GDPR: Are You Sure Your Law Firm Is Ready?

The General Data Protection Regulation (GDPR) will be a major element of data law in 2018. When it comes into effect on 25 May 2018, businesses will need to show careful consideration of their clients and employee’s data as well as a willingness to reveal if their company has suffered a data breach. For law firms and the legal profession in general, compliance with the GDPR should not be taken lightly and must be a priority for the sector.

Lay of the land – what will implementation look like?

While each firm will have bespoke requirements related to their sector and size, the GDPR’s implementation will have some components that all companies need to adhere to. The onus on the regulation is transparency, encouraging businesses to show a clear data trail and allowing specific data to be removed at the client’s request.

Businesses will need to clearly communicate what data they are collecting and for what reasons. Pre-ticked boxes or assumptions of consent will no longer be tolerated as individuals will need to actively and positively “opt-in” to their data being collected and used by the company. This added autonomy that clients have can be a challenge on a company’s internal processes. Should they request specific data points be removed, the business will need to comply and respond to the request effectively.

The GDPR also requires businesses to implement certain technical measures to ensure data is protected appropriately. Encryption is one recommended solution, however exact security measures business undertake will depend on the nature, scope, context and purpose of their personal data use. Ensuring data is secure is also a vital part of compliance. Another recommended solution is pseudonymisation, which involves processing data in such a way that it cannot be attributed to a specific individual without the use of additional data. For personal data to be pseudonymised the “additional data” must be securely kept separately to reduce the risk of identification. Although pseudonymisation is not a cast-iron guarantee of protection, it is a beneficial privacy enhanced method which reduces the risk to the individual.

In short, implementation will involve a careful balance between providing more liberties to clients and employees while ensuring the data held in the company is more secure than it has ever been.

What about law firms?

Client data is a hugely important factor of day-to-day operations, and the regulation will naturally cause some firms to fear the its implementation. While the Data Protection Act of 1998 has many similarities to the GDPR, one important change lies in the way firms communicate data breaches. Historically, businesses were under little to no obligation to reveal when a cyber-attack had taken place – leading to cases of companies revealing a loss of client data years later.

Under the GDPR, businesses will now be required to notify the Information Commissioners Office (ICO) within 72 hours of a breach occurring and they may also need to notify the individuals affected as well. While the idea of admitting when a cyber-attack has taken place can seem damaging to business operations, it is also an opportunity to showcase the procedures put in place and the defences the business has against these threats. With updated data processing, firms can identify the exact information that has been lost and using the latest encryption can ensure the data stolen is worthless to the cybercriminal.

Paying the piper – what does non-compliance look like?

Whenever discussing upcoming regulation, non-compliance becomes a key issue. Under the GDPR, failing to meet the regulation will have serious repercussions on the business. Whether it is failing to notify the ICO or having insufficient data protection methods and protocols in place, businesses that fail compliance will suffer both financially and reputationally.

Fines can be up to 4% of the firm’s annual turnover or €20 million – whichever is higher. This marks a stark contrast to the fines currently in place. For example, Carphone Warehouse’s recent fine of £400,000 over 2015 data breach pales in comparison to the changes that the GDPR will bring. With a harsher punishment for non-compliance, firms cannot ignore the regulation’s requirements.

However, it goes beyond money. If a firm is found to be non-compliant, they will be named and shamed by the regulator. For the legal sector, this reputational damage could cost the business more than the fine itself. A firm prides itself on confidentiality and trustworthiness. If the company is named and shamed, they will lose client confidence and face a long-term damage to their business.

The GDPR will affect all businesses and industries. However, the legal sector stands to lose a considerable amount if they are not compliant. It is vital to ensure that compliance goes beyond technology. The new rulings also require companies ensure they can deliver to clients while meeting the regulation’s trying demands.