
Are you GDPR ready? Start here

20 February 2018

The General Data Protection Regulation comes into force on 25 May 2018 in the UK, and yet recent research has found that only 25 per cent of law firms believe they are in compliance. If you haven’t started planning for it yet, this is where you should begin.


Law firms hold vast amounts of sensitive data on their clients. Should a data breach occur, the regulator, the Information Commissioner’s Office (ICO), can impose a fine of up to four per cent of global turnover or €20m, whichever is the higher.

Undertaking a thorough review of how you currently process and hold data should be a priority for every law firm right now, to ensure that you don’t fall foul of the new law. If you haven’t started yet – don’t panic. There is still time to plan and implement a compliance programme.

Mind the gap

A good starting point is to carry out a gap analysis to work out where existing compliance is good, and where there are likely to be difficulties in complying with the GDPR. Then your incremental compliance plan can be put together.

1 Review all existing contracts with your suppliers to see if they are handling personal data

  • Do you have a cloud-based case management system? If so, what would happen if there were to be a data breach on that system? Would the supplier notify you, and would they help you to comply with the 72-hour breach notification requirement under article 33 of the GDPR?
  • You may have an HR system that manages all your staff’s details – is that contract GDPR-compliant?

2 Carry out an independent review of any insurance policies, to see what is and isn’t covered

Consider:

  • Will your existing policies cover you for regulatory breaches?
  • Will they cover you for a loss of turnover in the event of a data breach?
  • Will they cover you for a subsequent loss of staff?
  • If your credit rating is affected due to a data breach, are you covered for that?

3 Staff, from partner-level down, are fundamental to ensuring GDPR-readiness

Make staff aware that, in addition to the possibility of fines against their employer, criminal sanctions are available where employees, wilfully or negligently, are responsible for data breaches. All staff need to understand what the risks are, both to the firm and to them.

Some things to be aware of:

Both digital and hard-copy personal data needs to be protected.

  • Consider the visibility of your offices from the street: are client details visible on computer screens?
  • Are client cheques, with their account details on them, left on desks, and if so, are they visible from the outside?

The dangers of collaborative or agile working

  • Public wifi. Consider the risks associated with working in public spaces using free public wifi. There are a number of privacy solutions for employees who work remotely. Employees should be encouraged to use only secure wifi at home or the office, and if travelling, to consider the use of a privacy screen on their device.

GDPR benefits for individuals

Compliance: an ongoing obligation

Neil Ford from IT Governance explains the compliance challenges: ‘With three months until the GDPR comes into effect, firms that haven't started their compliance project face a number of challenges. Some of the most important areas to address are data protection governance, risk management and information security management’ (see IT Governance’s blog 10 things you must consider for GDPR compliance).

Risk management

The Information Commissioner’s Office will want to see that a firm has considered the relevant risk or issue, can give reasons for its existence and evidence of the steps taken to address it. Oz Alashe explains: ‘While there has been lots of comment on the potential fines under the GDPR, in reality, if an organisation can demonstrate it has the technical and organisational controls in place to prevent a breach, the ICO is unlikely to impose a fine.’

Compliance should not be seen as a one-step process, but as a regular ongoing feature of a firm’s compliance framework. Having a proactive relationship with the ICO through regular communication can also pay dividends down the line, should a breach occur.

Do you need a data protection officer?

Article 37(1) of the GDPR requires a data protection officer (DPO) to be designated if the data processing activities of an organisation involve regular and systematic monitoring of data subjects on a large scale, or the processing of special categories of data on a large scale.

While some law firms may be required to appoint a DPO, even for those that don’t have to, it may still be worth making a voluntary appointment.

The Article 29 Working Party has further guidance on the appointment of a DPO. The Law Society will also be issuing guidance shortly on DPOs. The guidance will be published as a work in progress and comments will be welcomed.

Information security management

Make sure all your data is encrypted. Secure all devices, including printers, by changing passwords. If all else fails, review how you are exchanging information with your client, and consider buying an off-the-shelf product that allows a secure, encrypted exchange of information. The Law Society Cyber Security Toolkit provides further guidance.


Views expressed in our blogs are those of the authors and do not necessarily reflect those of the Law Society. CybSafe and IT Governance are both Law Society cybersecurity partners.

Further help:

  • The Law Society’s dedicated cybersecurity and scam prevention page, where you can sign up to the cybersecurity news digest relevant to the legal sector, find information on endorsed cybersecurity providers, and see relevant Law Society training, events and guidance
  • Solicitors Regulation Authority on cybersecurity
  • The ICO’s ‘12 steps to take now’ checklist, as well as its other online resources and details of monetary penalty notices and assessments

Tags: cyber security

About the author

Maria Shahid has worked as an editor and journalist for nearly 20 years. She has an in-depth knowledge of the legal and property sectors and has written for and edited trade publications including the Law Society Gazette, Legal Business, Legal Week, Property News and Property in Practice. She writes for clients in the legal, property and insurance sectors. Before becoming a journalist, she qualified and practised as a solicitor in the City and West End.
