General guidance on GDPR

What is the GDPR?

The EU General Data Protection Regulation (GDPR) modernises data protection law and comes into force in the UK and EU Member States on 25 May 2018. It imposes stringent accountability and transparency obligations on data controllers including mandatory reporting of data breaches.

The GDPR will replace the current Data Protection Act 1998. The new regulation is an evolution of the current data protection framework, with which law firms should already be compliant. A new data protection bill is currently making its way through parliament, and you can now track its progress.

How to prepare for the GDPR

The regulation introduces new elements and significant enhancements, which means that every organisation will have to start doing some things for the first time and also change some current processes. The EUgdpr.org website provides a useful summary of the changes brought by the GDPR.

The Information Commissioner’s Office (ICO) produces a more detailed monthly summary of what’s new.

Subscribing to ICO’s newsletter is a useful way to keep informed.

Data controller or processor?

Before starting to follow the 12 steps, determine whether your firm processes personal data as a ‘data controller’ or ‘data processor’, and then complete the ICO’s checklist for data controllers and/or processors. Law firms will generally be data controllers.

Follow the 12 steps

While the new regulation is extensive, the ICO has published a 12-step guide that we strongly recommend you use to work towards compliance in bite-size stages.

Given the scale of the changes, you should consider appointing an individual to act as the business lead for your GDPR project. This does not necessarily have to be someone with data protection expertise.

While most law firms will not be required to appoint a data protection officer (DPO), we recommend that the first of the 12 steps that practices take is to consider the voluntary designation of someone with appropriate expertise and resources to lead on GDPR compliance.

Thereafter, we suggest that firms complete the information audit (step 2) to identify and document all of the personal data that they process.

Access our guidance on appointing a DPO
