Has your law firm started to prepare for GDPR? It's vital that your law firm not only understands the key legal obligations and risks that could impact your business but has started to develop a game plan for compliance.
On May 25th, 2018 the General Data Protection Regulation (GDPR) will replace the data protection directive of 1995 (officially Directive 95/46/EC). Data protection authorities can impose fines of €20 million or 4% of your firm's global turnover (whichever is higher), so it's important that you are able to show that data protection is a key consideration (rather than an afterthought) when designing any system that processes personal data.
If you're not sure where to start, here are 7 things to do to prepare your law firm for GDPR before the year comes to an end!
7 ways law firms can prepare for GDPR
Raise awareness
Law firms possess a large amount of personal data, so it's important that all your key decision makers appreciate the impact GDPR will have. As a best practive, you may want to appoint a person responsible for overseeing data protection tasks to ensure compliance with GDPR requirements. This person can serve as a reference for education and training throughout the firm, without necessarily being a designated Data Protection Officer (DPO), which GDPR requires of some organisations.
Document the personal data you hold
Conduct a full audit of all the personal data you have, where it came from and who you share it with.
Carry out a "Data Protection Impact Assessment"
It is recommended that law firms conduct data protection impact assessments (DPIAs) for all processing activities, regardless of risk level. DPIAs help you identify how your organisation's processes affect or might compromise the privacy of the individuals whose data you hold. If identified risks cannot be mitigated successfully, you will need to consult with a data protection authority before engaging in the processing activity.
Review your privacy policies and contracts
When it comes to privacy policies, you'll need to identify the lawful basis for your processing activity (ie. consent), document it and update your privacy notice to explain it. Law firms should also re examine their agreements with data processors, and draft new ones if required, to ensure that they meet the requirements with the GDPR.
Ensure "privacy by design"
The new GDPR makes it clear that privacy cannot be an after thought. It needs to be embedded throughout the process of designing products and services. This means is that technical and organisational measures should be in place to ensure that – by default – personal data is only processed insofar necessary in view of the processing purpose(s). For example you cannot use "pre ticked" boxes for marketing purposes or use data for purposes not specified.
Review treatment of consent and rights of data subjects
Under GDPR, the rules for obtaining valid consent from individuals are stricter. Law firms should review how they requested, obtained, recorded, tracked, and amended consent across all processes, from HR to Marketing and Business Development. Additionally, you need to check your procedures (technical and administrative) to ensure you are capable of providing the rights individuals have, including the right to be deleted or the right to data portability.
Review reporting of data breaches
Due to the confidential and secretive data law firms hold, they are often targeted by cybercriminals. Under the old DPA, firms needed to provide notification to data subjects and authorities, but with GDPR firms are also required to record information about any data breaches that occur. This documentation must be ready to be shared with a DPA, upon request. Furthermore, it's important to note that if your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority and document it.
Ensuring compliance is important for the longevity of your law firm. So don't get left behind in your compliance journey and prepare for GDPR starting now!
