What is the GDPR?
The EU General Data Protection Regulation (GDPR) modernises data protection law and comes into force in the UK and EU Member States on 25 May 2018. It imposes stringent accountability and transparency obligations on data controllers including mandatory reporting of data breaches.
The GDPR will replace the current Data Protection Act 1998. The new regulation is an evolution of the current data protection framework, with which law firms should already be compliant. A new data protection bill is currently making its way through parliament, and you can now track its progress.
How to prepare for the GDPR
The regulation introduces new elements and significant enhancements, which means that every organisation will have to start doing some things for the first time and also change some current processes. The EUgdpr.org website provides a useful summary of the changes brought by the GDPR.
The Information Commissioner’s Office (ICO) produces a more detailed monthly summary of what’s new.
Subscribing to ICO’s newsletter is a useful way to keep informed.
Data controller or processor?
Before starting to follow the 12 steps, determine whether your firm processes personal data as a ‘data controller’ or a ‘data processor’, and then complete the ICO’s checklist for data controllers and/or processors. Law firms will generally be data controllers.
Follow the 12 steps
While the new regulation is extensive, the ICO has published a 12-step guide that we strongly recommend you use to work towards compliance in bite-size stages.
Given the scale of the changes, you should consider appointing an individual to act as the business lead for your GDPR project. This does not necessarily have to be someone with data protection expertise.
While most law firms will not be required to appoint a data protection officer (DPO), we recommend that the first of the 12 steps that practices take is to consider the voluntary designation of someone with appropriate expertise and resources to lead on GDPR compliance.
Thereafter, we suggest completing the information audit (step 2) to identify and document all of the personal data that your firm processes.
Access our guidance on appointing a DPO