Preparing for the GDPR – What do you need to know right now?


19 February 2018

Posted by Craig Forsyth, marketing & training coordinator at Legal Futures Associate Centre for Assessment

Forsyth: Start preparations ASAP

On 25 May 2018, the EU General Data Protection Regulation (GDPR) becomes enforceable. That might seem like a long time, but it is just over 100 days away at the time of writing. In fact, the GDPR was adopted back in April 2016; May 2018 marks the end of the two-year transition period before it applies.

The GDPR brings with it a whole host of changes, and the penalties for non-compliance are higher than ever: for the most serious infringements, up to 4% of annual worldwide turnover or €20m, whichever is higher. But how do you prepare? What do you need to change first? Where do you even start?

Fortunately, the reality of GDPR isn’t exactly the apocalyptic scenario that many observers in the legal industry are predicting. You won’t lose all your clients and you won’t have to ask them all if you can still use their data.

The GDPR is essentially a means of bringing the outdated Data Protection Act 1998 into the modern age, taking account of the advances in information technology that have so radically changed the way data is collected and used in the 21st century.

So what are the key things that law firms need to be aware of for GDPR? What should solicitors be looking at as a priority to be prepared for 25 May? We’ve compiled a list of the top five major changes brought in by the GDPR that legal professionals need to make themselves aware of today.

Privacy by design

Under the GDPR, both data controllers and data processors must consider data privacy and protection from the very beginning of any process, not bolt it on afterwards. This way of thinking ensures that personal data is protected at every step, and that every level of an organisation is responsible for data privacy.

Direct obligations for processors

With the Data Protection Act 1998, a common excuse given to avoid fines was to say that your organisation was not a data controller, but in fact a data processor. This was because data processors had fewer responsibilities than controllers.

Under the GDPR, processors have direct legal obligations of their own, including the duty to keep personal data secure, and both controllers and processors can be held accountable for data breaches. No excuses!

72-hour breach notification

Under the Data Protection Act 1998, there is no general legal obligation on data controllers to report a data breach once it is detected. Under the GDPR, a personal data breach must be reported to the supervisory authority (in the UK, the Information Commissioner's Office) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Notifications made after 72 hours must be accompanied by reasons for the delay, and processors must inform the controller of any breach without undue delay.

Stronger data subject rights

The DPA 1998 gives subjects many rights, such as the right to access the information held on them and the right to prevent processing for direct marketing. GDPR significantly expands these rights.

Data subjects now have a right to data portability, which requires the personal data they have provided to be made available in a structured, commonly used and machine-readable format so that it can be moved to another provider. Existing rights are also widened in scope, including the right of access and the right to erasure (the so-called "right to be forgotten").

Mandatory data protection officer

This may only apply to larger firms, but it is still worth noting. Organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data, must appoint a data protection officer (DPO) to oversee data protection across the organisation. The DPO must have expert knowledge of data protection law, report to the highest level of management and have the independence to act without instruction on how to carry out their tasks.

Tackling the GDPR can be daunting, especially with the knowledge that it will have a huge impact on how your firm handles data. Old processes will need to be completely replaced and compliance will take a concerted effort.

If you are looking for guidance, you can also visit the Information Commissioner's Office online, where it has published a handy guide to GDPR preparation. There are also many organisations and individuals providing expert GDPR workshops, such as us.

However you choose to start your preparations for the GDPR, it is important that you start as soon as possible. The sooner you can begin to demonstrate compliance, the easier it will be to continue practising law as normal after 25 May 2018.
