Ignoring GDPR poses a major risk to business, and law firms are no exception. Indeed, those employed in the legal field are expected to be on the front line when it comes to regulation compliance. But despite GDPR being in place for almost a year, there is still a significant number of businesses that have yet to update their processes, policies and procedures in line with the regulations. Is your law firm one of them?
The data protection responsibility
Any individual or body that is considered a controller of data is responsible for protecting its users’ privacy. In the legal sector, this is the responsibility of Chambers and also of self-employed barristers. Anyone concerned with gathering, storing and using personal data, be that contact details, images or other identifiable information, has to comply with GDPR. Whereas businesses will be familiar with, and most likely already abiding by, the Data Protection Directive 1995, there are key differences between this and the GDPR. As outlined by this guide for barristers and Chambers, these include:
- Data controllers are accountable for, and must be able to demonstrate compliance with, data protection obligations;
- Personal data must be processed in a transparent manner, with data subjects being notified of processing;
- There are stricter rules relating to the extent of personal data which is stored, and to the length of time for which it may be kept;
- Data breaches must be notified to the supervisory authority and data subjects;
- There needs to be consideration of a person’s right to be forgotten;
- Data subjects will be entitled to receive a copy of personal data concerning them or have the data transferred to a third party;
- Data Protection Officers and Data Protection Impact Assessments may need to be employed/undertaken;
- New liabilities for processors have been introduced, which will include Chambers, when processing information for barristers.
Even though GDPR is an EU initiative, Brexit will not render the regulation obsolete. Identical rules will still be in place post Brexit, and it will be equally important to adhere to them. Law firms need to get compliant and stay compliant.
Ignoring GDPR – what are the risks?
The most obvious risk of ignoring GDPR is financial, with any business found to have done so facing a fine. The maximum fine is €20 million (£17.6 million) or 4% of global annual turnover (whichever is higher), although lower fines are payable by companies that have taken some measures to prevent data loss. The extent to which compliance checks are undertaken and penalties awarded is unclear, but there have already been a few high-profile examples. For example, a French data regulator fined Google €50 million for data protection violations.
Beyond the financial risk, there are other, equally damaging, implications.
Unauthorised use of personal data is a concern for all online users, and law firms have a duty of care to protect the privacy of anyone whose data they hold. Ignoring GDPR sends out a powerful message to clients and employees that their data security is not important, which can have knock-on effects for client satisfaction, loyalty and even talent retention and attraction rates.
The reputational damage to a law firm found to have been ignoring GDPR, particularly if a data breach should occur, would be catastrophic and is likely to have financial implications.
Do you need help checking how you comply with GDPR?
City Business Solutions provides IT services to the legal sector. We can help you with your GDPR concerns and advise you on what steps you need to take to become fully compliant. Want to know more? Get in touch today!