The General Data Protection Regulation will apply soon. Making sure you’re up to speed with it also presents an ideal opportunity to look at your own data policies and practices.
One of my clients wanted me to reassure him a few weeks ago: ‘GDPR – tell me it’s a big fuss over nothing!’ The GDPR (General Data Protection Regulation: Regulation (EU) 2016/679
) replaces the current Data Protection Act 1998 and applies from 25 May 2018. It strengthens the rules concerning personal data and requires organisations to be more accountable and transparent. It also gives people greater control over their personal data.
There have been headlines about the maximum fine for data breaches: €20m or four per cent of annual turnover, whichever is higher. The Information Commissioner’s Office (ICO) has stated that these will be reserved for only the most serious of breaches, rather than being the ‘norm’, but that doesn’t mean you can afford to ignore the GDPR.
What is ‘personal data’?
‘Personal data’ under the GDPR means any information relating to an identified or identifiable natural person who can be directly or indirectly identified (including by reference number or other identifier) (article 4(1)). Legal practices clearly hold a lot of personal data, on their own personnel and on their clients.
Under the GDPR, data can only be processed if there is at least one lawful basis for doing so (article 6(1)). There are several lawful bases for processing data but, in most cases, you need to have the person’s explicit consent for the specific purpose for which you hold the data. This means, for example, that you can’t use a client’s details to send him/her marketing newsletters simply assuming s/he will want to hear from you after his/her case is closed. You will need to obtain explicit consent. You also need a privacy notice on your website, allowing people to opt in or out of ‘cookies’, which create more tailored browsing.
You need to keep records of the consents obtained (eg, data protection consent forms on client files, from members of staff in relation to personnel data, records of consent for those asking to be included on distribution lists for email updates etc). You need to inform those whose data you hold (data subjects) of the lawful basis under which you will hold their data, what you will use it for, and how long you will hold it. You also need to provide information about how to complain to the ICO if a data subject has a problem with the way you handle his/her information.
Right of access
Data subjects have the right to know what data you hold about them. Your data controller has to provide this information upon request, within one month (article 12(3)). Data subjects can correct any information that is incorrect, and have the right to erasure of their data if there is no longer a lawful reason to hold it (article 15(1)).
You may need to review your data retention policies, both hard copy and electronic, including, for example, emails. Up to now, many lawyers have taken the view that it is OK to keep data almost indefinitely as long as you are confident that it is secure, because ‘you never know when it might be useful’. This would be hard to justify under the GDPR.
Under the GDPR, the data controller is under a legal obligation to notify the ICO without undue delay and must do so within 72 hours after s/he has become aware of a data breach (article 33(1)). Data subjects have to be notified if the breach could have an adverse impact on them (article 34(1)).
Take action now
You are required to document the personal data you hold, where you obtained the information from and with whom you may share it (eg, client data may be shared with the Legal Aid Agency, experts, counsel, your financial and quality auditors).
Support and training
The ICO has a dedicated advice line to help small organisations prepare for the GDPR (0303 123 1113 – option 4). There are also resources on the ICO website
You will need to ensure that all members of your practice are provided with GDPR update training. Matthew Howgate (freelance compliance consultant and Legal Aid Practitioners Group (LAPG) committee member) says: ‘GDPR is a great opportunity for all lawyers to consider their approach to personal data. A simple information audit is the best place to start. In February, LAPG will be running training
on the practical steps to prepare for the new regs.’