The statement of intent on the UK's new Data Protection Bill, recently published by the Department for Digital, Culture, Media and Sport, should serve as a final reminder to UK law firms, if any was needed, of the imminent arrival of the General Data Protection Regulation (GDPR). The statement emphasises the UK Government's commitment to implementing the GDPR into UK law. It will apply to every organisation, law firms included, that processes EU residents' personally identifiable information.
Lack of preparation
The recent PWC Annual Law Firms Survey found an alarming lack of preparation among law firms: only 13 per cent had performed a GDPR assessment, and a further 19 per cent had performed only a partial assessment. The sanctions for breaches are stringent. Minor administrative breaches can attract a penalty of up to €10m or two per cent of annual worldwide turnover, and more fundamental breaches are subject to a higher fine of €20m or four per cent of annual worldwide turnover. The GDPR may be off the radar for many lawyers, but come May 2018, the strict sanctions will demand attention.
Steps firms must take to ensure compliance
1. Know the rules
The Information Commissioner’s Office is a good place to start, providing a comprehensive overview of the rules outlined in the GDPR. The Law Society of England and Wales, and the Council of Bars and Law Societies of Europe (CCBE) have both published guidance on GDPR compliance for law firms.
Be aware that the rules are not entirely final. Guidance is still being considered by the European Commission's Working Group 29, and the British government has proposed a new Data Protection Bill that will clarify many of the possible exceptions noted above. Important derogations are being sought by both the Bar Council and the Law Society of England and Wales to protect legal professional privilege. The status of these derogations will not be known until the final bill is presented in December 2017.
2. Recognise that law firms have different responsibilities under the GDPR
Both the original GDPR text and the government's statement of intent make it clear that organisations with professional privilege will be subject to variations of the rules that apply to most other groups. Seek out guidance that is specific to law firms so that you can make informed choices about your firm's obligations.
3. Educate and train
Make sure all staff are up to speed with the regulations and the impact they’ll have on how they handle customer data. Hold staff briefings, twice a year at least, on data protection. Run drills on simulated breaches to ensure preparedness.
4. Review policies and procedures
5. Review technology
Law firms should begin reviewing their technology and operations now in order to be compliant with the GDPR by May 2018. Article 32 requires data controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Such measures could include encrypting personal data, logging data access to ensure ongoing confidentiality and integrity, keeping backups so that data can be restored in a timely way, and establishing testing procedures to verify that the previous measures actually work. Data controllers should also take steps to ensure that anyone else granted access to personal data processes it only on the controller's instructions.
The area most at risk for law firms is the technology used to store case files and client contact details. This type of technology is commonly called case management or customer relationship management (CRM) software. Lawyers need to review what personal data they are storing, where it is held, and who is allowed to access it. While these seem like easy questions, once you factor in backups, employee access, and cloud vendors or online storage, mapping out your data can seem daunting.
6. Implement breach notification procedure
The supervisory authority must be made aware of any breach within 72 hours. If the breach is deemed to be "high risk", the firm must also notify the client directly. Firms should create standard breach procedure checklists to reflect this.
7. Appoint a data protection officer
If your firm processes large amounts of data (as clarified in Article 37), it will need to appoint a data protection officer to oversee all matters related to data protection, including training and compliance monitoring, and to act as a liaison with the Data Protection Commissioner.
Review the policies of any third-party data processors that you employ to ensure they are working towards full compliance by 2018. Use this list to start your audit.
The onus on firms
All law firms, and the legal profession generally, are highlighted in EU regulations as data controllers. This alone means law firms need to make data protection a top-tier concern in their internal risk assessments. In addition, many legal professional regulators, such as the Solicitors Regulation Authority (SRA) for law firms in England and Wales, make full compliance with the current Data Protection Act an explicit requirement. No other act or regulation gets the same emphasis, and that emphasis will certainly also be afforded to the GDPR.
Now is the time for firms to start thinking about GDPR and implement the necessary steps to ensure compliance before May next year.
Joshua Lenon is lawyer-in-residence at Clio.