What action should lawyers be taking today on GDPR? Like many people in the Legal sector, I have reached saturation point regarding the new European Data Protection Regulation (GDPR). Every day my inbox fills up with academic emails explaining some nuanced point of GDPR that is of no practical relevance. Too often the guidance we get from fellow lawyers tells us the 'what' and not the 'how' of GDPR. Below are some tips on action that law firms can take today to help align their operations with GDPR.
Tip 1: Figure out whether you must appoint a Data Protection Officer (‘DPO’). Under GDPR you must appoint a DPO if:
- You are a public body, or
- You carry out monitoring of individuals on a large scale, or
- Your “core activities” consist of large scale processing of special categories of data.
It is important to remember that you will be in breach of GDPR and liable for the lower tier of fines if you do not appoint a DPO when you are supposed to. Article 83 of GDPR creates the potential for fines up to €10m or 2% global annual turnover for failing to appoint a DPO when you are supposed to.
Tip 2: Stop using painful privacy notices
Can you remember the last time you read a Privacy Notice? Me neither. Often Privacy Notices on law firm websites are dull, opaque, and off-putting to clients. GDPR expects more. When we tell our clients in a Privacy Notice (for example on the firm’s website) we must do so using language that is clear, plain and concise. My tips for Privacy Notices:
- Keep it as short as possible and use short sentences;
- Avoid jargon;
- Presentation – Set the Privacy Notice out in a clear way with a good structure; and
- Tone – Less airport security guard more helpful friend please.
Tip 3: Fix your staff policies
A big part of GDPR is being able to “demonstrate compliance” (Article 5) i.e. to show you are complying with the new regulation in all that you do with personal data. To do that you are going to must make sure you have the appropriate staff policies in place that can educate your workforce on their responsibilities regarding data processing across your law firm. You may need some new policies such as: Data Breach Incident Plan, Human Resources Data Protection Policy, Social Media Policy, and Bring Your Own Device Policy. Figure out where your policy gaps are and fill them.
Tip 4: Staff Training
Do not let your law firm underestimate the importance of staff training. One recent study found that human error is a leading cause of data breaches, featuring in 37 per cent of data breaches. My top tips for training staff are:
- Deliver basic data protection training to all staff;
- Work out who needs face-to-face training - for example if your firm has a marketing team or a HR Department then they may need data protection training related to their role;
- Make it engaging and relevant with lots of examples of how it impacts their everyday life and their job; and
- Record all training you carry out – it will be useful if a regulator ever comes knocking.
Tip 5: Reporting data breaches
Under Article 33 of GDPR you must notify the Regulator within 72 hours of some more serious personal data breaches. You must also communicate certain data breaches to clients and individuals affected without undue delay. Failing to report these breaches, or failing to report them in time, can attract major fines.
Two major tips:
- Educate your employees on their new responsibilities to report data breaches.
- Have a process in place to so that breaches can be reported to regulators and customers efficiently.
Tip 6: Dealing with supplier contracts
A Data Controller decides how the personal data is processed a law firm being such an example. A Data Processor is an entity that processes data on behalf of the Data Controller for example outsourced services such as IT Support or Payroll Providers. Under GDPR when a firm is a Data Controller hiring a Data Processor to do work on its behalf it must insert certain clauses (see Article 28 GDPR) into the contract with that supplier to make sure the Data Processor behaves itself when it is handling personal data.
My top tips are:
- Make sure, going forward, that your contracts with suppliers and vendors have all of the GDPR clauses set out in Article 28 in place.
- Decide which of your historic contracts need to be updated.
Remember this GDPR is an action regulation, so get to work today on closing your GDPR gap.
Patrick O’Kane is a Lawyer and Data Protection Officer for a US Fortune 500 Company in London. He is the author of the book “GDPR - Fix it Fast - How to apply GDPR in ten steps”