Legal Abacus readers learn how to ensure a client, parnter or customer is GDPR compliant

Following the introduction of GDPR, Legal Abacus readers are taught how to identify whether an organisation is GDPR compliant and how they’re achieving such status moving forward.

Legal Abacus is the bi-monthly magazine for member of the ILFM, aimed at individuals working within Legal Finance or Legal Management roles.

The main aim of Legal Abacus is to communicate and inform members about what is happening within education and career development, legal accounting and business management, and in the wider legal sector as a whole.

The article highlights relevant accreditations, certificates and logos that all demonstrate a commitment to GDPR compliance, discussing the different accreditations in detail.

The article can be found in the July/August issue of Legal Abacus magazine.

Alternatively, read the article here:

GDPR compliance does not come with a badge

With the new GDPR regulations now in force, how do you recognise a compliant supplier, partner or customer? Maxine Park of DictateNow looks at the problem and what it means for the supply chain.

There has been a huge amount of publicity highlighting the new regulations and all the steps required of an organisation to ensure compliance, but no one has explained how you know an organisation has not only achieved the standard, but is continuing to do so.

Maxine Park of leading transcription and dictation services outsourcing company DictateNow looks at the problem and what it means for the supply chain: “Standards required of an organisation to undertake its daily activities, usually come with certificates, logos, accreditations and the like.

It is easy to find reputable construction companies sporting the CHAS logo on their vans, websites and even workers, identifying them as a business that takes Health & Safety seriously.

Quality law firms can be recognised by the Law Society’s legal practice quality mark, Lexcel. But how do you know any of the organisations you do business with, share information with or allow to process personal data is GDPR compliant, beyond them telling you they are?

This is one of the problems with what is in effect a self-certifying standard. Of course, every organisation will tick the compliance box on the questionnaire you send or complete the box on the tender to your satisfaction, but without undertaking your own audit, you have to rely on trust.

Fortunately, there is a standard that closely maps the GDPR compliance and it comes with regular independent checks and a certificate to identify compliant organisations; namely ISO 27001 which is a framework for information protection.

The GDPR recognises personal data is critical information that must be protected, so there is definite synergy. However, outside the ISO standard are the specific requirements relating to the rights of personal data subjects, like the right to be forgotten and data portability.

It is likely though that personal data will have been recognised as an information security asset during implementation of ISO 27001. This ensures much of GDPR requirements will be covered by successful and ongoing certification.

The GDPR and ISO 27001 requirements have a lot in common; both are mainly concerned with reducing risk to individuals and organisations caused by the loss, breach or misuse of personal data.

ISO 27001 requires organisations to create, maintain and continually improve information security management systems, which are audited annually by BSI certified auditors.

The new GPDR is more concerned with reducing risks for the data subjects, through new rights that make organisations processing personal data accountable. There are potentially large fines for those organisations found not to be compliant if a problem occurs. There is no independent audit or certificate, however.

Fortunately, the common ground ensures it is a relatively easy transition to GDPR compliance from ISO 27001 certification. Those organisations in the supply chain that maintain ISO 27001 certification offer confidence to data controllers who need to share data with them.

The certificate proves the organisation has security professionals who having successfully implemented ISO 27001 systems and controls, are well positioned to understand the requirements for ongoing GDPR compliance.

If you believe you are GDPR compliant, but need to share data with supply chain partners and are looking for an indication of their compliance, a good place to start is choosing those organisations that are ISO 27001 certified. With a certificate to prove it.

No one will question your decision or the reasoning behind it, which also just happens to be a key foundation of the new GDPR requirements. Choose ISO 27001 and share with confidence.