Get Data Protection Right…

29/03/2018


The introduction of the General Data Protection Regulation (GDPR) on 25 May 2018 will change how lawyers store and use personal information, not only that of their clients but also that of their employees.

Under the new rules, law firms will need to address broadly the same issues as any other organisation seeking to comply with the stricter, EU-wide regulation that replaces the existing UK data protection legislation.

Why are changes being made?

The increased use of mobile phones and tablets to access the internet, together with the growth of social media, has changed the way people share their personal data, and businesses have developed highly sophisticated software to track online behaviour. It is not always apparent to consumers that they are being monitored, or that their personal data is being used by third parties to target marketing and drive sales. Once personal data is in the public domain it has been difficult for individuals to regain any real control over it.

The GDPR is intended to redress this imbalance: individuals will have greater control over how their personal information is stored and used, and that use will become far more tightly regulated.

What should law firms be doing to comply with the GDPR? 

Firms will need to be able to demonstrate compliance with the GDPR from the 25 May 2018 deadline. As a minimum, this means that firms are required to:

1. Carry out an impact assessment of the datasets your firm is responsible for.

2. Identify any data processors used by the firm and enter into a written contract with each of them containing the terms required by Article 28 of the GDPR.

3. Review your firm's data security practices and data protection training.

4. Designate an appropriate person to take ongoing responsibility for data protection compliance and, applying Article 37 of the GDPR, determine whether that person must be formally appointed as a Data Protection Officer.

The Information Commissioner's Office (ICO) provides detailed guidance on how to comply with the GDPR: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Most lawyers are used to keeping detailed records, so will already have processes in place for safeguarding personal information. It is nevertheless important that all employees in the firm are aware that data protection law is changing, and of the consequences for the firm if information is not stored and processed properly. The ICO recommends that:

You should document what personal information you hold, where and how you hold it, where it came from and who you share it with. Together, these records describe your datasets.

You should review your privacy arrangements and put in place a plan for any changes that are necessary to implement GDPR.

You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

You should update your procedures and plan how you will handle subject access requests within the new timescale (one month, rather than the 40 days allowed under current UK law) and how you will provide the additional information the GDPR requires in your response.

You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.

You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they do not meet the GDPR standard, and remember that consent is not the only lawful basis for processing information. Firms must ensure that their use of personal information complies with the other requirements of the GDPR, including data minimisation, respect for individuals' rights, and storage limitation.

In relation to children, firms should start thinking now about whether they need to put systems in place to verify individuals' ages and to obtain parental or guardian consent for any data processing activity (Article 8 of the GDPR sets the threshold at 16, and allows member states to lower it to no less than 13).

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach, including notifying the ICO within 72 hours of becoming aware of a breach where notification is required.

You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party and work out how and when to implement them in your organisation.

You should designate someone to take responsibility for data protection compliance and decide where this role will sit within your organisation's structure and governance arrangements. You should consider Article 37 of the GDPR to determine whether you are required to formally designate a Data Protection Officer.

If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.

Some parts of the GDPR will have more of an impact on some firms than on others (for example, the provisions relating to profiling or to children's data), so it is worth mapping out which parts of the GDPR will have the greatest impact on your business and giving those areas due prominence in your planning.

If you require assistance to get GDPR ready or any other law firm management issue, please do not hesitate to get in touch.

Kimberley Williams

Kwilliams@williams-wroe.com

0781 4499375
