You may be breathing a sigh of relief – the 25 May 2018 deadline has passed and you can now put GDPR on the back burner and get on with some ‘proper’ work. But, can you?
I am a solicitor in the Law Society’s Practice Advice Service. This is a helpline, staffed by solicitors, which provides free and confidential telephone advice for members.
Our team continues to receive enquiries about GDPR on issues such as:
- Do I need to write to all existing clients to obtain consent?
- I’m exercising a lien; do I need to respond to a Subject Access Request?
- What should I include in the client care letter?
Where shall I start?
First, it is important to get your firm’s house in order. GDPR compliance should then be treated as a ‘work in progress’ and kept under constant review, not as a project that ended on 25 May. Familiarise yourself with the ICO website and bookmark it as a favourite.
The ICO has produced useful data protection checklists which will help you prepare an action plan. They cover:
- Controllers checklist
- Information security
- Records management
- Data sharing and subject access
- Direct marketing
It is worth completing these checklists, as the answers you give generate a report setting out what you still need to do to comply.
The Law Society has produced a guide for law firms which includes a checklist for firms to work through based on the ICO’s 12 steps.
Keep your eye on the ball
Security of data and subject access requests are the areas where breaches are most likely to occur, giving rise to potential complaints and, where a breach is likely to result in a risk to individuals, triggering a notification to the ICO.
GDPR requires that you have in place appropriate technical and organisational measures to implement the data protection principles and safeguard individuals’ rights. A key component of this is making sure that the information you hold is kept securely. This applies to electronic records as much as to paper files. Consider:
- How secure are your premises?
- Are paper files locked away at the end of the day?
- Do you operate a clean desk policy?
- Do you have a homeworking policy in place?
- How secure are the files kept at home, including electronic files on laptops and removable media?
- Is there a register to record the files taken out of the office?
Subject access requests (SAR)
You should have in place a policy for dealing with requests for personal information within the new one-month time limit (which can be extended by a further two months for complex or numerous requests, provided you tell the individual within the first month). You should ensure that all staff are aware of the policy and can recognise a SAR when they see one.
A SAR can be made verbally or in writing, as long as it is clear that the individual is asking for their own personal data. It does not need to use the term ‘subject access request’ and it need not be addressed to any particular person. There is no longer a fee, except that a reasonable fee may be charged where a request is manifestly unfounded or excessive, for example because it is repetitive.
Staff should know who in the firm is responsible for dealing with requests for information so that a SAR can be passed on and dealt with without delay.
The data protection lead will need to search all the data the firm holds about the individual. This is why it is important that files (whether held electronically or on paper) are retained only for as long as necessary. The less unnecessary information the firm holds, the less time a search takes when a SAR arrives.
Client care information
Our Client care information practice note has been updated to reflect GDPR and includes:
- information to be given to clients when you collect their personal data
- information on privacy notices
- links to the Law Society webpages on GDPR
- links to the European data protection regulator’s guidance on meeting the transparency requirement.
How do you demonstrate accountability?
GDPR introduces the new principle of accountability: it is not enough to comply, you must be able to show that you comply. To demonstrate this, you will need to document your data protection policies and procedures. Review and update the current ones and consider which new ones are necessary for your firm. Examples include:
- appointing a data protection officer where one is required, or otherwise designating a data protection lead
- having written policies on data protection, information security, homeworking, email and IT use, data breaches, retention, training, confidentiality, clear desk, disciplinary matters, use of mobile technology and so on
- written contracts with processors containing the terms GDPR requires
- carrying out risk assessments and documenting them
Everyone in your firm who handles client data should understand and follow the firm’s policies. You must arrange regular training to ensure they remain up to speed.
For further practical advice and information please call the Practice Advice team on 020 7320 5675. Lines are open 09:00 to 17:00, Monday to Friday.
While every effort has been made to ensure the accuracy of the information in this article, it does not constitute legal advice and cannot be relied upon as such. The Law Society does not accept any responsibility for liabilities arising as a result of reliance upon the information given.