Law firms must prepare for GDPR

Complying with the new GDPR provisions will also add value to your firm, says Christopher Coughlan

With less than a year until the General Data Protection Regulation (GDPR) takes effect on 25 May 2018, solicitors and other professionals should already be preparing for compliance.

This is particularly crucial for law firms, which tend to hold large quantities of personal data, including sensitive personal data. The GDPR took four years to finalise and is a complete overhaul of data protection, so a detailed discussion of it is beyond the scope of this article.

However, with potential fines of up to the greater of €20m or 4 per cent of a company’s global turnover, breach notification obligations and increased accountability, GDPR compliance will be crucial for all professionals.

The right of an individual to request copies of their personal data in permanent form, as part of a subject access request, is expanded under the GDPR to include the right of erasure (‘the right to be forgotten’), and a right of rectification, which will place obvious administrative burdens on firms.

The length of time in which firms will have to respond to subject access requests is reduced from 40 days to 30 days under the GDPR, and firms will no longer be entitled to charge the £10 fee for the subject access request.

The GDPR includes breach notification provisions which apply to both controllers and processors. Firms will be under an obligation to report a breach of security that leads to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

When acting as a processor, a firm must report all breaches to the controller without undue delay. When acting as controller, a firm must report all breaches (subject to certain exemptions) to the Information Commissioner’s Office (ICO) without undue delay and within 72 hours of becoming aware of the breach.

Where there is a high risk to the rights and freedoms of individuals there will be an obligation to notify the individual concerned as well as the ICO.

The recent trend towards outsourcing, in conjunction with the outcome-focussed regulation of the legal services industry, has resulted in the Solicitors Regulation Authority releasing guidance as to how law firms can ensure that client data is protected.

Increased fines for data controllers (and the introduction of penalties for data processors) have heightened the risk faced by law firms in relinquishing control over client data. A maximum fine of the greater of €20m or 4 per cent of a company’s global turnover for failure to comply is a significant exposure for firms.

In light of the increased liability and specific contractual requirements under the GDPR, firms should review their agreements with existing suppliers to ensure that they are compliant with the standards required under the GDPR.

The volume of changes being introduced by GDPR means that firms should have started preparing by now. As well as being a regulatory issue, it’s important to be aware that good data protection will also add value to your firm.

Christopher Coughlan is head of data protection and privacy at Ashfords

@Ashfords_Law www.ashfords.co.uk
