The General Data Protection Regulation (GDPR) applies from 25 May 2018, less than four months away. According to the latest statistics available, only 25% of over 150 legal sector IT decision-makers said their firms were GDPR ready.
The impact of the GDPR cannot be overstated. Infringements in the lower tier (for example, failures in record-keeping, security or breach notification) can result in fines of up to €10 million or 2% of annual worldwide turnover, whichever is higher. The most serious infringements (of the basic processing principles, the conditions for consent, data subjects' rights or the rules on international transfers) carry a maximum of €20 million or 4% of annual worldwide turnover. It should be pointed out that these potentially ruinous penalties are by no means a given should a breach occur; regulators must take into account the nature, gravity and duration of the infringement and the steps taken to mitigate it, and to suggest otherwise is little more than scaremongering. But the risk is there, and no law firm wants to be the first to be made an example of.
For legal practices still coming to terms with their GDPR compliance requirements, here are our three top tips for getting ready in time for 25th May 2018.
One – Draw a map of the data you hold
Data mapping is key to GDPR compliance. Before you can create and implement policies and procedures around consent, data breach handling and the management of personal data, you need to know what data you have, where it is held and how it moves from one part of your organisation to another (including between jurisdictions).
A data map should identify the following key elements:
- Data items (e.g. client names, email addresses, phone numbers, case records)
- Formats (e.g. hard copy forms, online data entry, databases)
- Transfer methods (e.g. post, telephone, email, internal/external)
- Locations (e.g. offices, cloud services, third parties)
The purpose of a data map is to understand not only what data your law firm holds, but also who is accountable for specific data, how that data could be used for purposes other than those it was collected for, and where a breach could occur.
Two – Discover whether you require a Data Protection Officer (DPO)
The GDPR requires certain organisations to appoint a DPO. To decide whether your law firm requires such a position to be created, you need to examine the type of data you hold and how it is used (all GDPR roads lead back to your data map).
Article 37(1) of the GDPR states:
- The controller and the processor shall designate a data protection officer in any case where:
a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
To help organisations interpret these provisions, the Article 29 Working Party (Art. 29 WP), the body of EU data protection authorities that has since been replaced by the European Data Protection Board, published guidelines on DPOs (WP243). These define 'regular and systematic monitoring'. 'Regular' includes processing that is ongoing, recurring or repeated at fixed times. 'Systematic' includes processing that is pre-arranged, organised or methodical and occurs according to a system or as part of a general plan for data collection.
When deciding whether your firm undertakes 'large-scale' processing, the same guidelines point to the number of data subjects concerned, the volume and range of data items being processed, the duration or permanence of the processing, and its geographical extent.
Bear in mind that even if you are not required to appoint a DPO, you can do so voluntarily, though a voluntarily appointed DPO is then subject to the same requirements as a mandatory one. A DPO's duties include monitoring the firm's compliance with the GDPR, advising on data protection impact assessments, acting as the contact point for the Information Commissioner's Office (ICO) and ensuring that all employees who deal with personal data understand their obligations.
The key requirement of a DPO is independence: Article 38 prohibits the firm from instructing the DPO on how to carry out their tasks or dismissing or penalising them for doing so, and Article 38(6) allows the DPO to hold other roles only where they create no conflict of interest. That rules out anyone who decides the purposes and means of processing, such as a head of IT or a partner responsible for client data, which is why many firms find it easier to appoint an external DPO. An external appointee's other engagements must still be checked for conflicts of interest.
Three – Update your consent processes
No law firm can get away with not marketing in 2018. Therefore, it is likely your organisation has several ways of collecting data from the public to target direct or content marketing campaigns.
For example, you may have a series of in-depth articles on your website which can only be accessed by someone providing their email address. In this type of situation, you must ensure that anyone who provides their details to access the content understands what their personal data will be used for, and that a pre-ticked box or inactivity does not count as agreement. Under the GDPR, "consent" of the data subject means any "freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her" (Article 4(11)).
Not only must you gain consent correctly, you need to manage that consent so the data subject can withdraw it at any time. Article 7(3) requires that withdrawing consent be as easy as giving it, and that the data subject be told of this right before consenting.
Now is the time to review and update your consent policies and procedures to ensure they are compliant with the GDPR. In addition, keep reliable records of who consented, when, how and to what, since Article 7(1) requires the controller to be able to demonstrate that consent was given.
We have been helping legal professionals with professional disciplinary and regulatory hearings for over 20 years. If you have any questions relating to GDPR compliance, please call us on 0151 909 2380 or complete our <a href="https://jglaw.co.uk/make-an-enquiry/">Free Online Enquiry</a> and I will soon be in touch.