Posted by Craig Forsyth, marketing & training coordinator at Legal Futures Associate Centre for Assessment
On 25 May 2018, the EU General Data Protection Regulation (GDPR) comes into force. That might seem like a long time, but that’s just over 100 days away at the time of writing. Actually, GDPR was adopted back in April 2016, May 2018 is the end of the two-year grace period.
The GDPR brings with it a whole host of changes, and the penalties for non-compliance are higher than ever, either 4% of your annual turnover or £20m, whichever is higher. But how do you prepare? What do you need to change first? Where do you even start?
Fortunately, the reality of GDPR isn’t exactly the apocalyptic scenario that many observers in the legal industry are predicting. You won’t lose all your clients and you won’t have to ask them all if you can still use their data.
GDPR is simply a method of bringing the outdated 1998 UK Data Protection Act into the modern age, considering the advances in information technology that have so radically changed the face of data in the 21st century.
So what are the key things that law firms need to be aware of for GDPR? What should solicitors be looking at as a priority to be prepared for 25 May? We’ve compiled a list of the top five major changes brought in by the GDPR that legal professionals need to make themselves aware of today.
Privacy by design
With GDPR, both data controllers and data processors must think about data privacy and protection from the very beginning of any process. This method of thinking ensures that user data is protected every step of the way and all levels within an organisation are responsible for data privacy
Direct obligations for processors and more obligations for processors
With the Data Protection Act 1998, a common excuse given to avoid fines was to say that your organisation was not a data controller, but in fact a data processor. This was because data processors had fewer responsibilities than controllers.
With GDPR, both controllers and processors are responsible for data security and equally accountable for data breaches. No excuses!
72-hour breach notification
Under the Data Protection Act, once a data breach is detected, there is no legal obligation for data controllers to report it. Under the GDPR, all data breaches must be reported within 72 hours of becoming aware of the breach, without undue delay and where feasible. Notifications made after 72 hours must be accompanied by reasons for the delay.
Stronger data subjects rights
The DPA 1998 gives subjects many rights, such as the right to access the information held on them and the right to prevent processing for direct marketing. GDPR significantly expands these rights.
Data subjects now have the right to portability, which requires any information requests to be provided in an easily portable form, such as a memory stick, as well as existing rights such as the right to be forgotten and right of access being increased in scope.
Mandatory data protection officer
This may only apply to larger firms, but it’s still worth noting. Large businesses that handles large amounts of data must appoint a data protection officer (DPO) to oversee all data usage throughout the organisation. The DPO must have expert knowledge of data protection law, report to the highest level of management and have the power to act independently.
Tackling the GDPR can be daunting, especially with the knowledge that it will have a huge impact on how your firm handles data. Old processes will need to be completely replaced and compliance will take a concerted effort.
If you’re looking for guidance, you can also visit the Information Commissioner’s Office online, where they have published a handy guide to GDPR preparation. There are also many organisations and individuals providing expert GDPR workshops, such as us.
However, if you choose to start your preparations for the GDPR, it’s important that you start as soon as possible. The sooner you can begin to demonstrate compliance, the easier it will be to continue practicing law as normal after 25 May 2018.