On 25th May 2018, the landmark GDPR will bring about a profound shift in the way organisations are expected to manage their data. The General Data Protection Regulation replaces 20 years of legislation under the Data Protection Act and fully addresses the sensitivity of personal information today.
As the legal sector is involved in extensive personal data processing, it is imperative that law firms are prepared for these changes. Failure to do so could result in heavy fines of up to 4% of annual turnover, or 20 million euros, not to mention a compromised reputation. Shockingly, however, recent research found that only 25 per cent of UK law firms are prepared for GDPR.
So what do you need to know about GDPR for the legal sector, and how should you prepare for its release?
Basics of the GDPR
A key point to note about GDPR is that the UK government will adopt the regulation even post-Brexit, and that it applies even if your systems are located abroad. The EU website for GDPR emphasises that the rules apply to both data controllers and data processors, and that includes law firms.
Why it’s important
One in five UK law firms has suffered a data breach. Hacking poses a real risk to law firms’ infrastructure and corporate data, to clients’ personal data and, by extension, to company reputation. With the growth of online services and remote working, the need for comprehensive data protection systems is greater than ever.
A streamlined data protection protocol for all EU states will create more efficient cross-border transfer of information. And, of course, the increased motivation to improve data storage and processing procedures will improve the productivity of any law firm.
How will GDPR change data protection for law firms?
The impact of GDPR on the legal sector is wide-reaching. Firstly, law firms will be expected to gain consent from data subjects to process their data in each instance of its use. The regulation also stipulates that organisations may only use personal data that is relevant and necessary to the service they provide, and that only those involved in processing should have access to the information.
This may make legal discovery more complex. However, firms will no longer have to register data use with local DPAs. Instead, internal records of personal data retention must be maintained, or firms risk fines of up to 2% of annual turnover. Firms must also ensure that all new and existing systems are designed with privacy in mind.
Should a data breach occur, organisations will have just 72 hours to report it to the Information Commissioner’s Office and to notify affected subjects, unless they can demonstrate that the breach is unlikely to compromise individuals’ data.
What does GDPR mean for clients?
GDPR aims to give individuals more control over their personal information and to make it easier to obtain compensation for breaches. Clients will have the right to know whether a company is processing their data, what it is storing, and to what ends. They will be entitled to a free copy of these records, which they may transmit to another data controller. This makes it important to ensure all records are kept in a client-friendly format.
Subjects also have rights concerning profiling, data portability, objection to processing, and subject access, so law firms should prepare official channels for handling these requests. Finally, individuals have the right to request at any time that all of their personal information is removed from company systems.
GDPR for the legal sector – what law firms need to do
Under GDPR, data protection for law firms must be stepped up. All staff must be trained in compliance with data protection policies. These must be upheld with regular security log monitoring and a comprehensive audit trail of how data is used.
The GDPR requires all organisations that process “data relating to criminal convictions and offences” to appoint a specialist Data Protection Officer, making this role vital for most law firms. However, the regulation allows the role to be filled by an external service provider. Since an internal employee would have to demonstrate expertise in data protection and be given regular training and resources to carry out these tasks, it is often more effective to outsource your legal data protection to a specialist company.
Professional providers of GDPR services for the legal sector have expert knowledge of the latest regulations and systems, and can carry out the role without the conflict of interest that arises when an employee’s other duties overlap with DPO responsibilities. To find out more about our specialised network security and data protection services for law firms, call CBS today on 020 3355 7334.