How to prepare for GDPR part 1: Awareness and implications
This is the first in a five-week series of articles with advice on how to prepare for the GDPR.
This week focuses on introducing you to the GDPR and its implications for law firms.
What is the GDPR?
The EU General Data Protection Regulation (GDPR) modernises data protection law. It applies across EU member states, including the UK, from 25 May 2018.
The GDPR replaces the current EU Data Protection Directive, which was transposed into UK law as the Data Protection Act 1998. A new Data Protection Bill is currently making its way through parliament.
The GDPR is an evolution rather than a revolution in data protection. However, it imposes stringent accountability and transparency obligations on data controllers, including compulsory notification of personal data breaches.
What does it mean for law firms?
The GDPR applies to law firms as it does to other data controllers. Law firms should already be compliant with the Data Protection Act 1998 and this will provide a good foundation for achieving GDPR compliance.
Law firms should follow the Information Commissioner's Office guidance on preparing for the GDPR: 12 Steps to Take Now.
Who in your firm is in charge?
The Law Society recommends that law firms appoint someone with appropriate expertise and resources to lead on GDPR compliance. You may wish to read our guidance on Appointment of a Data Protection Officer. This should be actioned as soon as possible to ensure your firm has time to prepare appropriately.
Who needs to be aware of GDPR?
As well as ensuring that everyone in your firm understands the parts of the GDPR relevant to their role, you should also ensure that organisations with whom you share personal data, or who process personal data on your behalf, are aware of their obligations.
Firms will be responsible for the actions of their employees and for the personal data they share with other parties. Ensuring compliance will be the responsibility of everyone in the firm.