The General Data Protection Regulation (GDPR) will introduce new reporting requirements and financial penalties with regard to data breaches. Anna Drozd, EU professional practice policy advisor, and Arfah Chaudry, intern, look at the key changes for solicitors.
Unlike the current Directive 95/46/EC, the GDPR introduces specific provisions on data breaches and on when and how they should be notified to the supervisory authority (in the UK, the Information Commissioner’s Office (ICO)). Given the very high penalties the GDPR introduces for data breaches, and the nature of the data held by law firms, questions of data security and data breaches become all the more pertinent.
However, the GDPR’s requirements concerning data breaches and data security must also be seen in the broader context of solicitors’ obligations to keep clients’ affairs confidential (Chapter 4 of the 2011 Solicitors Code of Conduct). These cover, among others, the obligations to identify and mitigate the risks to clients’ information and to make sure that outsourcing of some services does not compromise clients’ confidential information.
The Solicitors Regulation Authority (SRA) has identified information security as one of the key risks that law firms should take into account (see most recent SRA Risk Outlook for 2017/2018).
Data breach remains one of the top concerns of law firms due to the nature of information held by them and the risks it poses to clients and the firms’ reputation.
Despite growing publicity of cybersecurity incidents around the world, law firms’ top concern remains the security of the paper files. The ICO data breach report for 2015/2016 indicates the two main data security issues affecting the legal sector are loss and theft of paperwork (27 per cent of reported breaches) and data being posted or faxed to the incorrect recipient (17 per cent). These are followed by the theft of an unencrypted device and sending an email to the wrong recipient (both 10 per cent).
It is not possible to state with certainty how many UK law firms have been affected by cybersecurity incidents, as data breach reporting is not yet mandatory (it will be once the GDPR starts to apply in May 2018).
The GDPR defines personal data breach as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’ (Article 4(12)).
Article 33 obliges the data controller to notify a personal data breach to the supervisory authority (determined in accordance with Article 55) only when it is likely to ‘result in a risk to the freedoms and rights of natural persons.’ If the data breach has a cross-border impact, or your firm operates across borders, or both, you should check which supervisory authority would be the lead one (see guidelines for identifying the lead supervisory authority). As the first Pan-European Personal Data Breaches Exercise, carried out by the Commission’s Joint Research Centre with several EU regulators, reported, it remains to be seen how cooperation between the supervisory authorities will work in practice.
It is also possible that your firm will have to notify the data breach to SRA (see Responsibilities of COLPs and COFAs) and other regulators if your firm operates across borders.
A breach resulting in a risk to the freedoms and rights of data subjects also has to be communicated to the data subjects affected (Article 34, subject to several exceptions). The notification has to be made ‘without undue delay’ and within 72 hours of becoming aware of the breach. If the notification to the supervisory authority is not made within 72 hours, it must be accompanied by reasons for the delay.
Data processors will have to notify data controllers without undue delay after becoming aware of a personal data breach.
According to Article 33(5), your firm will have to maintain documentation on data breaches, their nature and the remedial actions taken.
Article 33 of the GDPR specifies that the notification to the supervisory authority must include:
Because it will cost you your money, your clients and your reputation. The GDPR introduces fines of up to €10m or two per cent of the total worldwide annual turnover of the previous financial year, whichever is higher. Breaches may also result in substantial reputational damage, loss of billable hours or additional spending to replace hardware and/or software. Losing sensitive information about your clients’ affairs may also result in financial and reputational losses for them and may have a negative impact on your business in the long term.
What can your firm do?
There are steps you can take to get ready for the new data protection and data security regime:
In the coming months, the Law Society will be busy reviewing its current practice notes to reflect the requirements of the GDPR. The EU regulator, WP29, is expected to publish its guidelines on data breaches in the second half of 2017, along with guidance on international data transfers, profiling and consent.