Law firms must prepare for GDPR

Complying with the new GDPR provisions will also add value to your firm.

This article was first published by Solicitors Journal on 16 June 2017, and is reproduced by kind permission.

With less than a year until the General Data Protection Regulation (GDPR) takes effect on 25 May 2018 solicitors and other professionals should already be preparing for compliance.

This is particularly crucial for law firms, who tend to hold large quantities of personal data, including sensitive personal data. The GDPR took four years to finalise and this is a complete overhaul of data protection, so a detailed discussion of GDPR is beyond the scope of this article.

However, with potential fines of up to the greater of €20m or 4 per cent of a company’s global turnover, breach notification obligations and increased accountability, GDPR compliance will be crucial for all professionals.

The right of an individual to request copies of their personal data in permanent form, as part of a subject access request, is expanded under the GDPR to include the right of erasure (‘the right to be forgotten’), and a right of rectification, which will place obvious administrative burdens on firms.

The length of time in which firms will have to respond to subject access requests is reduced from 40 days to 30 days under the GDPR, and firms will no longer be entitled to charge the £10 fee for the subject access request.

The GDPR includes breach notification provisions which apply to both controllers and processors. Firms will be under an obligation to report a breach of security that leads to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

When acting as a processor, a firm must report all breaches to the controller without undue delay. When acting as controller, a firm must report all breaches (subject to certain exemptions) to the Information Commissioner’s Office (ICO) without undue delay and within 72 hours of becoming aware of the breach.

Where there is a high risk to the rights and freedoms of individuals there will be an obligation to notify the individual concerned as well as the ICO.

The recent trend towards outsourcing, in conjunction with the outcome focussed regulation of the legal services industry, has resulted in the Solicitors Regulation Authority releasing guidance as to how law firms can ensure that client data is protected.

Increased fines for data controllers (and the introduction of penalties for data processors) have heightened the risk faced by law firms in relinquishing control over client data. A maximum fine of the greater of €20m or 4 per cent of a company’s global turnover for failure to comply is a significant exposure for firms.

In light of the increased liability and specific contractual requirements under the GDPR firms should review their agreements with existing suppliers to ensure that they are compliant with the standards required under the GDPR.

The volume of changes being introduced by GDPR mean that firms should have started preparing by now. As well as being a regulatory issue, it’s important to be aware that good data protection will also add value to your firm.