
GDPR is Here to Stay – How are You Doing (part 4)?

By David Norris

In this post we consider what a firm needs to document in order to demonstrate that it has good procedures.

Policies and procedures

While much of the focus on GDPR has been on marketing and document retention, the regulation also requires data protection (which includes data security) to be built into your firm’s processes by design and by default. Firms should therefore have good procedures not only for contacting clients but also for handling data generally, and for any device that can access the firm’s network.

For example, firms should have clear policies on encrypting and physically securing laptops, being able to remotely wipe mobile devices, preventing staff from connecting personal devices to the network without suitable security controls and, of course, making sure the ubiquitous USB memory sticks are either encrypted or destroyed.

Firms might also want to think about physical security over digital devices, the office environment and paper records themselves. For example, in Mercia incorporating SWAT, we are told that laptops must be removed from vehicles before they are left overnight as they are not otherwise insured, and all filing cabinets containing client records should be closed at night – I even know of a firm whose cleaner was questioned as she had unlimited access to the office once everyone else had left!

When we visit firms we often find that there is no clear guidance on the use of IT, the security of devices, or the way staff use email and the internet. I would also recommend that firms stipulate which software staff may install and use. Firms would do well to document their position in these areas and then communicate it to staff. The QAD, in its reviews of firms, often questions whether firms have trained staff in their procedures in such a way that staff actually understand them.

Procedures should also confirm that staff understand what a data breach is and the need to report one internally. Under the GDPR definition a personal data breach includes the accidental loss of personal data, not only confirmed access by a third party. For example, on a course I had an IT consultant suggest that whenever unencrypted USB devices, mobile phones or other devices are lost, this should be reported as a data breach even though we are not sure the data has been accessed by a third party.

Other firms have taken the opportunity to remind staff to take great care over emails and to make sure they really are from the client before acting on them – we have had firms where an email supposedly from a client tried to instigate a transfer from the client’s account, and it turned out to be fake. So firms should ask themselves whether all staff are suitably data savvy across every aspect of professional life, rather than thinking data protection is only about marketing or emailing.
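The fake “client” email above is a classic payment-diversion fraud, and the checks a trained member of staff makes by eye can be partly automated before the message ever reaches the accounts team. The script below is an added example for this article, not code from the author or from SWAT UK; the client directory (KNOWN_CLIENTS), the domains and the two sample messages are all constructed for illustration. It parses a raw email with Python’s standard library and flags the red flags that distinguished the genuine client from the impostor: a Reply-To pointing at a different domain, a familiar display name on an unfamiliar address, SPF/DKIM verdicts that are not “pass”, and body text asking for payment to new bank details.

```python
"""Screen inbound payment-instruction e-mails for signs they are not from the client.

Constructed example for this article (not the author's or SWAT UK's code).
The client directory, domains and sample messages below are invented.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical client directory: display name -> domain the firm has on record.
KNOWN_CLIENTS = {
    "Jane Smith": "smithsons-ltd.example",
}

# Constructed sample: genuine message, authenticated by the firm's own mail server.
GENUINE = """\
From: Jane Smith <jane@smithsons-ltd.example>
To: accounts@firm.example
Subject: Q3 invoices
Authentication-Results: mx.firm.example; spf=pass smtp.mailfrom=smithsons-ltd.example; dkim=pass header.d=smithsons-ltd.example
Content-Type: text/plain; charset="utf-8"

Please find attached the Q3 invoices as agreed.
"""

# Constructed sample: impostor using the client's name on a lookalike domain.
FAKE = """\
From: Jane Smith <jane.smith@smithsons-ltd-accounts.example>
Reply-To: jane.smith@mail-relay.example
To: accounts@firm.example
Subject: Urgent payment
Authentication-Results: mx.firm.example; spf=softfail smtp.mailfrom=smithsons-ltd-accounts.example; dkim=none
Content-Type: text/plain; charset="utf-8"

Please transfer the balance today to our new bank details below.
"""


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def check_email(raw):
    """Return the list of reasons this message should not be actioned until
    verified out of band. An empty list means no red flags were found."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])

    # 1. Reply-To on another domain: replies (and payment queries) go to the attacker.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 2. Known client's display name, but not the domain we hold on record.
    expected = KNOWN_CLIENTS.get(from_name.strip())
    if expected and from_dom != expected:
        findings.append(f"'{from_name}' expected at {expected}, got {from_dom}")

    # 3. SPF/DKIM verdicts as stamped by our own receiving server.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        verdict = m.group(1).lower() if m else "none"
        if verdict != "pass":
            findings.append(f"{mech} verdict is '{verdict}', not 'pass'")

    # 4. The tell-tale request in the fraud the article describes.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if re.search(r"\b(new|changed|updated) (bank|account) details\b", text):
        findings.append("Body asks for payment to new or changed bank details")

    return findings


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("fake", FAKE)):
        print(label, check_email(raw) or "no red flags")
```

Two caveats. The Authentication-Results header is only trustworthy when it was added by the firm’s own mail server, which should strip any such header arriving from outside; otherwise an attacker can simply write “spf=pass” themselves. And a clean result is not permission to pay: the control the article is really describing is a phone call to the client on a number already held on file, and this screen only decides how loudly to insist on it.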

It is not just deliberate attacks: I cannot be the only one who has received an email meant for somebody else. It is very easy to send an email to the recipient the software suggests, only to realise it has gone to the wrong David. If the email includes personal data, that may be a data breach.


In many cases what is required is simple, and an hour with a sheet of paper may be enough to put a plan in place to ensure compliance. If you need more information or support, there is a page on our website with a number of resources. You might also consider the ICAEW GDPR hub and the Information Commissioner’s website.


December 2018 


This article is published with the understanding that SWAT UK Limited is not engaged in rendering legal or professional services. The material contained in this article neither purports, nor is intended to be, advice on any particular matter. This article is an aid and cannot be expected to replace professional judgment. SWAT UK accepts no responsibility or liability to any person in respect of anything done or omitted to be done by any such person in reliance, whether sole or partial, upon the whole or any part of the contents of this article.