There’s a lot of noise around about the introduction of the EU-wide General Data Protection Regulations (GDPR) which replaces the current UK Data Protection Act on 25 May 2018. Why is it creating such a stir? How will law firms be affected by it? What will they need to do?
One of the reasons GDPR has caught the attention of business owners is the potential for eye-wateringly large fines for non-compliance – up to €20m or 4% of global annual turnover. GDPR also makes it considerably easier for individuals to bring claims for ‘material and non-material damage’ – ie they will be able to claim for distress, hurt feelings, or reputational damage, even when they can’t prove financial loss. That’s a sea change from the present law.
Data Protection Officers
Organisations with more than 250 employees, or which process data on a large scale must appoint a DPO. Others will need a DPO-equivalent (for law firms, most likely the COLP) to ensure GDPR compliance and to be the liaison for clients and others with privacy concerns.
Consent to hold and process personal data is the cornerstone of GDPR. Data is defined as ‘any information … that can be used to directly or indirectly identify the person’, eg electronic and paper records of names, email addresses, bank account details, photographs, medical records, IP addresses or social media posts. You must request consent in clear, simple language, separately from other T&Cs, and be specific about how information will be used. Data subjects (this includes clients and employees) must positively opt-in, with an easy way to withdraw consent at any time. Using personal data for a different purpose needs a new consent.
Holding Data Lawfully
Organisations must document all the personal data they hold, its source, who can access it, where it’s held, and why it’s held. Most law firms can call up their database and list their data by client. But how many would be as confident about their paper records, including archives, and files inherited from other firms during mergers? And what’s stored on individual desktops, laptops or in email records?
Communicating Privacy Information
Once you have a complete list of data, you need to document the lawful basis on which you’re holding it. Refresh privacy notices, ensuring they are concise, clear and simple, stating how you intend to use the information and the lawful reason for processing it. The privacy notice should also tell people of their right to complain to the ICO if they think there’s a problem with the way you are handling their data.
Organisations must be able to prove compliance with the new legislation, and detail the steps taken. Firms must have proper policies and audit trails documenting how processing decisions were made and how they achieve effective data protection.
GDPR provides people with additional rights, notably:
- The right to be forgotten – individuals will have the right to demand deletion of personal data where there’s no compelling reason for its continued processing. Law firms must have the processes and technology to be able to identify and delete data on request. What do you hold and where?
- Subject access requests – people can ask for all data held on them: organisations must provide this ‘without delay’, at the latest within one month, and without charge. Can you do this?
Privacy by Design
Under GDPR, privacy risks must be assessed at the start of any new project, and reassessed continuously. You must carry out a privacy impact assessment whenever the risk of breach is high due to the nature or scope of the processing operation, e.g., where a firm is planning to buy new software and data will be migrated, or in a merger where datasets will be combined. It also applies to processing data concerning vulnerable subjects. GDPR defines ‘vulnerable’ as where there is a power imbalance between the data controller and the data subject, and the individual may not be able to consent to or oppose the processing of their data. This could apply to children and vulnerable adults, but also to HR activities.
This doesn’t just mean the loss of data, but also destruction, alteration, unauthorised disclosure of, or access to, personal data. Currently, there is no obligation to report a breach, but GDPR requires the report of data breaches to the ICO within 72 hours. There are potentially serious consequences of failing to do so – a fine of up to €10m or 2% of global turnover. Practically, this means that everyone in a firm must be able to recognise a breach, with clear reporting lines to ensure a rapid response.
Counsel, Experts and Outsourcing
Law firms commonly transfer personal data to other individuals and organisations, eg counsel or medical experts, or to outsourced providers, such as digital dictation or secure shredding companies. Under GDPR the firm, as data controller, retains responsibility (and liability) for the proper and secure handling of their data by third parties and must only engage with those who can provide ‘sufficient guarantees’. So, firms must conduct thorough due diligence and review existing agreements to ensure that they are protected.
With the introduction of GDPR on 25 May 2018, privacy becomes central to everything you do, and firms should start preparing now. You should review all the data you hold and assess whether you have consent to process it. This is no mean feat and will require board/partner level commitment. Privacy just became real.
If you would like help in reviewing and revising your policies and procedures to achieve GDPR compliance, please call Anne Austin on 01743 294 866 or 07533 571871.