The General Data Protection Regulation (GDPR) is a new EU regulation which replaces the UK’s Data Protection Act 1998. Any organisation dealing with individuals’ personal data will need to take a number of changes into account. This applies to lawyers in particular, who constantly handle highly sensitive personal information, so it is important that you are aware of the new regulation and how it will work.
The ultimate aim of the GDPR for lawyers, and those operating in other sectors, is to allow for easier data transfer across Europe. With all states of the EU and border countries following the same data protection protocol, data sharing across borders should become more straightforward. As a result, doing business with clients from EU member states will involve a smoother transaction.
What is the General Data Protection Regulation?
From 25th May 2018, new EU regulation will be put in place which will protect the rights and freedoms of individuals by protecting their personal data. The regulation takes account of changes in technology and in the ways in which organisations collect data, which is why more precise and inclusive regulation is required.
The new regulation consists of 6 core principles:
All personal information shall be:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes;
- adequate, relevant, and limited to what is necessary;
- accurate and, where necessary, kept up-to-date;
- retained only for as long as is necessary;
- processed in an appropriate manner to maintain security.
What Are The Main Changes In Data Protection Law?
There are a number of changes which will directly affect the way you deal with data within your legal chambers. All organisations dealing with personal data will be responsible for adhering to the new regulation and, as a result, there will be more stringent levels of accountability. For instance, penalties for the loss of data can result in your chambers being fined 4% of your global annual turnover, or €20m. There will be a two-tier penalties system in place, with the lower tier resulting in fines of 2% of your global annual turnover or €10m. All breaches must be reported to the Information Commissioner’s Office (ICO) within 72 hours unless it can be shown that there is unlikely to be a significant risk to individuals’ personal information.
There are also definitive changes with regards to consent. There is tighter regulation on what constitutes ‘consent’, and consent must be explicit. Therefore, consent obtained previously may no longer be valid. On top of this, individuals’ rights have also been enhanced, covering such things as objection to profiling, data portability, data processing, and subject access, amongst other things.
All of the above will apply to data processors, as opposed to only data controllers, as is the case under the current regulation. This means that all businesses are directly responsible for their own compliance. In the case of law firms, where data is both controlled and processed, companies must be doubly aware.
GDPR For Lawyers – Implications For The Legal Industry
The legal industry will be impacted in particular due to the nature of its business. Processes such as legal discovery, for example, may be made more complicated by the regulation. Otherwise, the GDPR has the potential to provide smoother data transfers across Europe and so aid any business working across borders.
In order to ensure that your offices are compliant with the regulation and not caught short, there are a few things that you will need to do in order to prepare:
- Review your existing data protection policies to ensure compliance with this EU regulation. Analyse the impact it will have on your policies and processes;
- Appoint a Data Protection Officer if necessary – this is a requirement if a data controller or processor is offering goods and services to, or collecting the data of, EU data subjects. The DPO will work with the national data protection authority;
- Review consent and fair processing notices, as most current consent mechanisms in place under the Data Protection Act will not be valid under the GDPR;
- Ensure that all employees dealing with the processing of personal data are aware of the new regulation and policies that your legal offices will need to implement;
- Ensure that, when designing new products or processes, EU regulation is adhered to.
In order to fully understand the implications of the General Data Protection Regulation, CBSIT can advise you on how GDPR for lawyers will work, how your law firm may be affected and how to prepare. CBSIT can also assist in the auditing of current processes and policies, and provide expert guidance on where to improve your data protection compliance in time for GDPR implementation on 25th May 2018. Contact us today to discuss your options.