GDPR Readiness Assessment: Large UK Law firm

Client challenge

Our client is a leading UK law firm with a large percentage of clients in the Insurance sector.

  • A key business driver for the firm is to ensure it can evidence compliance with the GDPR legislation by March 2018.
  • As a leading advisory firm our client places a high value on protection of its reputation within the legal sector and amongst its clients.
  • Insurance clients are also driven by the rigours of the FCA regime which even prior to GDPR was pushing members to evidence greater due diligence of controls in their supplier management practice.
  • Our client's business processes require that it is frequently responding to information security controls due diligence from Insurers – either as part of a new bid or ongoing supplier management.
  • Increasingly the questionnaires required evidence that our client is responding to prevailing financial services regulation and legislation.
  • With this business background and a shortage of available specialist resources our client engaged TORI to assist deliver of the firms GDPR compliance project.

What we did

The engagement has been separated into two phases of Readiness Assessment followed by Remediation and Compliance.

  • Readiness Assessment requires that TORI subject matter experts from our Risk & Control and Technology Infrastructure teams collaborate with peers on the client side
  • 10 work streams were established to perform a gap analysis between the current and target compliance state. The work streams are fully aligned to the guidelines of the GDPR legislation and the UK Information Commissioners Office (ICO):
    • Leadership, culture and governance
    • GDPR project structure, due diligence and controls
    • Scope of the compliance (legal entities and cross border)
    • Risk management
    • Roles and responsibilities
    • Data Protection Office
    • Process Information Management systems
    • Process and applications analysis
    • Information Security Management systems
    • Rights of the data subjects
  • A compliance tool was developed by TORI to act as both a project dashboard and evidence of the due diligence and rigour in the project
  • The current state assessment required TORI to collect data from multiple sources including flowcharts, data maps, structured interviews, contracts, applications interrogation, audit reports and policy/procedures
  • At every stage the client interaction was fully inclusive and collaboration ensuring the our client has full ownership of the project supported by TORI subject matter expertise

The result

  • Full GDPR compliance status is required by April 2018 and our client will achieve that
  • The Readiness Assessment phase will complete during August 2018
  • The phase report will:
    • Confirm the scale of the remediation gap
    • Compile a detailed remediation plan with timescales, roles and costs
    • The prioritisation of the plan is driven by a full risk assessment approach
    • Ensure that controls are in place to ensure the management of the evidence based due diligence is embedded into firms day to day business operations
  • Remediation activities are to be prioritised with factors such as the firms risk appetite and the prevailing compliance guidelines from the ICO