Do you know what the GDPR means for your practice? – Sponsored by Legal Eye
The GDPR is set to impact the legal sector in a big way.
Coming into force on the 25 May next year, the General Data Protection Regulation (GDPR) aims to increase security on personal data and improve protective measures for consumers.
Although its main focus will be on introducing new rights for citizens, it’s businesses that will need to prepare for its implementation and ensure that their current processes comply with the new regulation.
With the regulation being highlighted at our recent Editorial Roundtable by Legal Eye’s Paul Saunders, it’s been made clear that the will writing profession will not escape its impact.
Given the existing responsibility that will writers have to protect clients’ data, the introduction of the GDPR means that this is only set to increase. Therefore, it’s vital that private client solicitors and will writers understand the importance of the new regulation and ensure that their business complies with all its requirements.
What is the GDPR?
Applying to the processing of personal data, every organisation operating in the European Union that offers goods and services will be subject to the regulation. Whilst we may have made the decision to leave the EU last June, departure is scheduled for 2019 – this means it will still apply to the UK. Replacing the existing Data Protection Act, the UK Data Protection Bill will implement the GDPR in UK law.
The GDPR will also harmonise the definition of ‘personal data’ across the EU, to encompass “any information relating to an identified or identifiable natural person”. In addition, the remit of sensitive personal data will extend to include genetic as well as biometric data.
What will it affect?
In simple terms, the GDPR will require consent to be obtained before any data can be processed. The aim of this is to protect the consumer, ensuring that they know what they are opting in to and preventing businesses from tricking them into providing personal data.
To comply with this, companies are required to use clear and straightforward language when requesting consent – this must be done in a way that ensures that the consumer knows what they’re signing up for.
The regulation also requires consumers or ‘data subjects’ to have access to the information which they are providing. Designed to give users more rights over the data stored about them, businesses holding the data must be able to provide a copy of this in electronic form, as well as being able to clearly justify why it was being held in the first place.
One of the most significant aspects of the GDPR – for citizens and businesses – is that it will require the data of an individual to be completely erased should they request it to be. As this data may have been passed on, it may require businesses to also stop third parties from processing the data too.
What are the consequences of non-compliance?
This is the part of the GDPR to receive the most media attention – and it’s not hard to see why. The respective regulator in each jurisdiction is given the power to fine businesses that fail to comply with any aspect of the GDPR, with the amount rising with the seriousness of the breach. The legislation states that whilst minor offences could lead to a company being fined €10 million, a more significant breach could result in a fine of up to €20 million. Comparatively speaking, these sums are considerably greater than the fines that the ICO can currently issue under the Data Protection Act.
At the recent COLP//COFA Conference held by the SRA, the ICO stated that prior to a decision being made, every case would be considered individually, with the regulator looking at the sensitivity of the information as well as the risk to the individual’s rights and freedoms.
Despite these considerably serious consequences, recent research has indicated that three-quarters of law firms are unprepared for the soon-to-be-implemented GDPR. According to the survey conducted by CenturyLink, a fifth of firms claimed that they had experienced an attempted cyber attack, with under a third of IT directors stating that they felt fully compliant with the relevant legislation.
As well as being alarming, these statistics also highlight the need for businesses to take immediate action and not leave compliance and preparational measures to the last minute.
Commenting on this point was Managing Director of Legal Eye, Paul Saunders.
“This report backs up our figures which show only 11% of law firms are ready for GDPR. Law firms shouldn’t be frightened of GDPR, and if they are unsure of how to prepare for GDPR they should call in expert help.”
How will the GDPR impact will writers?
When the GDPR comes into force, businesses – yours included – will become more accountable for how they handle the personal information of clients. Given that businesses in the legal sector both control and process sensitive data, it’s even more important that they know how to prepare ahead of the GDPR’s implementation.
Whilst the thought of new regulation may seem intimidating, it’s important to remember its wider purpose. For a start, it’s very likely that you’re compliant to a certain degree, particularly if you’re a member of a voluntary body and are adhering to the Data Protection Act.
Rather than worry about the implications of non-compliance, it’s important that businesses take the necessary steps now to ensure they’re prepared for May 25. Assessing internal processes is a good place to start, as well as looking at how data is currently obtained and stored. Not only will this help with compliance in the long run, but it can also refine business practices to become more efficient and effective. In turn, businesses are able to see the implementation of the GDPR as an opportunity to improve rather than a burden.
Highlighting the positive impact that the new regulation could bring to businesses was Karen Babington. The Managing Director of Solve Legal Marketing stated:
“The approach to GDPR is entering a new phase. The focus should not be on the fear-imposing fines and should be focussed on the profit increasing potential of protecting your business by doing a job properly.”
The required steps will differ depending upon the size of the business and the amount of data processed, with larger businesses needing to maintain documentation of why information is being used, how it’s held, and what measures are in place to protect it.
A data protection officer (DPO) will also need to be appointed where a business regularly processes a lot of sensitive personal data, acting as the first point of contact for data subjects as well as the regulator.
On a broad level, a summary of the recommended steps is as follows:
- Observe and review how data is currently collected
- Nominate a Data Protection Officer (this can be outsourced if needed)
- Ensure processing methods are prepared
- Keep records to illustrate continual compliance
- Observe and review consent and data protection notifications
The UK’s regulator – the ICO – has also stated that it will be setting up a phone service to help small businesses prepare for the regulation, as well as releasing a 12-step guide.
This article is sponsored by Legal Eye.