find out more about Teal Tracker, or alternatively contact one of our helpful advisers.

Technology for compliance Read More »

Multi-coloured data entry on a black screen

14-day countdown to GDPR

With just 14 days left to go until GDPR implementation day, what should you be focusing on?

At our conference on 26th April, 57% of those attending said they had nearly completed all of the changes they needed to make in advance of 25th May, 4% stated that they were ready. So, what about the 22% who said they had only just started, or the 17% who didn’t know what GDPR was??  The key is DO NOT panic. It’s not Y2K all over again, the world will not end if you haven’t completed all of your preparations by 25th May.

What you do need is a plan……

Transparency is the key – prioritise those documents which tell your clients/customers what you will do with their personal data – how do you collect it, how do you process it, who do you share it with, how long do you keep it and how do you delete it?

Policies – get your key documents in order – data protection policy, data retention policy, privacy notices, cookies policy etc – make sure they are fully updated and available on your website.

Data processors – make sure you have full contractual arrangements in place with anyone who processes personal data on your behalf.

Data subject rights – how can your customers/clients exercise their rights under GDPR?  Make sure this is clearly signposted in your privacy notices, data protection policy and on your website – something simple, quick and easy. Make sure your staff know who to refer any requests to.

Don’t forget your employees! They will need a privacy notice that covers the use of their data for employment purposes and they will need to know where to refer any GDPR questions they either have themselves or receive from clients/customers.

Security – do you have robust security measures in place for both your electronic data and any paper data you store in filing cabinets?

Beyond this, and perhaps beyond 25th May, you will need to refine your processes for responding to data subject requests, ensure you have a full training programme in place (if you haven’t done training already) and consider what spot checks and audits you need to have in place to ensure ongoing compliance and accountability.

Get in touch

Don’t forget, here at Teal we are available to offer support for all your data protection needs. Simply contact us today for more information.

14-day countdown to GDPR Read More »