The General Data Protection Regulation comes into effect across the European Union on May 25. It replaces the UK’s Data Protection Act 1998 (DPA) – and will bring data privacy up to date in the digital age. Brexit will not affect the new regulation as the government has confirmed it will fully incorporate it into UK law.
GDPR will give people stronger rights to access information that is held on them and requires organisations to manage that data better.
Will GDPR affect me?
Yes, it affects every organisation that either “controls” or “processes” data. If you’re subject to the Data Protection Act then you’ll be subject to GDPR, so it’s important to know what impact it will have.
What’s new with GDPR?
The Information Commissioner’s Office (ICO), the UK’s data privacy watchdog, is frustrated at the “scaremongering” about the new rules’ impact. GDPR is only a step change, it says, insisting it’s an evolution, not a revolution in data protection.
“It seems a much bigger task than it actually is,” says Duncan Finlyson, a director of Infolegal, which provides compliance advice and training for solicitors. “Most firms will already be in compliance with large parts of GDPR, otherwise they wouldn’t already be in compliance with the DPA or the SRA’s Code of Conduct.”
However, Julia Tutin, Client Adviser at Miller  warns law firms against complacency. “The new regulation requires organisations to have better data privacy procedures or risk punishment.”
The biggest changes are:
A person must give their explicit consent for their information to be held, defined as being “freely given, specific, informed and [an] unambiguous indication of the data subject’s wishes.” Implied consent, such as from pre-ticked boxes, is no longer good enough.
Consent must be verifiable, so a record of it must be kept. Also, information can only be used for the purposes for which consent has been given. So, a law firm cannot send clients marketing material unless they have agreed. People can also withdraw consent at any time.
There are much tougher fines for those that fall foul of the new rules – up to £17 million, or 4% of overall income, compared to £500,000 under the DPA.
However, the ICO has sought to soothe anxieties, saying it has “always preferred the carrot to the stick,” pointing out that only 16 out of 17,300 cases it dealt with in 2016/17 resulted in fines.
“Although the ICO says fines are “the sledgehammer in our toolbox”, GDPR gives it a range of sanctions – from warnings to reprimands and corrective orders – that could severely dent a law firm’s reputation,” says Tutin.
What do law firms need to do?
Here are three essential tips:
Tip 1. Audit your data
GDPR requires organisations to ensure data is secure, used fairly and lawfully, and only for the purposes that they have consented to. It also allows people to have their data erased – the “right to be forgotten” – if there is no longer a reason for it to be held or if they no longer agree to it being stored.
That means law firms should practice what Finlyson calls “better data housekeeping.” Every practice should do an audit of what data it has, to know which types of information it holds and for what purpose.
“If they don’t do that they won’t know what data they must disclose, delete or have a legal duty to hang on to,” says Finlyson. “That’s a process that many law firms will not have gone through before.”
It’s important to note that this obligation also extends to the information held on employees.
Tip 2. Prepare for more data requests
GDPR gives people new rights to access their data, so law firms must know where information is kept.
For a sole practitioner with a few hundred clients that shouldn’t be an issue. However, for larger firms that could be problematic, especially if some information is held in paper files, ledger cards or accounts books.
Some law firms are creating a central client register, says Finlyson, detailing what information is held and where.
Staff members must also know how to deal with a request for information. “You only have a month to respond, so it can’t sit in someone’s inbox for a week or two before being passed around the office,” says Finlyson.
Most law firms will not be obliged to appoint a Data Protection Officer, although it is a good idea for practices to have someone who is responsible for data protection, says Tutin. “They will ensure your practice complies with the regulations and can deal with information requests.”
Tip 3. Boost your security
The new regulation states that organisations must take appropriate steps to protect the data they hold. That includes IT security, such as firewalls, anti-virus software and perhaps encryption, but also ensuring staff members take steps to keep data secure.
But, says Finlyson, “many law firms aren’t doing enough staff training.” Most data breaches still result from simple mistakes. “It doesn’t matter how secure your systems are if your people aren’t,” says Finlyson. The biggest cause of data breaches in the legal sector between October and December 2017 was information being sent to the wrong person, according to ICO figures.
Is my law firm insured?
Your solicitors’ PI policy will provide coverage against third party claims, including loss of client money, loss of client data or deformation. However, a cyber policy provides additional protection above and beyond that offered by PI insurance.
It is therefore worth considering buying a cyber policy.
Organisations have a duty under GDPR to quickly notify the regulator and victims of an information loss if it affects their “rights and freedoms”. GDPR requires organisations to have “robust” breach detection and investigation procedures in place. However, if you’re one of the two-thirds of UK law firms that, according to the government, doesn’t have a crisis plan to deal with a data breach, then you might not know where to start.
Dealing with the fallout from a data breach can be difficult and expensive. The cost of responding to a breach is covered by a cyber insurance policy.
- expert advice on how to notify the regulator and clients
- an IT specialist to help get you back up and running
- if necessary, PR experts to help protect your company’s reputation
- compensation for any lost profits as a result of the incident.
The ICO might also investigate your firm if you have a breach, and although it says fines are a last resort, even a relatively minor penalty could hit a small law firm hard.
“GDPR has not been tested yet in the courts, so we cannot say categorically whether fines and penalties would be covered, but it is our opinion that they generally should be insurable, unless there is an element of ‘moral turpitude’,” says Quy. “For example, if a data protection officer was wilfully negligent and the organisation effectively condoned that behaviour by turning a blind eye.”
But, the costs of the investigation and defending any action by the regulator would be covered by a cyber policy even if the fines and penalties were not.
Having a cyber policy enables a sole practitioner access to the same sort of resources to deal with a cyber attack or data breach as a magic circle firm. “You can call the insurer’s crisis response team to help fix a problem as soon as it arises, day or night,” says Tutin.
Cyber insurance offers peace of mind and pretty good value for money, providing protection for a host of risks other than GDPR. “Speak to a good broker that specialises in PI, crime and cyber risks. They’ll advise you on how to cover the risks that worry you most and ensure there are no gaps in coverage. For most firms, completing a proposal form is the best way to help you make an informed decision,” says Quy.