How will the legal industry deal with GDPR?
The General Data Protection Regulation (GDPR) has been a huge topic across European media. With the 25th of May looming closer, businesses across the continent will have to adapt to the new legislation before its implementation date. Although Britain has decided to leave the EU, this is a piece of legislation that the British government will likely be adopting after Brexit. It’s important for those operating in the legal sector to have a clear understanding of what GDPR is, how it could impact them and what they can do to prepare for it.
GDPR: what is it and how will it influence those in law?
The GDPR is a piece of legislation that has been in the pipeline for over four years within the European Parliament. Only getting the go-ahead in 2016, it sets out to create a framework that will determine how data is used, as the amount of data we handle continues to grow with the advancements in technology. When this piece of legislation was announced, it was said that it would only impact huge organisations like Google, Facebook and Twitter, but this isn’t the case.
Legal firms in Britain will already be compliant with the current Data Protection Act (DPA) of 1998, but once GDPR is introduced and adopted as British legislation, it will replace the DPA, encouraging different methods of handling data. Law firms are controllers and processors of their clients’ data, meaning it is crucial for them to abide by the rules. If businesses do not comply with this new legislation, they can face significant penalties. An example of this would be a monetary penalty of 4% of turnover, something that all firms will wish to avoid.
These changes from the current DPA to GDPR could either help businesses that operate within the law sector or see them face many legal battles. This is one of the main reasons why law firms need to prepare themselves for the changes now rather than later, for their own protection and the protection of their clients.
GDPR has been created to help citizens whose data is being used, and law firms handle a lot of personal data on behalf of their clients. If there is a data breach, GDPR makes it easier for those affected to claim compensation. This means that law firms should reassess their security policies and update any security systems they have in place to ensure the risk of any data breach is minimised.
What to do before the 25th of May 2018 as a law firm
Law firms in the UK and across Europe can take many steps to ensure they are prepared for the implementation date. This all starts with acknowledging the legislation — even though the UK plans to leave the European Union, this doesn’t mean that you should ignore the fact that we will still be in the EU when this legislation is introduced and that GDPR will likely be adopted by the British government after Brexit.
To ensure that the data you store is not prone to a breach, it’s important for law firms to carry out regular assessments of current data procedures, then make the appropriate changes that are required to ensure GDPR compliance and avoid the large penalties — minimising the risk of any leak.
Examine your current company policies and contracts. This will allow you to see whether the methods you are using now are compliant with the data protection framework. If you have a third party that helps monitor your data, you need to make sure you outline what they can and can’t do with it. Also inform them that they must notify you immediately of any suspicion of data breaches. Update your staff data protection policies to meet new requirements, too. There are certain organisations that must have a designated Data Protection Officer under the legislation. However, even if you do not require one under the regulations, you should consider whether your firm should have one in any event in order to protect the company and its clients.
Realising the importance of training within a law firm is essential when GDPR is introduced. Make sure that staff are aware of the risks, the consequences of breaches and how they can prevent any mishandling of data. It might be useful to do this in one-to-one sessions where you can directly specify how data protection relates to their role within the business.
This article was provided by TRUE Solicitors LLP, a firm that understands the importance of GDPR and is an expert in personal injury claims.