How the GDPR will impact law firms and what lawyers need to know
As a lawyer looking to grow your firm, it’s vital that you understand the impact of the new General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
The GDPR will come into effect on May 25th, 2018, replacing the data protection directive of 1995 (officially Directive 95/46/EC). GDPR aims to give control back to citizens and residents over their personal data, and to simplify the regulatory environment for international business by unifying the regulation within the EU.
When it comes to confidential and highly personal data, law firms store a lot of information. As such, they have a greater responsibility to keep data safe and take accountability for how data is collected, stored and used. For law firms, it will be important to understand how you collect, store and use personal data of your clients and employees in order to ensure compliance.
How will the GDPR impact my law firm?
If your practice collects, stores or uses EU citizens’ personal data, you are subject to the GDPR.
Fines for non-compliance can be up to 4% of annual worldwide turnover or €20 million, whichever is greater.
GDPR defines parties as either “controllers” or “processors”. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. For example, a controller could be any law firm, while a processor could be an IT firm doing the actual data processing.
It is important to note that even if your firm is based outside the EU, the GDPR will still apply so long as you deal with personal data belonging to EU citizens.
What lawyers need to know
Here are just a few of the new obligations that law firms will need to consider:
The GDPR places greater emphasis on accountability. This means you must have an accurate record of the data you hold and be able to demonstrate how it was collected and whether the collection is “lawful”.
Furthermore, you must be able to demonstrate that you are managing personal data in a manner compliant with the regulations. Firms must be able to supply, on request, the details of the data they hold and how it has been used.
Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. Law firms will need to review how they collect and record consent.
Under the GDPR, you need to identify a lawful basis before you can process personal data. It is important that law firms determine their lawful basis for processing personal data and document it.
The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA. Law firms will need to ensure they allow individuals to exercise a range of individual rights, including the right to be forgotten, right of data portability and right of access.
It’s safe to say that with the GDPR, data protection is no longer the responsibility of IT. The protection of personal data must be considered and embedded in your law firm’s processes, from Marketing to HR and Business Development. In the coming weeks, we’ll be providing more information on how law firms can prepare for the GDPR.