It is just nine months until the General Data Protection Regulation (GDPR) comes into force in the UK, introducing much tighter rules and legislation around the way in which organisations obtain and hold data on individuals.
The GDPR is a new framework for data protection laws – it replaces the previous 1995 Data Protection Directive which current UK law is based upon. The EU's GDPR website says the legislation is designed to "harmonise" data privacy laws across Europe, as well as give greater protection and rights to individuals. Within the GDPR there are large changes for the public as well as businesses that handle personal information. GDPR comes into force prior to Brexit, and even after the UK’s exit from the EU the UK draft Data Protection Bill 2017 is expected to have been passed, enshrining the equivalent provisions into UK law.
Such a huge change to the way organisations manage data will be alarming for legal businesses small and large, and preparing to meet these changes will be a challenge for the vast majority. With no set rules on how to go about ensuring your data and processes are compliant, it can seem to be a minefield of information. With severe penalties in place for those who do not comply, we understand that the question of how to prepare for GDPR will be something keeping our customers awake at night.
In this latest GDPR blog we take a look at the key areas that law firms should be thinking about in their journey to compliance:
Data Retention
The Data Protection Act of 1998 requirement that data be kept for no longer than is absolutely necessary remains largely the same under GDPR. Lawyers are of course used to rules about the period for which files should be retained. So why is the GDPR implementation something to be concerned about? GDPR introduces higher standards of maintaining records about data. On request, the controller will have to provide evidence of their safeguards. This will affect the sanctions imposed in the event of a data breach. The Information Commissioner’s Office (ICO) says “having a disposal schedule is an example of good records management practice”. Having clear procedure on which staff are trained, and which is adhered to, will not only help your compliance but can also have an impact on system performance.
Do now: Ensure that you have a clear policy, which everyone has been trained on and understand that when you open or close a file, think about the destruction date. Think about paper and electronic files. How much of the detail do you really need to keep to be able to do future conflict checks – it’s probably less than you currently keep.
One of the key things that firms and chambers will need to think about on their journey to compliance is how they approach data retention going forward. Under the GDPR, legislation states that data shall be “kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data is processed.” This means that data cannot be retained any longer time than is necessary, with a requirement to inform the data subject about the retention period if required. Data must then be deleted when legitimate purpose expires, so there needs to be a process in place so businesses know when this should happen. These changes mean that there can no longer be a relaxed approach when it comes to the data stored within systems, and firms need to be sure that personal data is stored and maintained in a way that is compliant.
Data Audits
All businesses should see the impending implementation as a deadline to audit their data processes. Throughout GDPR there is emphasis on maintaining records of processing.
If you will need to, or indeed choose to, appoint a Data Protection Officer (DPO) under the regulations, get them in place now. Assess all processing of personal data, determine on what basis the data is processed and consider whether there is sensitive personal data. If data is held by consent of the subject, where is that recorded and updated? Don’t just think about client data, think about employees or contractors as well.
Data audit should consider all of the places data may be stored or used. Consider all of the software involved and if that software - whether from Advanced or elsewhere - has clear guidance on how you can use it to assist in your compliance. We will be providing further product specific guidance over the coming weeks.
Consider who has access to the processed data, whether that is necessary for each member of staff or if you could limit it.
Have you got clear policies in place for data processing? Do all of your staff know what they are and where to find them? Is this part of new staff induction and are long serving staff members regularly refreshed?
Do now:
- Consider whether you should appoint a DPO
- Begin your data audit
- Check and update your policies
- Train staff
Subject Access Requests
Another key area for concern which will emerge from all of this is around Subject Access Requests. Although this isn’t something which happens frequently within the legal sector at the moment, this could potentially change over time with stricter regulations around the way businesses hold and manage personal data within their systems.
For more detailed information, tips and guidance on how to deal with Subject Access Requests under GDPR, take a look at our dedicated blog.
Client Care Letters
One thing that solicitors’ firms should pay particular attention to are the changes that might need to be made to their Client Care Letters. GDPR will require firms to review their standard templates and adjust sections which are affected by the new data protection rules. In addition to this, GDPR will need to be addressed within the letter, outlining how the firm is adapting to changes around data, what will happen to personal data after a certain time period and how clients can find out what personal data a firm holds. Client Care Letters represent what your firm is offering to a client and give a clear outline of the approach you will be taking; by ensuring that your compliance with data regulations is adhered to and clearly outlined in these letters you will build trust.
The legal market is far from immune to the concerns and challenges that all commercial organisations across the country will be thinking about as they look ahead to the incoming changes. Doug Hargrove, Managing Director of Advanced Legal comments; “As the leading provider of legal software to the solicitors’, barristers’ and coroners’ market we understand that the incoming GDPR legislation will be daunting for professionals across the legal sector. At Advanced we have market and solution experts who have reviewed the GDPR in a large amount of detail and are putting the necessary work into our solutions to ensure your journey to compliance is as seamless as possible.”
Legal businesses can find a range of vast and in-depth information and guidance provided by the ICO providing ideas for your compliance journey, lessons learnt and tips for your own get-well programme
