GDPR compliance: key issues facing law firms
Only 25 per cent of law firms consider themselves to be compliant with the forthcoming EU General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018. According to a recent report (November 2017) by CenturyLink, based on a survey of 150 legal sector IT decision-makers, 75 per cent of law firms say they are not yet prepared. Yet the same report reveals that only 55 per cent of law firms have engaged data security professionals to help them with this task.
Given that data protection is constantly evolving and the legislation is complex and demanding, it is not surprising that the proportion of firms bringing in specialist help is expected to rise considerably over the next four months.
At SRM we work with a wide range of businesses including law firms of all types and size. Our experience shows us that there are certain specific issues which are most relevant to this sector.
DPA 1998 / DPA 2018
First, the good news. The vast majority of law firms are already bound not only by the current Data Protection Act (DPA) 1998 but also by their duty of client confidentiality under the SRA rules. As a result, they already have relatively robust systems and procedures in place. So, although the burden of compliance is significant, with GDPR imposing stringent requirements on organisations, we have found that law firms on the whole are well placed to apply GDPR across their business. What we have found, however, is a degree of confusion caused by Brexit, leading some to believe mistakenly that GDPR will not apply to the UK.
To clarify: in May a new UK Data Protection Act (the Data Protection Bill currently before Parliament, which will become the DPA 2018) is due to be enacted to coincide with GDPR taking effect. The new UK act will enshrine the principles of the GDPR in UK law, so a compliance programme built around GDPR will also deliver compliance with the new act. This means that the GDPR is relevant to all firms, even those with no clients or contacts outside the UK.
Data Protection Officer
Many firms will need to have a data protection officer (DPO) in place, and it is compulsory for those firms whose core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences. Finding someone internally to fill this role is often a problem, however, because few people with existing ‘day jobs’ have the required professional working knowledge of the forthcoming data protection regulations. We have found that many DPOs report feeling unsupported and ‘out of their depth’ until we become involved, providing expert resource and support.
Where processing of personal data (outside the special categories, which have their own conditions) relies on consent, that consent must be freely given, specific, informed and an unambiguous indication of the individual’s wishes. We have found that many firms misunderstand the requirement for consent under GDPR. In basic terms, ‘opt-out consent’ is no longer an option: clear consent must be obtained from the individual by some affirmative action. Existing consents gathered on an opt-out basis will not meet this standard, so current clients and contacts also have to opt in, and we have provided guidance on running opt-in campaigns before May 2018 to ensure that permission to contact is in place.
One of the main problems we have encountered with law firms is the need for awareness and training. From the senior partners to the most junior members of the office staff, everyone needs to be properly trained in correct data protection procedures. Compliance with GDPR is not the DPO’s job alone; it has to be a planned, business-wide strategy. This matters because, in our experience, human error is the most significant threat to data security.
Another area where we have found issues is international consolidation. Larger law firms continue to merge with their international counterparts, becoming part of very large global firms. The UK elements of these international firms must take particular note of the new regulations: it is inevitable that they will hold or process data relating to individuals in the EU (whether clients, third parties or employees) and so will be caught by the provisions of the GDPR, whatever the legislative environment in which their overseas associates operate.
‘Special’ categories of personal data
Under the GDPR it will be easier for clients who suffer ‘material or non-material damage’ as a result of a data breach at their firm to bring claims for compensation. In addition, as more UK firms come into contact with ‘special’ categories of personal data (for example, when handling an employment law case involving allegations of discrimination on grounds of sexual orientation), they could be exposed to the highest tier of fines if they fail to keep that data secure.
As a business development tool, law firms increasingly use the web, sometimes including forms of online advertising. We have worked with firms where this involves profiling individuals in the EU (in practice, this often simply means that the campaign’s geo-location settings do not exclude IP addresses associated with EU countries), and it is important that firms consider the implications of GDPR for these activities.
HR Data Processing
Employees will have the same rights as clients under GDPR, which means that data protection processes must also cover employee data. When considering the implications of GDPR, many organisations overlook employee data and often apply lower security standards and fewer controls to protect it than they do to client data.
Our GDPR team
SRM’s GDPR team provides a business-focused service to organisations of all types and size, at all ends of the GDPR-readiness spectrum. While we provide unrivalled technical and compliance expertise, we also understand how businesses operate, working with clients in the GDPR compliance process with the focus on delivering robust and effective compliance, not on selling products.
SRM has operated in this environment for many years. Our GDPR consultants are trained through a GCHQ-approved qualification and are able to advise on the strategic management of GDPR compliance. We can also take on the full DPO role.
Our GDPR self-assessment questionnaire (SAQ) has been developed to outline the key areas that need to be addressed and to provide a guide to your current state of GDPR readiness.
For more information on how our GDPR team can support and resource your organisation, contact Mark Nordstrom by telephone on 03450 21 21 51.
Visit our website: GDPR – The General Data Protection Regulation