Law firms urged to get 'houses in order' over GDPR compliance
Insurance specialist sets up data protection taskforce to carry out full risk assessment
Law firms that are not already taking steps to comply with new data protection laws must get their “houses in order” and “not bury their heads in the sand”, experts have warned.
This week, digital minister Matt Hancock MP published a statement of intent about the new Data Protection Bill, which will implement the EU General Data Protection Regulation (GDPR) and the Data Protection Law Enforcement Directive, as part of ensuring Britain’s privacy laws are fit for the digital age. As a result, the Data Protection Act 1998 will be repealed.
The new Act, which is due to be introduced this Autumn, will strengthen privacy rights of individuals by ensuring they have greater control over their personal data, while organisations and their data controllers will be held to greater account as to how that data is used.
Should organisations commit any breaches, the Information Commissioner will be allowed to issue fines of up to £17m or 4 per cent of global turnover, a significant increase on the current maximum fine of £500k.
Rick Preston, partner and head of intelligence services at insurance law specialists Horwich Farrelly, told Solicitors Journal that law firms should already be taking steps to ensure they will be compliant with the GDPR, which will automatically come into force in the UK from 25 May 2018.
“All law firms have to get their houses in order. There’s no point waiting now. For a lot of firms, they’re just going to sit and wait, but you can’t do that when GDPR is coming in next year. You have to work towards that now and when the bill is enacted, make those changes at that point.
“Due to size of the task, many firms may bury their heads in the sand, but there’s no getting around it. It will be a major change requiring a lot of resource for every firm – it must be taken extremely seriously. The size of the firm will not make a difference when it comes to compliance; there’s no higher standard for one or the other.”
Horwich Farrelly has set up a GDPR taskforce, which is carrying out a full risk assessment of the whole business to ensure compliance. The task force comprises compliance teams, operational teams, IT staff, heads of department, the CEO, and a new data protection officer.
“The whole thing about GDPR is not being reactive,” said Preston. “Previously, if there was a breach, you could go in and see what the problem is, but the obligation now will be to document the processes, procedures, and safeguards all in advance.
“Consent is a big part of GDPR and how you deal with it, so we have to look at client data and non-client personal data, claimant data, and whether we have the appropriate consent to process that data. The obligation is on us to notify the data subject that we will be processing that data and the specific nature of the processing of that data. This isn’t always easy when you’re dealing with third-party data.”
Added value
Christopher Coughlan, an associate and head of data protection and privacy at Ashfords, also told the journal that due to the volume of changes being introduced by the Data Protection Bill, solicitors and other professionals should already be preparing for compliance.
“This is particularly crucial for law firms, who tend to hold large quantities of personal data, including sensitive personal data,” he added.
“In light of the increased liability and specific contractual requirements under the Data Protection Bill, firms should review their agreements with existing suppliers to ensure that they are compliant with the standards required. As well as being a regulatory issue, it’s important to be aware that good data protection will also add value to your firm.”
Vicky Bowles, head of knowledge management at Stone King, said the area she and other law firms will be most concerned with marketing and mailing lists because consent will be needed to send individuals information.
“Previously, we haven’t had the same level of regulation to make sure that you’ve got consent. So now, it’s about knowing your data extremely well and knowing where all your customer information came from, and working that through. We’re feeling the pressure as a law firm that advises on this to lawyers. We have to get it 100 per cent right.”
Heavy fines
Writing in the first of a series of blog posts entitled ‘GDPR - sorting the fact from fiction’, Information Commissioner Elizabeth Denham has dismissed concerns that increased fines are the biggest threat to companies under new data protection law.
“This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that. Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point.”
Denham said it was “scaremongering” to suggest that the Information Commissioner’s Office (ICO) will be making early examples of firms for minor infringements or that maximum fines will become the norm.
“The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”
She added that while fines “may be the sledgehammer in our toolbox”, the ICO has access to other tools that are just as effective.
“Like the DPA, the GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders. While these will not hit organisations in the pocket – their reputations will suffer a significant blow.”
Matthew Rogers, reporter