The EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018 came into force in the UK on 25 May 2018.
Together they bring the most significant change in data protection regulation in 20 years. The regulation is designed to align privacy laws across Europe and increase protections and data privacy rights for individual citizens.
This page brings together guidance and support with education and learning resources from the Law Society and external agencies to help you and your firm understand the regulation.
Law firms generally face the same issues as other organisations in seeking to comply with the GDPR and, through our ongoing discussions with firms, we are identifying and exploring specific issues of concern around compliance.
This page will be updated regularly as we consider what further guidance we can provide in light of the evidence emerging from firms' GDPR compliance work.
The potential for high fines under the GDPR has attracted considerable publicity but in practice the ICO has many more enforcement tools.
If the UK leaves the EU without a deal, law firms and other businesses will need to consider whether their cross-border data flows are GDPR-compatible.
The GDPR and DPA 2018 enforce a high level of transparency on data controllers, including solicitors. We look at what this means in practice.
This is the first in a series of fortnightly updates on data protection compliance issues for law firms.
We have produced a guide 'Preparing for the GDPR: A guide for law firms' to support firms to work towards compliance.
In the final run-up to the GDPR (there are now fewer than 35 working days until it comes into force), two significant events have taken place. Both offer insights into some of the questions law firms are grappling with.
We answer some of the questions raised from our series of articles on preparing for the GDPR.
Frequently asked questions about the GDPR.
Nick Denys, policy advisor at the Law Society, explores some of the challenges organisations face to remain GDPR compliant.
Sarah Richardson, who supports the Law Society’s children law sub-committee, discusses how the EU GDPR affects the data protection rights of children.
Andrew McWhir, policy advisor at the Law Society, discusses the Law Society’s GDPR guide for law firms.
The GDPR and the Data Protection Act (DPA) 2018 came into force in the UK on 25 May 2018. The DPA replaces the DPA 1998 and supplements the GDPR by filling in sections of the regulation left to Member States to interpret and implement.
The GDPR imposes stringent accountability and transparency obligations on data controllers, including mandatory reporting of data breaches.
The new regulation is an evolution of the previous data protection framework, with which law firms should already be compliant.
The regulation introduced new elements and significant enhancements, which meant that every organisation had to start doing some things for the first time and to change some of its existing processes. The EU GDPR.ORG website provides a useful summary of the changes brought in by the GDPR.
The Information Commissioner's Office (ICO) produces a more detailed monthly summary of what's new. Subscribing to the ICO's newsletter is a useful way to keep informed.
It's key to determine whether your firm processes personal data as a 'data controller' or 'data processor'. You should then complete the ICO's checklist for data controllers and/or processors. Law firms will generally be data controllers.
The ICO has published a 12-step guide (PDF, 238 KB) that we strongly recommend you use to work towards compliance.
Given the scale of the changes, you should consider appointing an individual to act as the business lead for your GDPR project. This does not necessarily have to be someone with data protection expertise.
While most law firms are not required to appoint a data protection officer (DPO), we recommend that firms consider the voluntary designation of someone with appropriate expertise and resources to lead on GDPR compliance.
We also suggest that firms complete an information audit to identify and document all of the personal data the firm processes.
Access our guidance on appointing a DPO
Please contact us if you or your firm have a specific issue you would like to raise.