This is the first in a series of fortnightly updates on data protection compliance issues for law firms. In this update we review what has been happening since 25 May, when the EU General Data Protection Regulation (GDPR) and the new Data Protection Act 2018 (DPA) came into force.
The challenge of the past six months has been to move from theoretical anticipation of the Regulation to operational compliance. Law firms’ early experiences in doing so were explored at a Law Society conference in September: The first 100 days: Issues, lessons and successes from delivering the GDPR.
Experts at the conference noted rising numbers of complaints to regulators across Europe, including the Information Commissioner’s Office (ICO) in the UK, along with a steady increase in data breach notifications. Law firms should try to avoid the over-reporting and late or incomplete reports noted by the ICO.
You may also want to review the ICO’s Regulatory Action Policy, which is intended to enable you to predict how the ICO will carry out its regulatory activity in connection with information notices, assessment notices, enforcement notices and penalty notices.
It states that the ICO will consider each case on its merits but also acknowledges that ‘as a general principle, the more serious, high-impact, intentional, wilful, neglectful or repeated breaches can expect stronger regulatory action.’
A follow-up conference, Data protection in transition: GDPR and DPA compliance for law firms, will be held to review the position post-Brexit.
Other important developments include the establishment of the European Data Protection Board (EDPB), which is composed of representatives of the national data protection authorities, and the European Data Protection Supervisor.
The EDPB contributes to the consistent application of data protection rules throughout the EU and amongst its tasks provides general guidance to clarify the law. It has already issued an opinion on the ICO’s list of when Data Protection Impact Assessments (DPIAs) should be carried out.
Finally, the EDPB has endorsed a list of GDPR-related Guidelines issued by the EDPB’s predecessor body, the Article 29 Working Party. They include guidelines on consent, the appointment of Data Protection Officers, personal data breach notifications and Data Protection Impact Assessments.
In future updates we will be exploring topics ranging from GDPR/DPA and legal professional privilege to the ICO’s enforcement powers and privacy notices. Data protection compliance is an ongoing challenge and you may still find the Law Society’s Preparing for the GDPR checklists relevant. All our GDPR resources are collated on our GDPR advice and guidance pages.
The ICO has just published a call for views on its Direct Marketing Code of Practice. The consultation closes on 24 December.
GDPR in practice
Want to share how your firm has tackled the practical challenges of GDPR? Please email us at firstname.lastname@example.org