GDPR: What actions are you taking to be compliant?

Published on 4th April 2018

On 25th May 2018 the General Data Protection Regulation (GDPR) will replace the Data Protection Act 1998, so we haven’t got long to go!

As you might already know, the maximum fine for a breach of GDPR is 4% of global annual turnover or €20 million (whichever is higher), so there is some real motivation to ensure we are compliant. There are other lower tiered fines depending on the nature of the breach.

Since I specialise in recruitment for the legal sector, I thought it would be useful to share some conversations I have been having with my clients around GDPR. This will provide an insight into how firms in the legal sector are preparing to be compliant and will perhaps shed some light on where to start if you aren’t sure.

One thing that has really stood out in conversations with my clients is that you should not seek costly external assistance to educate yourself on GDPR. There is so much information online to help with your initial steps that it is far more cost-effective to seek advice only on the particular matters or issues you and your firm face as you go along.

What are other law firms doing to be compliant?

Some clients have been proactive and are prepared for the 25th May. Below is a list of actions these firms have taken:

  • HR functions are sitting down to map out and understand their firm’s data flow. This will provide them with a better idea of what needs to be cleansed, controlled and audited.
  • Identifying 3rd party providers to find out what they are doing to be compliant with GDPR.
  • Assigning one or more GDPR specialists within the firm. These individuals take initial responsibility for thoroughly understanding the processes and procedures and then educating the rest of the firm.
  • Hiring an external GDPR specialist to come into the firm and advise on best practice.
  • Training the firm on why and how to be compliant – some firms are holding presentations, some are simply sending informative emails. Other firms have purchased a GDPR e-learning package for all employees. This will ensure everyone in the firm understands their role in GDPR compliance.
  • HR functions or GDPR panels will map out what functions have access to specific types of information. This allows the firm to limit access to users if they do not need it.
  • The firms that do not yet have portals are beginning to use portals as a way to better manage candidate data.

Other hints and tips

  • If you use Mimecast (an Outlook feature), they have created a new module that allows you to perform data subject searches and add notifications when certain data leaves the business. It is worth exploring this option, as it lets you limit and control who has access to information and emails.
  • As mentioned above, use all online resources and forums to get a better understanding of GDPR and start the process internally by mapping and making an initial plan. It is cost effective to hire help or a GDPR specialist at the later stages.
  • Remember to document the steps you have taken and why, as you will need to be able to demonstrate these steps in order to be compliant.

If you would like more information on GDPR compliance or would like to know the steps that Ambition are taking to ensure we are compliant, please contact us on
020 7404 4004 or