New data rules loom
How will GDPR impact the legal sector?
GDPR replaces existing data protection legislation
The General Data Protection Regulation (GDPR) will be implemented on 25 May as a result of legislation pushed forward by the European Parliament.
Although Britain has decided to leave the EU, this is a piece of legislation that the British government will likely be adopting after Brexit. It is therefore important for those operating in the legal sector to have a clear understanding of what GDPR is, how it could impact them and what they can do to prepare for it.
What sections of GDPR will influence law?
The GDPR is a piece of legislation that has been in the works for four years and is finally coming into force. Having only been given the go-ahead in 2016, it sets out to create a framework that will determine how data is used, as the amount of data we handle continues to grow with advances in technology.
When this piece of legislation was announced, it was said that it would only impact huge organisations like Google, Facebook and Twitter — but this isn’t the case.
As law firms handle large amounts of data, they will already be familiar with the Data Protection Act of 1998 (DPA), but this will be replaced once GDPR is introduced. Law firms are controllers and processors of their clients’ data, meaning it is crucial for them to abide by the rules. If businesses do not comply with this new legislation, they can face significant penalties; an example of this would be a monetary penalty of 4% of turnover.
Once this legislation has been introduced it could make or break firms. This is one of the main reasons why law firms need to prepare themselves for the changes now rather than later — for their own protection and the protection of their clients.
The reasoning behind GDPR is to make it easier for victims of data breaches to claim compensation against organisations. This means that law firms should reassess their security policies and update any security systems they have in place to ensure the risk of any data breach is minimised.
Preparations to make for GDPR
There are multiple avenues law firms can go down to ensure that they are prepared for GDPR. This all starts with acknowledging the legislation, which will likely be adopted by the British government after Brexit.
To prevent any data breaches, law firms should be carrying out regular assessments and audits that review current data protection methods and, if appropriate, suggest new ways to protect data in line with GDPR.
This means taking a look at the data protection framework, then completing an audit that reviews any contracts with external companies to ensure compliance.
If a law firm has a third party that helps monitor its data, it is necessary to make sure that third party knows what it can and can’t do with the data.
These third parties also need to be informed that they must provide notification immediately of any suspicion of data breaches.
Staff data protection policies need to be updated. There are certain organisations that must have a designated Data Protection Officer under the legislation. However, even if one is not required under the regulations, consideration must be given as to whether the firm should have one in any event in order to protect the company and its clients.
Staff must be aware of the risks, the consequences of breaches and how they can prevent any mishandling of data. It might be useful to do this in one-to-one sessions to directly specify how data protection relates to their role within the business.