
GDPR: how we support our members

11 September 2018

You may be breathing a sigh of relief – the 25 May 2018 deadline has passed and you can now put GDPR on the back burner and get on with some ‘proper’ work. But can you?


I am a solicitor in the Law Society’s Practice Advice Service. This is a helpline, staffed by solicitors, which provides free and confidential telephone advice for members.

Our team continue to receive enquiries on GDPR on issues such as:

  • Do I need to write to all existing clients to obtain consent?
  • I’m exercising a lien; do I need to respond to a Subject Access Request?
  • What should I include in the client care letter?

Where shall I start?

First, it is important to get your firm’s house in order. GDPR should then be a ‘work in progress’ to be kept under constant review. Familiarise yourself with the ICO website and bookmark it as a favourite!

Action plan

The ICO has produced useful data protection checklists which will help you prepare an action plan. They cover:

  • Controllers checklist
  • Information security
  • Records management
  • Data sharing and subject access
  • Direct marketing

It is worth completing these checklists as the answers you give generate a report outlining what you can do to comply.

The Law Society has produced a guide for law firms which includes a checklist for firms to work through based on the ICO’s 12 steps.

Keep your eye on the ball

Security of data and subject access requests are the areas where most breaches are likely to occur, giving rise to potential complaints and triggering a notification to the ICO.

Security

GDPR requires that you have in place appropriate technical and organisational measures to implement the data protection principles and safeguard individuals’ rights. A key component of this is making sure that the information you hold is kept securely. This includes electronic and paper records. Consider:

  • How secure are your premises?
  • Are paper files locked away at the end of the day?
  • Do you operate a clean desk policy?
  • Do you have a homeworking policy in place?
  • How secure are the files kept at home?
  • Is there a register to record the files taken out of the office?

Subject access requests (SAR)

You should have in place a policy for dealing with requests for personal information within the new one-month time limit. You should ensure that all staff are aware of the policy and can recognise a SAR.

A SAR can be made verbally or in writing as long as it is clear that the individual is asking for their own personal data. It does not need to include the term ‘subject access request’. There is no longer a fee.

Staff should know who in the firm is responsible for dealing with requests for information so that the SAR can be dealt with without delay.

The data protection lead will need to search all the data the firm holds. This is why it is important that any files held (whether electronically or in paper format) are only retained for as long as necessary. The less unnecessary information the firm holds, the less time you spend searching following a SAR.

Client care information

Our Client care information practice note has been updated to reflect GDPR and includes:

  • information to be given to clients when you collect their personal data
  • information on privacy notices
  • links to the Law Society webpages on GDPR
  • links to the European data protection regulator’s guidance on meeting the transparency requirement.

How do you demonstrate accountability?

GDPR introduces the new principle of accountability. To demonstrate compliance, you will need to start documenting your data protection policies and procedures. Review and update the current ones and consider which new ones are necessary for your firm. Examples include:

  • appointing a data protection officer
  • having written policies on data protection, security, homeworking, email, IT, data breaches, retention policy, training, confidentiality, clear desk, disciplinary, use of mobile technology etc.
  • contracts with processors
  • risk assessments and documenting these

Training

Everyone in your firm who handles client data should understand and follow the firm’s policies. You must arrange regular training to ensure they remain up to speed.

For further practical advice and information please call the Practice Advice team on 0207 320 5675 - lines are open 9:00 to 17:00 Monday to Friday.

practiceadvice@lawsociety.org.uk


While every effort has been made to ensure the accuracy of the information in this article, it does not constitute legal advice and cannot be relied upon as such. The Law Society does not accept any responsibility for liabilities arising as a result of reliance upon the information given.

About the author

Sonia Aman is a solicitor in our Practice Advice Service and has been advising members on practice and procedure in a number of areas of law, compliance and anti-money laundering for over 10 years.
