Data protection for the 21st century: Here’s what law firms need to do to comply with GDPR

12 September 2017

The GDPR (General Data Protection Regulation) is a buzzword in the legal sector at the moment, and you may well be sick of hearing about it – but that doesn’t make it any less important an issue for firms to address.

You probably already know that the legislation comes into force in May 2018. You've probably already heard about the potential sanctions for companies which do not comply with the legislation – fines of up to four per cent of worldwide annual turnover, or €20m, whichever is greater. It might all just seem like a huge and unnecessary compliance burden. But do you know why the changes are being made, and how they will benefit individuals – including you?

Why are the changes being made and how do individuals benefit?

Since 1995, when the Data Protection Directive became law, there has been a massive adoption of the internet and social media, and of technology such as smartphones and tablets. Businesses, meanwhile, are using ever more sophisticated processes to analyse and track individuals' online behaviour to increase the effectiveness of their marketing activities and drive sales. Many practices are so complex and/or opaque that the average person may struggle to fully understand how their personal information is being used, let alone be able to control businesses' use of it.

Data protection legislation is now over 20 years behind this trend. It needs to be updated to take account of the major changes in how we share our own data and how businesses use it.

Rather than being simply pointless European red tape, the GDPR aims to redress the balance in favour of the individual, by enshrining the protection of personal data as a fundamental human right.

If the European Commission fulfils its ambition, in the coming years we are likely to see a seismic shift as the use of personal information becomes a highly regulated activity.

What do law firms need to do about it?

1. Learn the basics

If you are responsible for your organisation's compliance, and starting from zero, it is essential to gain at least a high-level understanding of the GDPR, its scope and its requirements. A crucial starting point is to understand the key concepts and principles. The ICO provides a wealth of information on its website, while for lawyers (whether in private practice or in-house) The Law Society provides a range of information including webinars, conferences and publications.

2. Set the tone from the top 

A compliance programme that is not supported and adequately resourced by the organisation's highest level of management is doomed to failure. Your organisation's management must be aware of the implications of the GDPR, invest in the appropriate resources necessary to enable compliance, and set the appropriate 'tone from the top'.

3. Identify your data 

Organisations must be able to identify the personal information they hold about their employees, customers and suppliers, and how it is used, including the systems in which it is stored. The level of risk will depend on the nature of the business: for example, a private clinic is likely to hold a large volume of sensitive information about individuals, while a wholesale manufacturer may only hold limited contact details for a relatively small number of business customers.

4. Check your use of data is compliant 

There is a lot of misinformation in circulation concerning the requirement for consent. The GDPR imposes stringent requirements upon organisations when they rely on consent in order to process individuals' information. However, consent is not the only legal ground for processing. There are many others. As well as establishing a legal basis for using personal information, organisations must also ensure that their use is in line with the other principles of the GDPR, such as data minimisation, storage limitation, and use in accordance with individuals' rights.

These steps will set the ball rolling on what for many organisations is likely to be a long journey. As data protection escalates in significance to a highly regulated activity, it is a very important exercise, and with less than a year before the GDPR takes effect, a very urgent one.  

My book is aimed at private practice and in-house lawyers seeking to gain a detailed understanding of the GDPR. It explains the key concepts and their practical application, with comparisons against the Data Protection Directive, and incorporates applicable European guidance.

Take a look at James' new book, EU General Data Protection Regulation: A Guide To The New Law


About the author

James Castro-Edwards is a partner and the head of data protection at Wedlake Bell. He advises organisations in the private, public and third sectors on data protection issues. His experience includes managing global data protection compliance projects for multinational companies, providing advice on discrete data protection issues and advising companies that have suffered a data breach.
