Do you know that your law firm is a data controller under the new General Data Protection Regulation, and that you must comply with it or face fines of up to €20m or four per cent of your annual global turnover? Owen O’Rorke provides a beginner’s guide to compliance
This is a longer version of an article first published in the print edition of PS August 2017
Regardless of where we are with Brexit, the General Data Protection Regulation (GDPR) will take effect in the UK, and across the EU, on 25 May 2018 – less than 12 months’ time. In recent months, there has been no shortage of professionals – including solicitors – shouting about increased fines and liability. However, anecdotal evidence suggests that law firms themselves are lagging behind in terms of understanding their responsibilities as data controllers. This is of real concern, given the volume of information they hold, and its sensitivity and commercial importance.
And there’s no time to lose. There is no ‘transitional relief’ after May 2018: as the GDPR puts it: ‘processing already under way should be brought into conformity with this Regulation within [the period between May 2016 and May 2018].’ We have already noticed the existing data protection authority, the Information Commissioner’s Office (ICO), taking a harder line in enforcement as it interprets the existing law more aggressively, with a more ‘pro-data subject’ approach (emphasising individuals’ privacy rights).
Of course, many firms have quite properly brought in external consultants to get their systems GDPR-ready (and if they have not already, then they may be running out of time), but too often, this is treated as an IT project. In reality, it is an issue for every level of the business: GDPR requires board- and partner-level ownership of the issue, but basic data hygiene requires buy-in from all staff and fee-earners.
What is changing?
The basic structure of data protection law will remain the same after May 2018: data subjects will continue to enjoy rights which must be observed, and data controllers will continue to have to comply with data protection principles (although so will data processors in many cases). But the compliance burden will increase significantly, and firms – as data controllers – should be preparing for that in the diminishing window remaining before the new law applies.
Moreover, there is the cultural shift to consider: the GDPR stresses privacy by design and default, meaning that management decisions should always factor in the impact on (and build in the maintenance of minimum standards of) the privacy rights of clients and contacts from the outset. It also preaches transparency, in outward-facing statements and policies (both posted online and as a matter of client care), as to how data is used, and accountability for the reasons why firms use it. Firms must always be prepared to answer to the regulator (the ICO) and their clients when queries or objections are raised about how data is used. And the increased emphasis on data security and the rights of individuals means that all staff will want to clean up their habits in terms of everything from using devices and working from home, to how data is recorded on systems (including what should go into emails, and what should not).
There still seems to be some misconception that Brexit may mean the GDPR won’t come into effect. The Brexit vote followed less than a month after the GDPR came into force in May 2016, and led to a period of uncertainty during which the government said little about the GDPR. The GDPR may be EU law in origin, but the government has now been very clear that the GDPR will take effect in May 2018. Because of this initial confusion, the ICO issued less guidance than might have been expected in the first six months of the intended two-year run-in period. We can now expect some acceleration in the ICO’s guidance programme, and indeed the ICO has promised this via its website.
Why does the GDPR apply to law firms?
Because every law firm is a ‘data controller’. The GDPR defines a data controller as ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’. Every law firm obviously holds and processes the personal data of not only clients, but also partners and staff.
The GDPR will also apply to those who handle personal data for the firm. Partners, fee-earners and staff who process data in the course of the firm’s business do so under the firm’s authority as controller, and their conduct is the firm’s responsibility. External suppliers that process personal data on the firm’s behalf, such as marketing agencies or IT and cloud providers, will be ‘data processors’: ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.’
The firm’s senior management team must be made aware, if they are not already, that this is a significant compliance issue which requires careful attention and resources. This applies both now, in preparation for the change, and in future, given the additional compliance burden.
What action do you need to take?
1. Identify a compliance lead and raise awareness
The GDPR introduces the role of data protection officer (DPO). This role comes with a degree of independence, and specific qualifications and responsibilities (as well as rights and protections). It could be an external consultant, and group entities may share a single DPO.
The appointment will not be mandatory for every organisation, and law firms are an interesting example here. One determining question will be the scale or nature of the firm’s processing of ‘special categories’ of personal data, including medical information and (although this is carved out under the GDPR) information around criminal allegations – core activities for some firms, but not others. The recitals to the GDPR suggest that processing of client data by individual lawyers is not ‘large scale’ processing for the purposes of determining if a DPO is required.
It is therefore by no means settled whether all law firms will need to appoint a DPO within the strict meaning of the GDPR. What is certain is that it will be basic good practice to task an appropriate and qualified person with leading compliance efforts, and they will need to be sufficiently senior or have management support. They should be able to call upon not only a support team with IT skills, but HR, too: data protection must not be siloed as a technical systems issue. If that person is to be described as a DPO, their position will need to meet the requirements of the GDPR job description (even if the appointment is considered voluntary). A basic level of familiarity with the law is a prerequisite.
2. Ensure you are on top of the ICO and EU guidance
Get up to speed with existing guidance from the ICO, and also be alert to any new guidance on key issues as it is released.
A key role of the ICO is to educate data controllers as to their data protection obligations. Some of the legal tests around the application of the GDPR are not straightforward, but the ICO’s application of the law will be of more immediate impact on data controllers than legal or academic opinion. All data controllers should keep broadly up to speed with guidance from the ICO, available on its website at ico.org.uk. As the GDPR is EU legislation, some guidance will also be issued by the Article 29 Working Party – and will continue to be relevant for interpreting the law, even after Brexit.
Existing guidance includes a helpful short GDPR summary called ‘12 steps to take now’, and a 43-page ‘Overview’ document. Both are, like most ICO guidance, cautious, but intelligible and helpful. The Overview is a manageable alternative to reading the 173 recitals and 99 articles of the GDPR itself, and the ICO has promised to update it as it forms a view on various aspects of interpretation, taking into account the views of other European authorities. In October 2016, the ICO issued a privacy notices code of practice: the first such topical guidance clearly to reference the new requirements of the GDPR. There is also some existing guidance from the EU, including on data protection officers, the new right of ‘data portability’ and identifying a data controller or processor’s ‘lead supervisory authority’.
In November 2016, the ICO gave some further indications of guidance which data controllers can expect to see both from Brussels, and from the ICO direct. This includes guidance on consent (a draft was issued in March 2017, with the revised version post-consultation due this summer), and on contracts and liability between data controllers and data processors (due ‘early in 2017’, although it has not materialised at the time of writing). The ICO has added a page to its website called ‘Guidance: what to expect and when’, which outlines new and upcoming guidance from both the ICO and other bodies. However, it seems unlikely the guidance will be comprehensive by 25 May 2018, when the law will be effective.
3. Carry out an audit of the personal data you hold and use, and why
The scale of this task may demand an external consultant, but management needs a working corporate knowledge of this information too. Some questions to consider follow.
What nature of information do you hold on individuals? Where does it come from? What do you use it for?
Are those individuals aware of what you are doing with their data, and if you are relying on consents, how did you obtain them? What form of wording was used? Will those consents be valid under the GDPR?
Where you share personal data with third parties, what do they use it for, and again, do the individuals know?
Under the GDPR, ‘transparency’ and ‘accountability’ are key principles, so you will be expected to know the answers to the above, and more, when an individual data subject or the ICO asks the question. Record-keeping requirements are expanded under the GDPR, which means being able to show on demand the thinking behind any policy with an impact on privacy.
In terms of transparency, much fuller information is required from data controllers when they first collect personal data from individuals or from other sources; for instance, you will need to tell individuals about their data subject rights, their right to withdraw consent, and information about data retention. Reviewing the ICO’s recent privacy notices code of practice, referred to above, may well be a sensible place to start.
4. Identify any areas of potential vulnerability or gaps in your corporate knowledge
This should follow naturally from a review. Once undertaken, it may require taking remedial steps or seeking advice from appropriate professionals (inside your firm or out), but at least you will know where the key threats to your business lie.
5. Conduct a ‘privacy impact assessment’ before embarking on any major projects or policy changes
The GDPR gives legal effect to the concepts of ‘privacy by design’ – which means knowing in advance whether any relevant project (say, a marketing campaign or IT restructure) will create data protection issues – and ‘privacy by default’, which means that ‘default settings’ are friendly to individuals’ privacy rights. Most international transfers of personal data are likely to need special attention, and indeed, you will need to identify one or more of the GDPR’s ‘gateways’ to demonstrate the legal basis for data transfers outside of Europe.
6. Develop a policy for dealing with subject access rights
Among other changes included in the GDPR is a change to subject access rights: the regime that allows individuals to receive copies of the data you hold on them. The token statutory fee will be removed (except where requests are manifestly unfounded or excessive), and the period for compliance will be reduced from 40 days to one month. This is a particularly vexed issue for law firms since Dawson-Damer v Taylor Wessing EWCA Civ 74 (which may mean that beneficiaries will be able to use subject access requests to force trustees to reveal details of their confidential decision-making), and firms may want to consider, as a client care issue, who pays for the potentially huge cost of dealing with these requests where they are used as collateral in litigation or family and business disputes.
In tandem with the right of subject access, client care letters should also be clear about who owns the client file, what that means, and how it may be kept or returned (noting recent updates in Law Society guidance on this issue). Above all, fee-earners must learn to be circumspect about how they record and communicate information about clients, opponents and others (especially by email) because, as the case law shows, privilege (which, of course, is the client’s) will not always offer a cloak of protection here – especially around trust cases.
7. Review your contracts with data processors and IT security
The GDPR requires data controllers to ensure that the data processing contracts they make with data processors are compliant with the GDPR. These changes mean that any data processing contracts or clauses will need review – and perhaps careful drafting – before the GDPR takes effect. There remains an argument, untested at law, that law firms may be data processors of client information on the client file – but they will indubitably be liable as data controllers for a considerable amount of the information they hold.
Having the right IT provider – which can offer encrypted devices, secure mail servers and storage – will, of course, remain a priority. There are plenty of other articles that consider the technical side of cybersecurity. Just as important, however, is getting buy-in from staff, instilling a culture of awareness, and supporting the systems with policies that are actually followed.
8. Watch out for, and get to grips with, particular changes
Specific changes include the following.
- Registration. This will be abolished as a requirement of European law. But the ICO needs to fund its regulation of data protection, and it is likely that a new levy will be imposed on data controllers: we will find out more over the coming months.
- Application. The GDPR applies more widely than the existing Data Protection Act 1998. For the first time, data processors will have direct obligations under the law (and contracts with them will need updating); so too will data controllers based outside the EU but offering goods or services to individuals within the EU, or monitoring their behaviour.
- Consent as a basis of ‘fair and lawful processing’: tougher rules. ICO guidance on GDPR consent was published in March 2017 for consultation, which has now ended; the delayed final guidance is not now expected until later in the year. In addition, a new ePrivacy Regulation is currently in draft; this is intended to come into force (replacing PECR) alongside the GDPR in May 2018. As it stands, direct marketing rules will remain broadly unchanged, although the ePrivacy Regulation’s definition of ‘consent’ will be determined by the GDPR. Law firms’ email direct marketing activities tend (albeit not exclusively) to be aimed at ‘corporate subscribers’ – meaning contacting email addresses at people’s places of work – which does place a lower compliance burden, but data protection law still applies. It applies not simply in what is sent but how the database is handled, whether it is up to date and accurate, and how much information it is fair (and within reasonable expectations) to keep on clients, potential clients and intermediaries. The GDPR would expect greater transparency about this activity, and individuals will be able to demand it by law.
- Legitimate interests as a basis of ‘fair and lawful processing’. Tougher rules will apply here too. Legitimate interests was historically a helpful fall-back: if what you are doing is broadly reasonable having regard to the individual’s interests, but it is difficult to get consent, ‘legitimate interests’ may be available. Going forwards, any processing on the legitimate interests basis must be identified in advance and notified to those who may be affected. An individual will be able to challenge processing on this basis, require an explanation, and prevent further processing unless you can show ‘compelling’ legitimate interests which override their rights.
- Other new and expanded rights. These include the so-called ‘right to be forgotten’ (broadly, erasure of information – eg where it has become irrelevant and cannot otherwise be justified); enhanced rights to object to certain other types of processing where a legal basis cannot be made out; and the right to ‘data portability’ (ie preparing your data and IT systems to enable individuals to request a transfer of relevant information that you hold on them, in a machine-readable format, to a third party, eg a new supplier). The impact of these new rights will not be felt until the law changes in May 2018, but they increase the imperative for getting your firm GDPR-ready – not least because they can be used in tandem with subject access, or as a follow-up.
- Transparency. As noted under step 3 above, much fuller information is required from data controllers when they first collect personal data from individuals or from other sources: for instance, you will need to tell individuals about their data subject rights, their right to withdraw consent, and information about data retention. Reviewing the ICO’s recent privacy notices code of practice is a sensible place to start.
- Accountability. You will have to be able to demonstrate your compliance with the data protection principles, and this duty falls proactively (and promptly) on the data controller rather than being for the ICO or an individual to prove. In certain circumstances, the GDPR requires that both data controllers and data processors keep records of their data processing activities, which will go some way to replicating the information in the ICO’s current register of data controllers, albeit with more detail.
- Security breaches. Unless you can show that a personal data breach (essentially the actual or potential loss, corruption, unauthorised disclosure or theft of data) is unlikely to result in a risk to individuals, you will have to report that breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. Where the breach is likely to present a high risk to particular individuals, they should be notified directly as well. Meeting the 72-hour window in practice depends on having an internal reporting route that staff actually use, and on keeping a log of every incident, including those judged not to meet the reporting threshold and the reasons why.
What are the implications of non-compliance?
Underpinning all these changes is a drastically increased set of sanctions – including a raising of the ICO’s current maximum fining powers from £500,000, to a maximum of €20m or four per cent of annual global turnover, whichever is higher. These fines will undoubtedly be crippling to any business, including a law firm.
The GDPR is a reality for all businesses in England and Wales which hold data about individuals, including law firms. If you aren’t already looking at how to comply, start immediately – or it may soon be too late.
The print version of this article incorrectly refers to a law firm as a data processor, and not a controller. We apologise for any confusion caused.