WHITE PAPER

How will GDPR affect Law Firms in the UK?

What is the Background to GDPR?

The General Data Protection Regulation (GDPR) is a proposed set of rules which aim to implement a stricter and more uniform data privacy regime right across the European Union. The EU institutions agreed on the scope and detail of the GDPR towards the end of 2015 and it is due to come into force on 25 May 2018. It will replace the 1995 Data Protection Directive — implemented in the UK by the Data Protection Act (DPA) — and will supersede the privacy laws of every EU state with immediate effect.

What are the Key Points of GDPR?

Data Processors

Whereas current data protection regulations only apply to data controllers, the GDPR will extend obligations to data processors, including requirements to:

• Carry out regular data protection impact assessments;

• Implement appropriate security standards and maintain adequate documentation; and

• Appoint a data protection officer (for public authorities or controllers and processors who process large scale and/or sensitive personal data).

Data processors can be fined if they fail to fulfil their GDPR obligations — and data controllers must ensure they implement written data processing agreements with any third parties (eg. suppliers) who process any of this data.

Consent and Right to Erasure

Stricter requirements to gain explicit consent from data subjects will apply to companies who wish to hold or process any personal data. Parents will need to grant consent on behalf of any data subjects who are under a certain age (each country’s regulator will determine this age, in the range of 13 to 16 years old).

As well as tightening up the rules on gaining consent, the GDPR also gives individuals greater powers to withdraw that consent should they change their mind at a later date. It introduces a ‘right to erasure’ (otherwise known as the ‘right to be forgotten’), which essentially means that data controllers will need to delete any personal data if requested by the relevant individual.


Data Portability

Data subjects will be able to demand that any of their data held by a data controller be transferred in a “structured and commonly used and machine-readable format” — either to themselves or to a different data controller. This right is known as ‘data portability’ and can be invoked if, for example, an individual using a cloud-based software service wishes to change their service provider (ie. without losing all their data).

Breach Notifications

The relevant data protection regulator (the ICO in the UK) must be notified of any personal data breaches “without undue delay” (and within 72 hours if possible) by the data controller, once they become aware of the breach. The only derogation from this rule is where the breach is “unlikely to result in a risk for the rights and freedoms of individuals”. Furthermore, if a data breach is likely to pose a “high risk to the rights and freedoms of individuals”, the data subjects must also be notified by the data controller. Data processors, meanwhile, are required to notify the data controller of any personal data breach “without undue delay”.

Personal Data and Special Personal Data

A uniform definition of “personal data” will be applied across the EU, to include “any information relating to an identified or identifiable natural person”. Furthermore, the ambit of special personal data (more commonly known as sensitive personal data) will be extended, to encompass biometric data (eg. retinal scans and fingerprints) and genetic data. The new regulations will make it even more difficult to justify the processing of special categories of personal data — which also include “data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership” and “data concerning health or data concerning a natural person's sex life or sexual orientation.”

Data Protection Officers

Public authorities and other data controllers or processors who carry out large scale systematic monitoring of individuals, or those who handle special personal data or data pertaining to criminal convictions and offences, are required to appoint a Data Protection Officer (DPO). This DPO should have professional experience and knowledge of data protection law, and their tasks include:

• Monitoring data protection compliance within their company or organisation;

• Providing training and awareness of GDPR and other data protection duties to staff; and

• Being the first point of contact for data subjects and regulatory authorities (eg. the ICO).

Privacy by Design and Pseudonymisation

The GDPR will introduce a requirement for data controllers to “implement appropriate technical and organisational measures” when developing products, services and procedures. This emphasis on “privacy by design” is particularly relevant to the Internet of Things (IoT) and Big Data, and takes into account cybersecurity concerns.

Pseudonymisation is one way of meeting privacy by design requirements. It is defined under the GDPR as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” Technical measures such as tokenisation and hashing can be used to work towards the pseudonymisation of personal data.
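A worked illustration of the definition just quoted, added here and not part of the CenturyLink paper: direct identifiers in a record set are replaced by keyed-hash tokens, while the key and the reverse lookup (the “additional information”) live in a separate vault, so the pseudonymised dataset on its own cannot be linked back to a person. The sample records, field names and the PseudonymVault class are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample records: a small matter ledger carrying a direct identifier.
SAMPLE_RECORDS = [
    {"matter": "M-001", "client_email": "Alice@Example.com", "area": "employment"},
    {"matter": "M-002", "client_email": "bob@example.org", "area": "property"},
    {"matter": "M-003", "client_email": "alice@example.com", "area": "litigation"},
]

@dataclass
class PseudonymVault:
    """The 'additional information' of the GDPR definition: the key and the
    reverse lookup, held apart from the pseudonymised dataset (assumed design)."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    lookup: dict = field(default_factory=dict)

    def pseudonym(self, identifier: str) -> str:
        # Normalise so one person always gets one token; records stay linkable.
        canonical = identifier.strip().lower()
        # Keyed HMAC, not a bare SHA-256: e-mail addresses and client numbers
        # have low entropy, so an unkeyed hash of them can be matched against
        # hashes of guessed values. Without the key the token reveals nothing.
        token = hmac.new(self.key, canonical.encode(), hashlib.sha256).hexdigest()[:16]
        self.lookup[token] = canonical
        return token

    def reidentify(self, token: str) -> str:
        """Re-identification is possible only for a holder of the vault."""
        return self.lookup[token]

def pseudonymise(records, vault, fields=("client_email",)):
    """Return copies of the records with direct identifiers replaced by tokens."""
    out = []
    for rec in records:
        copy = dict(rec)
        for name in fields:
            if name in copy:
                copy[name] = vault.pseudonym(copy[name])
        out.append(copy)
    return out

def leaks_identifier(records, value):
    """True if the raw identifier still appears anywhere in the dataset."""
    needle = value.strip().lower()
    return any(str(v).lower() == needle for rec in records for v in rec.values())
```

The check at the end is the one a reviewer would run before treating a copy of the data as pseudonymised: the raw identifier must be absent from the dataset, and linking a token back to a person must require the vault.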


How will GDPR affect Law Firms in the UK?

The GDPR is expected to come into force on 25 May 2018. As law firms both control and process sensitive client data, it’s crucial that they are fully prepared for the new rules to come into effect. The good news is that, because lawyers are already very familiar with data protection — as they are bound not only by DPA rules but also by their commitments to client confidentiality (under the SRA rules) — they are likely to already have more robust systems and procedures in place compared to many other sectors. Therefore, they may have less work to do to ensure compliance with GDPR.

Fines and Compensation

Currently, the maximum fine which can be imposed by the ICO is £500,000. The GDPR will drastically increase the possible level of fines, up to the greater of €20 million or 4% of the total global turnover of an undertaking. Since many City firms are continuing to merge with their American counterparts (eg. Eversheds Sutherland), this threat to global turnover should make international firms take particular note of the new regulations.

Under the GDPR it will be easier for clients who suffer “material or non-material damage” due to a data breach by their firm to bring claims for compensation. Furthermore, as lawyers may often come into contact with “special” categories of personal data (eg. when handling an employment law case involving allegations of discrimination on grounds of sexual orientation), they could be exposed to the most significant fines if they fail to keep client data secure.

What about Firms which are Headquartered outside the EU?

All firms which represent clients with an EU presence, hold data pertaining to EU citizens (whether clients or third parties) or process such data will be caught by the provisions of the GDPR. Additionally, if they use any form of online advertising which involves internet-use profiling of EU citizens (in practice, this often simply means that geo-location preferences do not exclude IP addresses associated with EU countries), they can similarly face consequences under the GDPR.

How can Law Firms use the GDPR to Build their Client Base?

Firms should first get their own houses in order and prepare themselves for the impact of GDPR upon their own data protection processes, before advising clients in this regard. Not only will this enable them to better understand the practicalities of implementing any changes required under the new legislation, but showcasing optimal compliance procedures will also help them to lead (or advise) by example.

GDPR Software Tools

Bespoke software solutions can be created to help lawyers prepare for GDPR, both within their own firms and on behalf of their clients. Some of the functions of this type of software may include:

• Discovery of relevant data to help with understanding of the scale and scope of compliance;

• Supporting a data governance initiative and creating a “data map” to support GDPR processes and provide evidence of data management (eg. for audit purposes);

• Identification of data subjects and management capability to support responses to subject access, erasure and portability requests;

• Information lifecycle management initiatives to demonstrate support for control over the privacy and management of data — including data deletion and masking/pseudonymisation;

• Data assessment, roadmap development and data strategy; and

• Automation of other parts of the data management process.


©2017 CenturyLink. All Rights Reserved. The CenturyLink mark, pathways logo and certain CenturyLink product names are the property of CenturyLink. All other marks are the property of their respective owners. Services not available everywhere. Business customers only. CenturyLink may change or cancel services or substitute similar services at its sole discretion without notice.

942040617 - how-will-GDPR-affect-law-firms-in-uk-whitepaper-uk-wp170197

Global Headquarters: Monroe, LA, (800) 784-2105
EMEA Headquarters: United Kingdom, +44 (0)118 322 6000
Asia Pacific Headquarters: Singapore, +65 6768 8098
Canada Headquarters: Toronto, ON, 1-877-387-3764

Will Brexit affect the Adoption of GDPR in the UK?

Negotiations are expected to take at least two years between the triggering of Article 50 and the UK formally exiting the European Union. As such, the GDPR will directly apply to the UK for a good 10 months following its coming into force at the end of May 2018. Furthermore, just as with any other non-EU country, the regulations will continue to apply to British law firms — even post-Brexit — unless they cease to work with clients within the EU.

How should law firms be preparing for the introduction of GDPR?

• Awareness – make sure key personnel are briefed on the main points of the GDPR relevant to their area.

• Impact assessment – carry out a comprehensive analysis of your current data protection measures. Consider any measures you will need to take to ensure compliance under the new regulations.

• Audit – review your contracts and policies and update these in advance of GDPR. Examples include: adding a clause in contracts with third party data processors asking them to notify you immediately of any data breach; and tightening up staff data protection policies to meet the new regulatory requirements.

• DPO – appoint a Data Protection Officer if necessary.

• Design – ensure that you take account of data protection principles if you are creating a new product or service, updating your IT systems or revising procedures.

• Training – make sure that staff at all levels of your firm have sufficient awareness of how data protection issues may relate to their particular roles, and provide sufficient training to promote compliance.

• Advice – obtain external advice (if you do not have data protection lawyers in-house) well in advance of 25 May 2018. Similarly, an IT consultant who understands the forthcoming rules can review your existing IT systems and make sure they meet the new requirements.

Professional IT services (such as CenturyLink Cognilytics) can provide the skills to install, manage and configure the GDPR software tools described above and interpret the results.

Firms which decide to use these types of software tools to increase the efficiency of their own GDPR preparations can also differentiate themselves by offering the same tools to their own clients. They may choose to run this software themselves, included in their service offering to clients — or they can licence the tools, for example in the form of a SaaS/cloud product. Alternatively, the GDPR software could be offered to clients direct from the IT provider, with the firm charging a referral fee.