Posted by Paul Bennett, a partner at Legal Futures Associate Aaron & Partners
Bennett: Law firm are at a higher risk than many consumer businesses
There’s a growing sense of trepidation amongst the UK’s legal community with the new General Data Protection Regulation (GDPR) coming into play in just a few months’ time.
I’ve spoken to many SME law firms over the past year and, although many of them know that it’s coming, the majority don’t yet know what they need to do about it.
It seems this confusion isn’t just confined to the legal profession either. I was very interested to read the findings of a recent survey by the learning provider Litmos Heroes, which found that almost 30% of UK business decision-makers say they are completely in the dark about the law changes and what they need to do to ensure their business is ready.
The study also highlighted a worrying statistic that suggested one in three businesses have done nothing at all towards becoming GDPR-compliant, and nine out of ten admitted that, if the regulation was introduced tomorrow, they wouldn’t be prepared.
GDPR was adopted by both the European Parliament and the European Council back in April 2016 and, since that time, we’ve been busy helping to train our clients on the new laws to ensure they have all the knowledge and the facts they need. And we’re actively encouraging them to move quickly and implement any necessary changes because the 25 May 2018, deadline continues to creep ever closer.
Although this started as a European Union law, Brexit will not change anything, as not only has the UK government decided to enshrine the new legislation in to the UK statute book, but a large number of UK businesses handle the data of EU citizens and, therefore, will have to comply.
Any that fall foul of the new regulation will face significant fines even for their first breach and non-compliance could cost firms four per cent of their annual global turnover, up to a maximum of €20m. These are eye-watering penalties that would have a major impact on the profitability and possibly the long-term future of any SME.
So, what do law firms need to do?
The GDPR will completely overhaul how businesses process and handle data. It’s the biggest change to data protection rules in decades and it’s come about because the old system was deemed no longer fit for purpose given the vast amounts of data and personal information many firms now have access to following digital advancements over the past 20 years.
In the context of UK law firms, many hold sensitive data and so are at a higher risk than many consumer businesses. Under GDPR, firms will be more accountable for their handling of people’s personal information and this could include having data protection policies, data protection impact assessments and having relevant policies on how sensitive data is used, stored and processed.
All employment contracts and policies for UK law firms need to be revised to ensure that, as employers, they comply with the new regulation. Some larger firms may also need to look into whether or not the appointment of a designated data protection officer is required.
There’s also a double regulatory risk that legal firms need to keep firmly in mind. In the UK, the GDPR will be enforced by the Information Commissioner’s Office, working in conjunction with the Solicitors Regulation Authority.
This two-pronged approach makes it even more crucial that law firms act now before the allotted window of preparation slams shut next May.
There is certainly a lot of scaremongering when it comes to GDPR and as the countdown to May 2018 continues, I fully expect the issue to gain even more column inches in the months ahead.
A little while back, Elizabeth Denham, the UK’s information commissioner, described it as a “step change” for data protection and “an evolution, not a revolution”.
For businesses and organisations already complying with existing UK data protection laws, that certainly should be the case. Getting GDPR-ready will still take some time but the changes should be relatively straightforward, and it’s hopefully just a matter of reviewing existing processes and making a couple of enhancements.
However, for those that don’t comply with current data protection laws, it may well involve a complete overhaul of data-handling policies and processes, which will take significantly longer. Whichever camp you fall in to, the time to act is now.
The first steps every firm should take – but most don’t, but leap into the detail of processes – is to a) map the data they have, b) audit against the GDPR requirements to decide where the gaps are and c) carry out a risk assessment to decide what the priorities are for the deadline – then get key people engaged to support the plan, filter out informaiton and get the priority tasks completed. If any of this has been skipped, you need to take a step back … but quickly.