Time is running out for solicitors and law firms unprepared for the enforcement of the EU General Data Protection Regulation (GDPR) - but help is at hand, says Pearl Moses, head of risk and compliance at the Law Society.
You probably already know that the EU General Data Protection Regulation (GDPR) will be enforced from 25 May 2018 and that it’s been described as the ‘most significant change in data privacy regulation in 20 years’. Despite the prospect of large fines for non-compliance, recent research by IT provider CenturyLink found that 75 per cent of law firms are still unprepared.
So what do law firms need to do about it?
1. Understand what is required of you and your firm
If you are responsible for your organisation’s compliance you will need to understand the key concepts and principles of the GDPR to be able to implement the key provisions. For example, every law firm is now defined as a ‘data controller’ as they hold and process the personal data not only of clients but also of partners and staff. Senior management should be aware of the implications of this and invest in the appropriate resources necessary to enable compliance both before the deadline (there is no transitional relief after May 2018) and into the future.
2. Conduct a data audit
Firms should carry out an inventory of all data held by the firm, including electronic and paper files, accounts system records, address books, marketing lists of email and physical addresses, information stored on the web, and deeds and wills the firm holds. By now you should have conducted an audit of:
- what personal data you receive and/or hold
- where that data came from and who has access to it
- how you process and/or transfer personal data
- how you update, store and retain personal data.
3. Check your use of data is compliant
You will need to ensure that the way you process data is compliant under the new regulations. Undertake a review of all data protection processes and procedures within the firm and where necessary make changes in relation to:
- individuals’ rights (including the right to be forgotten)
- data subject access requests
- privacy policies
- receiving and requesting consent
- breach notifications.
4. Review your policies and procedures
Your policies and procedures should be relevant and proportionate for your legal practice – they are likely to vary between firms depending on the data held, the client and the nature of the work. However, they do need to be reviewed in light of GDPR, and, where any omissions or gaps are identified, rewritten to remedy those defects.
5. Train your staff
Make sure that all personnel are aware that the law on data protection is changing and that steps may need to be taken to ensure that the firm is compliant. This means training not just key staff, such as those responsible for collecting, handling and managing data, but all staff – as their actions could adversely affect your legal practice. Failure to do so can leave your firm open not only to sanction from the regulator but also to enforcement and possible fines from the Information Commissioner’s Office (ICO).
These initial steps are just the starting point on what for many firms is likely to be a long journey. However, the clock is ticking. The Law Society and the Risk and Compliance Service have resources that will keep you informed and up to date, and our Advisory Service can help you to develop and implement your own approach. Book a diagnostic assessment with us before 31 January and we will give you a 10 per cent discount on the usual cost. Email us at firstname.lastname@example.org or ring us on 0207 316 5655.