We at LexisNexis Enterprise Solutions are run off our feet, helping clients to ensure that our CRM solution, Lexis InterAction, is aligned with their firm’s processes for compliance with the GDPR, which kicks in on 25 May 2018. At the same time, there are many firms who are managing this preparatory process independently.

Thoroughness of evaluation of processes is of course key for compliance with the GDPR. From speaking to firms using InterAction, an area that appears to be repeatedly overlooked is ‘My Contacts’. Oversight of this functionality could prove to be a big gaping hole in a firm’s GDPR compliance processes, especially pertaining to potential future demands of data portability and the right to erasure.

To elaborate, in InterAction, there is the ‘Firm Contact List’ that is accessible by all in the organisation. This is maintained by the users and Data Stewards and will continue to be in the future. If your firm is reviewing the data held in the Firm List and deleting the records you no longer need or don’t have the right to hold, then your organisation is part of the way to being compliant with the GDPR. All good so far.

In addition, individual users also have their own ‘Contact Lists’ and can choose to transfer data into InterAction from Outlook. This movement of data takes place via the ‘My Contacts’ functionality, which serves as the bridge between the individual’s Outlook and your firm’s InterAction application.

When people leave a firm, it’s standard practice for the IT department to delete users’ Outlook accounts. However, the contact data in ‘My Contacts’ – which is GDPR-relevant – continues to reside in this location, it remains unnoticed and hence unaddressed. Once the GDPR becomes effective, the orphaned contact records residing in all ex-users’ ‘My Contacts’ may put the law firm out of compliance with the regulation if the necessary compliance processes aren’t applied to them. For instance, information on a contact may be up-to-date in the Firm Contact List in InterAction in accordance with the GDPR, but existence of older details on an ex-user’s ‘My Contacts’ location may put the firm out of compliance.

Firms using InterAction must ‘mind this invisible gap’ as they evaluate their GDPR-related processes and align the solution to them. If you think this is an issue for your firm, then please contact your Account Manager, who will be able to enlist the support of Client Advisors or Consultants to help you address this issue. It poses a potential non-compliance risk to firms, if left unaddressed.