The European Union will be introducing the General Data Protection Regulation (GDPR) on the 25th of May, which is expected to impact businesses across all sectors. Although the UK has decided to leave the EU, this is a piece of legislation that the government will likely adopt after Brexit. It’s important for those operating in the legal sector to have a clear understanding of what GDPR is, how it could impact them and what they can do to prepare for it.
We have teamed up with personal injury experts, TRUE Solicitors LLP, to see what methods those in law should take to ensure GDPR compliance.
What is GDPR and what does it mean for those operating in law?
Plans for GDPR have been in the works for four years to strengthen the way data is used across Europe, and its implementation will soon become a reality. Only given the go-ahead in 2016, it will create a framework that determines how data is used, at a time when the amount of data we handle continues to grow with advances in technology. When this piece of legislation was announced, it was said that it would only impact huge organisations like Google, Facebook and Twitter, but this isn’t the case.
The Data Protection Act 1998 is the current legislation governing data usage, but once GDPR is introduced it will replace this piece of legislation that firms across the UK have come to know. Law firms are controllers and processors of their clients’ data, meaning it is crucial for them to abide by the rules. If businesses do not comply with this new legislation, they can face significant penalties; one example would be a monetary penalty of 4% of turnover, something that all firms will wish to avoid.
The introduction of GDPR will have a huge influence on those operating within law, as data is routinely processed on behalf of clients in the course of their cases. This is one of the main reasons why law firms need to prepare themselves for the changes now rather than later, for their own protection and the protection of their clients.
GDPR allows compensation claims to be made easily if data is misused or breached by a law firm, so clients should be prioritising protection at all costs. This means that law firms should reassess their security policies and update any security systems they have in place to ensure the risk of a data breach is minimised.
What to do before GDPR arrives
Preparing for GDPR’s introduction is essential, and there are many steps that those in law can take to do this. It all starts with acknowledging the legislation: even though the UK plans to leave the European Union, the UK will still be in the EU when this legislation is introduced, and GDPR will likely be adopted by the British government after Brexit, so it should not be ignored.
Law firms should begin by analysing their current data protection methods and agreeing on new ones that comply with this new piece of legislation; regular assessments should be carried out to ensure that they remain up to date and compliant.
It’s also essential that law firms review the policies within their own contracts, and the external contracts they make with other companies, to ensure they are working within the framework of data protection. If you have a third party that helps monitor your data, you need to make sure you outline what they can and can’t do with it, and inform them that they must notify you immediately of any suspected data breach. Update your staff data protection policies to meet the new requirements, too. Certain organisations must have a designated Data Protection Officer under the legislation; however, even if you do not require one under the regulations, you should consider whether your firm should have one in any event in order to protect the company and its clients.
Regular employee training is important, as it makes staff aware of the legislative changes and keeps GDPR at the forefront of their minds. Make sure that staff are aware of the risks, the consequences of breaches and how they can prevent any mishandling of data. It might be useful to do this in one-to-one sessions where you can specify directly how data protection relates to each person’s role within the business.