On the 25th of May 2018, the General Data Protection Regulation (GDPR) will be introduced as official legislation by the European Union. Although Britain has decided to leave the EU, this is a piece of legislation that the British government will likely be adopting after Brexit. It’s important for those operating in the legal sector to have a clear understanding of what GDPR is, how it could impact them and what they can do to prepare for it. For this reason, we’ve teamed up with personal injury experts, TRUE Solicitors LLP, to find out more.
What is GDPR and how will this have an impact in law?
In summary, GDPR has been a piece of legislation that has been in preparation for four years. Only getting the go-ahead in 2016, it sets to create a framework that will determine how data is currently used, as the amount of data we handle continues to grow with the advancements in technology. When this piece of legislation was announced, it was said that it would only impact huge organisations like Google, Facebook and Twitter — but this isn’t the case.
Those working in law will be familiar with the Data Protection Act 1998, however, once GDPR is implemented, this will be suspended. Law firms are controllers and processors of their clients’ data, meaning it is crucial for them to abide by the rules. If businesses do not comply with this new legislation, they can face significant penalties — an example of this would be a monetary penalty of 4% of turnover, something that all firms will wish to avoid.
There will be a definite impact on the legal sector once this new legislation is introduced, and the changes could make or break a firm. This is one of the main reasons why law firms need to prepare themselves for the changes now rather than later — for their own protection and the protection of their clients.
Law firms handle a lot of personal data for their clients, and GDPR makes it an easier process for clients to claim compensation against firms that breach GDPR. This means that law firms should reassess their security policies and update any security systems they have in place to ensure the risk of any data breach is minimised.
How to prepare before implementation
There are many ways that a law firm can be prepared for the introduction of GDPR. This all starts with acknowledging the legislation — even though the UK plans to leave the European Union, this doesn’t mean that you should ignore the fact that we will still be in the EU when this legislation is introduced and that GDPR will likely be adopted by the British government after Brexit.
Firms should carry out regular assessments that will look at your current data protection measures and then come up with ways that will comply with GDPR once it is introduced to make sure that all your data is protected with no risk of any breach of GDPR.
Review your ongoing contracts and company policies to make sure that they are in line with the data protection framework. If you have a third party that helps monitor your data, you need to make sure you outline what they can and can’t do with it. Also inform them that they must notify you immediately of any suspicion of data breaches. Update your staff data protection policies to meet new requirements, too. There are certain organisations that must have a designated Data Protection Officer under the legislation, however even if you do not require one under the regulations you should consider whether your firm should have one in any event in order to protect the company and its clients.
Training is a key aspect that law firms need to look at when it comes to GDPR. Make sure that staff are aware of the risks, the consequences of breaches and how they can prevent any mishandling of data. It might be useful to do this in one-to-one sessions where you can directly specify how data protection relates to their role within the business.