General Data Protection Regulation – Are you ready?
Wednesday, 25 April 2018
Law firms generally hold vast amounts of sensitive data on their clients. However, in February 2018, research found that only 25% of law firms believed they were in compliance with the new General Data Protection Regulation (GDPR) that comes into force on 25 May 2018 in the UK (source: Law Society). These regulations are a significant update to the current Data Protection Act 1998 and have been introduced to keep pace with the ever-changing digital landscape and to give individuals more transparency and control over their personal data and how it’s used by your firm.
All business owners are accountable for the personal information they store on clients and employees. The size of your firm is irrelevant; the responsibility for this remains with the owners and non-compliance could lead to significant fines.
We strongly recommend that you undertake a full review of the data you hold to check it against the new regulations, and then formulate a plan of action for the changes needed to bring your systems into compliance.
Initially you need to determine whether your firm processes personal data as a “data controller” or a “data processor” and consider whether you are required to formally appoint a Data Protection Officer. Even though a formal appointment is unlikely in a law firm, it’s recommended that someone is voluntarily designated to this role to lead on compliance, so that everybody knows who to report matters to and obtain guidance from.
What you need to consider
Staff awareness – Are all your staff aware of this change and the need to protect data? This includes the visibility of computer screens through office windows, the processing of data in the reception area and meetings with clients in general work space.
Consent – This must be a positive opt-in and must be separate from other terms and conditions, with a record kept of when and how it was obtained. Existing consent can still be relied on as long as it was acquired in line with the new GDPR requirements. Withdrawing consent must be possible at any time and must be as easy as giving it, and people must be told that this is the case.
Protection – What measures do you have in place to protect data? Assess your IT security processes and what information your staff hold on personal devices. Consider the rise in the number of recent cyber-attacks and think about getting cyber security accreditation to demonstrate to clients the importance you’ve placed on their information.
Review – Now is the time to look at the information you hold and complete an assessment of where it is held and what you currently do with that data. Are you holding data you don’t really need? Remove it from your systems.
The GDPR is an evolution of current rules but does impose stringent accountability and transparency obligations on a firm’s data controllers. If you need further guidance, the ICO website provides help and advice.