The General Data Protection Regulation (GDPR) comes into force in May 2018. Law firms that fail to prepare in time, so they can comply with the regulations on day one, risk facing the regulator’s wrath.
Given that legal practices operate largely on trust, the fallout from a data breach could be disastrous. And the reputational damage would come on top of the potential fines of up to the greater of €20 million or 4% of a company’s global turnover.
To meet the GDPR’s requirements in time, law firms need to focus on organisation, transparency, and accountability.
Understand the data
Law firms must be acutely aware of data-security risks due to the sensitive information they hold on many people.
The GDPR will introduce strict rules around getting permission to use personal data and how the data can be used and stored, once permission has been obtained.
Supply chains will need to be reviewed and monitored. Robert Bond, a regular speaker on GDPR, gave the following example in an article in the Legal Practice Management magazine (September 2017):
“Firms need to be careful because the smallest things might catch them out. [for example] Does their translation agency contract allow them to comply when they’re outsourcing highly confidential documents? If a sensitive file is sent by the agency to a non-compliant country for translation and then stolen, the firm will be held responsible by the regulator”.
Records need to be kept as to where and how data is stored as well as how it is processed and by whom. Once the data held by the firm has been mapped, determining how long it can be kept and when it needs to be destroyed is a much easier process to manage.
Balancing GDPR compliance with other regulatory responsibilities
Law firms have duties and responsibilities outside the GDPR. For example, the GDPR may state that a piece of data should be destroyed but anti-money laundering regulations may require the data to be kept for a longer period.
To understand how GDPR requirements sit alongside other regulations, it may be worth investing in a consultant. Not only can they audit your data governance procedures and provide strategies to bring them in line with GDPR requirements, they can advise you on how to balance GDPR compliance with other regulatory duties and responsibilities.
The Information Commissioner’s Office’s 12 steps businesses can take to prepare for the GDPR
Awareness: Make sure everyone in the practice is aware of the changes coming into force under the GDPR and how the regulations will affect their role.
Information you hold: Conduct an information audit so you understand what data you hold, where it came from and who you share it with.
Communicate privacy information: Review and update your current privacy notices.
Individuals’ rights: Check your law firm’s procedures to ensure they completely cover clients’ and employees’ rights, including how you plan to delete personal data or provide data electronically.
Subject access requests: Update policies and procedures and plan how you will handle data requests from people within the new timescales.
Lawful basis for processing personal data: Identify your lawful basis for processing data under the GDPR and update your privacy notice to explain it.
Consent: Audit how you seek, record and manage consent in relation to data collection and storage, and make the necessary changes to meet GDPR standards.
Children: Put systems in place to verify people’s ages and obtain parental or guardian consent where required.
Data breaches: Update or create policies and procedures to ensure you can detect, report and investigate all data breaches.
Data protection by design and impact assessment: Familiarise yourself with the Information Commissioner’s Office code of practice on privacy impact assessments and the latest guidance from the Article 29 working party and implement policy and procedure changes where required.
Data Protection Officers: Appoint a Data Protection Officer and assess where this role will sit within your organisation’s structure.
International compliance: If your law firm carries out cross-border data processing, determine your lead data protection supervisory authority.
In summary
GDPR compliance will require an investment in technology, cyber-security training and getting the right processes and procedures in place. But by taking decisive action, compliance will become far easier in a shorter space of time and new data processing systems will swiftly become second nature.
The trick to a stress-free transition to GDPR compliance is not to leave it too late.
We have been helping legal professionals with professional disciplinary and regulatory hearings for over 20 years. If you have any questions relating to GDPR compliance, please call us on 0151 909 2380 or complete our Free Online Enquiry and I will soon be in touch.