
Data protection for the 21st century: Here’s what law firms need to do to comply with GDPR

12 September 2017

The GDPR (General Data Protection Regulation) is a buzzword in the legal sector at the moment, and you may well be sick of hearing about it – but that doesn’t make it less important an issue for firms to address. 
You probably already know that the legislation comes into force in May 2018. You have probably also heard about the potential sanctions for companies that do not comply with it: fines of up to four per cent of worldwide annual turnover, or €20m, whichever is greater. It might all seem like a huge and unnecessary compliance burden. But do you know why the changes are being made, and how they will benefit individuals, including you?

Why are the changes being made and how do individuals benefit?

Since 1995, when the Data Protection Directive became law, there has been a massive adoption of the internet and social media, and of technology such as smartphones and tablets. Businesses, meanwhile, are using ever more sophisticated processes to analyse and track individuals' online behaviour to increase the effectiveness of their marketing activities and drive sales. Many practices are so complex and/or opaque that the average person may struggle to fully understand how their personal information is being used, let alone be able to control businesses' use of it.

Data protection legislation is now over 20 years behind this trend. It needs to be updated to take account of the major changes in how we share our own data and how businesses use it.

Rather than being simply pointless European red tape, the GDPR aims to redress the balance in favour of the individual, by enshrining the protection of personal data as a fundamental human right.

If the European Commission fulfils its ambition, in the coming years we are likely to see a seismic shift as the use of personal information becomes a highly regulated activity.

What do law firms need to do about it?

1. Learn the basics

If you are responsible for your organisation's compliance and are starting from zero, it is essential to gain at least a high-level understanding of the GDPR, its scope and its requirements. A crucial starting point is to understand the key concepts and principles. The ICO provides a wealth of information on its website, while for lawyers (whether in private practice or in-house) The Law Society provides a range of information including webinars, conferences and publications.

2. Set the tone from the top

A compliance program that is not supported and adequately resourced by the organisation's highest level of management is doomed to failure. Your organisation's management must be aware of the implications of the GDPR, invest in the appropriate resources necessary to enable compliance, and set the appropriate 'tone from the top'.

3. Identify your data

Organisations must be able to identify the personal information they hold about their employees, customers and suppliers, how it is used, and the systems in which it is stored. The level of risk will depend on the nature of the business: for example, a private clinic is likely to hold a large volume of sensitive information about individuals, while a wholesale manufacturer may hold only limited contact details for a relatively small number of business customers.

4. Check your use of data is compliant

There is a lot of misinformation in circulation concerning the requirement for consent. The GDPR imposes stringent requirements upon organisations when they rely on consent in order to process individuals' information. However, consent is not the only legal ground for processing. There are many others. As well as establishing a legal basis for using personal information, organisations must also ensure that their use is in line with the other principles of the GDPR, such as data minimisation, storage limitation, and use in accordance with individuals' rights.

These steps will set the ball rolling on what, for many organisations, is likely to be a long journey. As data protection becomes a highly regulated activity, this is a very important exercise, and with less than a year before the GDPR takes effect, a very urgent one.

My book is aimed at private practice and in-house lawyers seeking to gain a detailed understanding of the GDPR. It explains the key concepts and their practical application, with comparisons against the Data Protection Directive, and incorporates applicable European guidance.

Take a look at James' new book EU General Data Protection Regulation A Guide To The New Law

Read Neil Ford on how to Keep your papers under wraps for GDPR compliance

Anna Drozd, our EU policy advisor, discusses Your money or your data: 4 reasons to comply with GDPR

Read Peter Wright on the GDPR requirement to notify the Information Commissioner's Office (ICO) of a data breach within 72 hours

Explore our GDPR resources

Tags: risk

About the author

James Castro-Edwards is a partner and the head of data protection at Wedlake Bell. He advises organisations in the private, public and third sectors on data protection issues. His experience includes managing global data protection compliance projects for multinational companies, providing advice on discrete data protection issues and advising companies that have suffered a data breach.
