Frequently asked questions about the GDPR
Do law firms need to appoint DPOs under the GDPR?
GDPR will require some organisations, including some law firms, to appoint data protection officers (DPOs). To decide if you need to appoint a DPO you should familiarise yourself with Article 37 of the GDPR, relevant guidance from the Information Commissioner and the Article 29 Working Party guidance. If you decide you do not need to appoint a DPO, you may decide to make a voluntary appointment. We recommend that you document your decision-making.
How long should I retain personal data and documents?
Article 5(1)(e) of the GDPR sets out the storage limitation principle: personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. It does not prescribe fixed retention periods and does not significantly differ from the equivalent principle under the current Data Protection Act. You may wish to review your existing retention schedules, and the justification for each period in them, in order to prepare for the GDPR.
How should I apply the new rules on consent?
The ICO has published draft guidance on consent. However, this guidance will not be finalised until the Article 29 Working Party finalises its own guidance. This is currently expected to be available in December 2017.
Are there special rules for legally privileged material?
The current Data Protection Act 1998 exempts personal data in respect of which a claim to legal professional privilege could be maintained in legal proceedings from the subject information provisions (see Schedule 7, paragraph 10).
There are no comparable provisions in the GDPR itself, but the Data Protection Bill currently making its way through Parliament exercises a derogation (Schedule 2, paragraph 17) that mirrors the existing provisions. The Bill also contains provisions concerning the handling of privileged material by the ICO (see clause 128).
What do I need to know about cybersecurity and the GDPR?
Cybersecurity remains as important under the GDPR as it is under the current data protection framework: Article 32 requires appropriate technical and organisational measures to secure personal data, as the seventh data protection principle does today. See our advice and support on cybersecurity. For general advice and support on all aspects of cybersecurity, including its recently published Small Business Guide, visit the National Cyber Security Centre's website.
For information on mandatory data breach notification, read the ICO's blog GDPR – setting the record straight on data breach reporting.