I spoke to Lauren Delin (Senior Paralegal at Rocket Lawyer UK) about the GDPR and the challenges that Rocket Lawyer has faced in getting ready for GDPR. Below is the conversation we had.
Alan: We know that the GDPR came into force on the 25 May. What did you do to get Rocket Lawyer compliant with the GDPR and incoming UK data protection laws?
Lauren: A key part of GDPR compliance was ensuring our products were up to scratch and of value to those who rely upon our service every day to ensure their businesses are operating in a way that is legally compliant. Here at Rocket Lawyer, we offer a range of legal documents to help customers navigate the legal landscape (which can be a bit of a minefield). Therefore, it was imperative that all affected products were made compliant before the 25 May, together with all of our great content, such as our guides.
As an international business, Rocket Lawyer was also affected by the GDPR in its own right. Our compliance programme involved reviewing our existing data privacy practices against the GDPR requirements and then identifying the actions we needed to implement those requirements by the 25 May. This involved working alongside our business teams in the US and Europe to identify the key compliance issues we needed to focus on, and then considering how they were going to affect future projects involving the handling of personal data.
Alan: That sounds like a lot of work! On a scale of 1 – 10 (with 1 being easy and 10 being hard), how hard did you find getting everything ready for the GDPR?
Lauren: I’d give it an 8 on the difficulty scale (eased only by the fantastic team of people I had the opportunity of working with and who supported me throughout!). It was certainly challenging, but only because it affected so many different areas of our business. Legal compliance was imperative; however, we also had to make sure that it was in line with our commercial objectives and market trends.
Alan: What was your approach to getting Rocket Lawyer’s documents up-to-date and compliant?
Lauren: Having a firm understanding of the requirements was a good starting point. I undertook quite a bit of research, and attended my fair share of presentations and webinars! I also took inspiration from companies I admired, paying particular attention to their approaches to data privacy, for example, the ways they communicated their data privacy practices through their privacy policies.
Alan: A hot topic has been around the impacts of the new data protection regime. What do you think will be the biggest impacts of the GDPR for small businesses and individuals?
Lauren: Unlike large businesses, small and micro businesses don’t need to appoint a Data Protection Officer; however, they could still be fined up to 4% of their annual turnover for failing to abide by the GDPR’s rules. In short, the GDPR affects a number of processes across small businesses, from sales and marketing to IT and security, so it’s important such businesses understand their obligations.
Individuals on the other hand can sleep a little easier knowing that companies are taking the protection of their personal information more seriously.
Alan: It’s been reported that many businesses aren’t compliant with the GDPR and that many businesses wouldn’t have been ready by the 25th May. What advice would you give to businesses who may not be compliant with the GDPR right now, or are in the process of becoming compliant?
Lauren: I’d advise that they undertake a review of their existing data privacy practices against the GDPR requirements to identify the actions they need to implement. It’s always advisable to get senior people involved right from the very outset to ensure data protection is incorporated into the business’ governance structure and is fully supported throughout its lifecycle. Perhaps most importantly, I’d recommend a data mapping exercise, which can help businesses understand their data processing activities and record them all. Lastly, such businesses should create solid information notices to let people know how they process personal information. Rocket Lawyer can help here! Just contact us about our GDPR audit and compliance service or browse our library of documents and guidance.