The General Data Protection Regulation will introduce new reporting requirements and financial penalties with regard to data breaches. Anna Drozd, EU professional practice policy advisor, and Arfah Chaudry, intern, look at the key changes for solicitors.
Unlike the current directive 95/46/EC, the GDPR introduces specific provisions on personal data breaches, setting out when and how they must be notified to the supervisory authority (in the UK, the Information Commissioner’s Office (ICO)). Given the very high penalties the GDPR introduces and the sensitive nature of the data held by law firms, questions of data security and data breaches become all the more pertinent.
However, the GDPR’s requirements concerning data breaches and data security must also be seen in the broader context of solicitors’ obligations to keep clients’ affairs confidential (Chapter 4 of the SRA Code of Conduct 2011). These include, among others, the obligations to identify and mitigate risks to clients’ information and to ensure that outsourcing of services does not compromise clients’ confidential information.
The Solicitors Regulation Authority (SRA) has identified information security as one of the key risks that law firms should take into account (see most recent SRA Risk Outlook for 2017/2018).
Data breaches in law firms
Data breach remains one of the top concerns of law firms due to the nature of information held by them and the risks it poses to clients and the firms’ reputation.
Despite growing publicity of cybersecurity incidents around the world, the breaches law firms most often report still concern paper files. The ICO data breach report for 2015/2016 indicates that the two main data security issues affecting the legal sector are loss and theft of paperwork (27 per cent of reported breaches) and data being posted or faxed to the incorrect recipient (17 per cent). These are followed by theft of an unencrypted device and sending an email to the wrong recipient (both 10 per cent).
It is not possible to state with certainty how many UK law firms have been affected by cybersecurity incidents, as data breach reporting is not yet mandatory (it will be once the GDPR starts to apply in May 2018).
Who should notify a data breach, when and to whom?
The GDPR defines personal data breach as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’ (Article 4(12)).
Article 33 obliges the data controller to notify a personal data breach to the competent supervisory authority (determined in accordance with Article 55) unless the breach is ‘unlikely to result in a risk to the rights and freedoms of natural persons’. Note the default: notification is required, and it is for the controller to show that the risk is unlikely. If the data breach has a cross-border impact or your firm operates across borders, or both, you should check which supervisory authority would be the lead one (see guidelines for identifying lead supervisory authority). It remains to be seen how cooperation between the supervisory authorities will work in practice, as reported by the first Pan-European Personal Data Breaches Exercise, carried out by the Commission’s Joint Research Centre with several EU regulators.
It is also possible that your firm will have to notify the data breach to the SRA (see Responsibilities of COLPs and COFAs) and to other regulators if your firm operates across borders.
Notification to the supervisory authority must be made ‘without undue delay and, where feasible, not later than 72 hours after having become aware of it’ (Article 33(1)). If the notification is not made within 72 hours, it must be accompanied by the reasons for the delay. Where all the required information is not yet available, it may be provided in phases without undue further delay (Article 33(4)), so an incomplete picture is not a reason to wait. Separately, where the breach is likely to result in a high risk to the rights and freedoms of data subjects, it must also be communicated to the affected data subjects without undue delay (Article 34, subject to several exceptions).
Data processors will have to notify data controllers without undue delay after becoming aware of a personal data breach (Article 33(2)).
According to Article 33(5), your firm will have to document all personal data breaches, including the facts relating to each breach, its effects and the remedial action taken, whether or not the breach was notified to the supervisory authority. This record is what the ICO will use to verify compliance with Article 33.
What should the notification include?
Article 33(3) of the GDPR specifies that the notification to the supervisory authority must include at least:
- the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and of personal data records concerned
- the name and contact details of the data protection officer or other contact point where more information can be obtained
- the likely consequences of the breach, and
- the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
Why does that matter?
Because it will cost you your money, your clients and your reputation. The GDPR introduces administrative fines of up to €10m or two per cent of total worldwide annual turnover for the previous financial year, whichever is higher, for failures to comply with the breach notification and security obligations. Breaches may also result in substantial reputational damage, loss of billable hours and additional spending to replace hardware and/or software. Also, losing sensitive information about your clients’ affairs may result in financial and reputational losses for them and may have a negative impact on your business in the long term.
What can your firm do?
There are steps you can take to get ready for the new data protection and data security regime:
- Map what personal data your firm is holding, how it is stored, managed and who the persons responsible for coordinating data security policies are.
- Consider the risks that your processing operations pose to the data subjects (your clients, your employees, members of the public, etc.).
- Think about how you can mitigate those risks, bearing in mind that the GDPR obliges the controller and the processor to ‘implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’ (Article 32) and itself suggests measures that could achieve that goal, such as pseudonymisation and encryption of personal data, the ability to restore availability and access to data after an incident, and regular testing of the effectiveness of the measures in place.
- Consider reviewing your current information and data security policies and carrying out a risk assessment of the IT systems and physical data you hold. The SRA Risk Outlook for 2017/2018 includes some helpful advice and steps to take to protect client information. You can also look at the UK Government Cyber Essentials scheme (recommended by the ICO) or the recent Law Society blog Keep your papers under wraps for GDPR compliance, which summarises key points your firm could consider in its data and information security policy.
- Consider setting up regular awareness-raising and training sessions for your staff, including training on how to recognise and report a data breach internally so that the 72-hour clock is not lost.
What to look out for in the near future
In the coming months, the Law Society will be busy reviewing its current practice notes to reflect the requirements of the GDPR. The Article 29 Working Party (WP29), the EU advisory body of data protection authorities, is expected to publish its guidelines on data breach notification in the second half of 2017, along with guidance on international data transfers, profiling and consent.