GDPR 1 Year on – Is your law firm compliant?
Last year, the General Data Protection Regulation (GDPR) came into effect on May 25th, 2018, and replaced the UK’s Data Protection Act 1998 (DPA). It required organisations to improve how they managed the personal data they held and gave people stronger rights to access the information held on them.
What did this mean for law firms?
Whilst there was some worry surrounding the new requirements, most law firms would already have been compliant with large parts of the GDPR, as it largely matched what they should already have been doing under the previous DPA or the SRA’s Code of Conduct. However, the new regulation required organisations to have better data privacy procedures in place or risk punishment, with much tougher fines now in place for those that fall foul of the new rules – up to £17 million, or 4% of overall income, compared to £500,000 under the DPA.
Brexit and GDPR
Even though the UK is planning to leave the EU, the UK will still need to comply with the GDPR, and Brexit will not affect the new regulation, as the government has confirmed it will fully incorporate it into UK law. Furthermore, it is important to note that even if your firm is based outside the EU, the GDPR will still apply if you deal with personal data belonging to EU residents.
GDPR Recap – What was required?
- A greater emphasis was placed on accountability, meaning that all organisations were required to keep an accurate record of the data held and be able to demonstrate how it was collected and whether the collection is “lawful”.
- Under the GDPR, for a person’s information to be held, their explicit consent must be given, defined as being “freely given, specific, informed and [an] unambiguous indication of the data subject’s wishes.”
- Law firms should have reviewed how they collected and recorded consent. Consent must be verifiable, and the firm must be able to supply, on request, the details of the data it holds and how that data has been used.
- Information can only be used for the purposes for which consent was originally given. Marketing materials, for example, cannot be sent unless the law firm has received specific consent to do so.
- Individuals must be allowed to exercise a range of individual rights, including the right to be forgotten, the right of data portability and the right of access.
- Clear instructions on how to withdraw consent, and the right to do so at any time, must also be in place.
The Law Society provides some further information and guidance for law firms on the GDPR.
GDPR compliance audit check
As recapped in the overview, the GDPR gives people stronger rights over the data held on them and places greater responsibility on the organisations that hold that data. A law firm must practise better data management and put in place a stronger set of processes to protect personal data, from marketing to HR and business development.
To ensure this, every law firm should audit what data it holds and for what purpose, bearing in mind that this also covers information held on employees and not just client data.
Once it has been determined what obligations attach to that data, and whether it needs to be deleted, stored or disclosed, a data management plan can be put into action.
It is also important that security is taken seriously. Compliance goes hand in hand with the stronger rights of access to data, so law firms must know where information is kept and ensure that appropriate steps are in place to better protect the data they hold.
Cyber security and Insurance
Under the GDPR, law firms have a duty to quickly notify the regulator, and the affected individuals, of an information loss if it affects their “rights and freedoms”. The GDPR requires organisations to have “robust” breach detection and investigation procedures in place. Whilst a PI policy will provide cover against third party claims, including loss of client money, loss of client data or defamation, an additional cyber security policy would provide protection above and beyond that offered by PI insurance.
Are you looking to renew your Professional Indemnity Insurance? Are you interested in finding out more about a cyber security policy? If so, don’t let the run-up period, where you can negotiate the best prices, pass you by.
Let The Strategic Partner help you find the right insurer and price for your firm. Renewing your Professional Indemnity Insurance can be a burden, but it is essential. Leaving this to the last minute could result in your firm paying higher premiums because the insurer and you have not had sufficient time to discuss your firm and your risk profile. You and the insurer need time to understand and discuss your firm.
To obtain a no-obligation quotation, you can email us your current proposal form or last year’s proposal form. We will then obtain indicative terms for you. It is as simple as that.
Need Regulation and Compliance assistance?
Through both our direct services and our partner firms, we can deliver a whole range of regulation, compliance, risk management support and business services to assist you.
Working with you, we will provide your law firm with regulatory compliance advice and help you implement a detailed regulation and compliance programme, ensuring that your firm and your staff are fully aware of their obligations under the various rules a law firm is required to follow.
We also offer an ongoing maintenance programme involving audits and onsite training to ensure that your firm is up to date and remains compliant at all times.
Click here to find out more about our regulation and risk management services