GDPR And The Legal Sector: Separating Fact From Fiction
In insight / By Lydia Cooper / 02 May 2017
At the moment, everywhere I turn I am met with yet another article scaremongering about the General Data Protection Regulation (GDPR). I've heard stories of fines for non-compliance of anything between 4% and 10% of global turnover, as well as promises that Brexit will provide some sort of respite from GDPR, which is certainly not the case.
If, like me, you find the concept of data protection law at best a little dry and at worst totally overwhelming, then the following video should help. Last week I sat down with Jonathan Armstrong, a Partner at Cordery, a firm who pride themselves on helping law firms to manage the ever-increasing compliance burden. Jonathan has spent 25 years working in the industry and knows the difference between fact and fiction when it comes to GDPR. Here we set the record straight on what GDPR means for UK legal firms and the practical steps they need to take in order to be compliant.
First of all, what is GDPR?
The GDPR is set to become part of UK law (and EU law, which also applies to organisations outside the EU) on the 25th of May 2018, and your company will be legally bound by it; there is simply no getting away from it. The GDPR, put forward by the European Commission in 2012 and finally agreed upon by the European Parliament and Council in April 2016, is set to replace the Data Protection Directive. Although many companies have already adopted privacy processes and procedures consistent with the existing Data Protection Directive, the GDPR contains a number of new protections for data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018.
In less than 400 days’ time the regulation will come into effect, and the fines for non-compliance are either EUR 20 million or 4% of global turnover. Those who think that Brexit will have any impact on GDPR need to think again: we now know that the UK is likely to leave the EU in 2019, whilst GDPR applies from 2018. Therefore, whilst the UK is still in the EU, the new legislation will apply to us. According to Jonathan, there isn’t a scenario in which the UK doesn’t get tougher on data protection; at best Brexit is a red herring, and it could make the situation worse for the UK.
Solicitors are already subject to the Data Protection Act 1998 and a number of professional obligations surrounding data protection, and none of this changes with GDPR – it simply amplifies the need to take it seriously. Solicitors already understand the security obligations they are under, particularly when it comes to IT-related data, and many may already have further protection measures and guidance available via their managed IT provider, as Nasstar clients do.
However, for those who need further guidance, the short video below covers all of the GDPR basics, explains how it will affect the legal sector specifically and offers some practical tips from a legal industry perspective.
One of the most important takeaways from my conversation with Jonathan is to exercise data protection by design and by default, so that protection is built into every new solution, product or process. This can be done by carrying out data protection impact assessments (DPIAs) to identify threats or risks. Look at it like a business case: what are you trying to achieve, what’s the harm, and how do you fix the harm?
Here are some more practical steps to getting GDPR ready:
Have an action plan – take a risk-based approach and prioritise
Have a proper data breach response plan – like a fire evacuation plan, it needs to be easy to follow and rehearsed
Invest in proper technology – Nasstar reduces risk with its managed platform, but this needs to be implemented properly throughout the business
Review vendor contracts – you will need their help to report security breaches. Check that you have the right contract with them, and find vendors who know GDPR
Put in place a DPIA process
Get your documents and records ready to produce in a regulatory inspection and make sure you factor this into overhead costs
Plan for a world without reliance on employee consent, and with tougher consent requirements generally
Make sure rights such as the right to be forgotten and the right not to be subject to profiling are all covered in policies and procedures
Brief the board and look at annual reporting requirements
Train staff on all aspects of the law so that all staff understand the risks
Set up and undertake regular compliance audits / reviews
Sense check your plans with specialist lawyers
If you have any further questions on GDPR, you can head over to Cordery's website for a list of FAQs where they explain the new General Data Protection Regulation in plain English, covering every part of it.
We are currently helping a number of our customers get to grips with GDPR, and our professional services team are experts on the details of the fine print. Nasstar’s professional services team take a consultative approach, providing solutions such as automation, data cleansing and integration of systems to streamline the process of gathering consent. If you need any help getting through GDPR and into compliance, please do get in touch.