In the balance

Most firms are now well aware major changes to data protection regulations are afoot, with the advent of the General Data Protection Regulation (GDPR), which becomes law as of 25 May 2018.

But should those changes be seen as a benefit to firms, or a further compliance burden to be borne at significant additional cost and risk?

The benefit

Elizabeth Denham, the Information Commissioner, is of the very clear view that firms which treat the implementation of the GDPR as something more than a burden will be the ones who can find a payoff through having a competitive edge.

At the spring 2017 conference of the Information Commissioner’s Office (ICO) in Manchester, Ms Denham said: ‘If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance. But there’s a carrot here as well as a stick: get data protection right, and you can see a real business benefit.’

Ms Denham also told the audience that only one in four adults trust businesses with their data, and that law firms should see themselves as ‘the guardians of trust in a digital age’. So there is an opportunity for firms to market their high levels of security, and to build that relationship of trust with consumers and businesses, who see perhaps too many commercial organisations fail to take sufficient care of their data. This sits very well alongside the notion of solicitors as trusted advisers.

The burdens

Reporting burdens will increase significantly under the GDPR.

It will be mandatory to report to the ICO any breaches likely to result in a risk to the rights and freedoms of individuals. This must be done within 72 hours of becoming aware of the breach. Failure to notify a breach can result in a fine of up to two per cent of turnover – in addition to the fine for the breach itself (on which, more below).

We will also need to notify the individual of a breach if it is likely to result in a high risk to their rights and freedoms (a higher threshold than for notification to the ICO).

Firms will need to invest in training staff carefully as to what constitutes a breach and what must be reported.

In light of the very tight timescales for reporting and the hefty fines involved, firms will also need to put in place a robust breach detection system, plus good investigation and internal reporting procedures.

Rules around subject access requests also become more difficult, again with significant fines for getting it wrong. These rules were complex under the old regime: they are about to become a whole lot worse.

The risks

The fine for non-compliance has risen from £500,000 under the Data Protection Act, to up to four per cent of turnover, or €20m.

The risk of breaches being identified is higher because consumers (or clients) are becoming ever more aware of their rights. Some 18,300 cases were brought to the ICO last year, an increase of 2,000 on the previous year. Meanwhile, the ICO is busy recruiting staff to beef up its operation in Wilmslow, and has already said that it has law firms in its sights.

A serious data breach will also need to be reported to the Solicitors Regulation Authority (SRA), which could take action against a firm for a breach of principle 10 of the SRA Code of Conduct (protecting client money and assets).

Data breaches would also leave firms vulnerable to civil claims for damages from individuals whose data we misuse; they can sue for breach of the GDPR, misuse of private information, and/or breach of confidence.

Firms also risk criminal prosecution. 21 convictions were secured last year: six for non-notification offences; four for failing to respond to an information notice; and 11 for unlawfully obtaining data. These numbers may look relatively low, but they add up to a 50 per cent increase in criminal prosecutions, and the numbers are unlikely to stop there.

What firms need to do

We certainly need to take the new regulation seriously: there is too much at stake not to. If there are any firms out there which haven’t yet embarked on a rewrite of policies and procedures, together with a training programme – now may be a good time to start. The longer you leave it, the harder it will be.

The longer strategic play is not just about avoiding fines, it’s about winning customer confidence and being seen as the kind of business that can be trusted. The firms which can get it right – which are prepared to buy into the whole notion from boardroom level down, and train their staff properly – will be the winners in the new GDPR environment.