The final text of the new EU General Data Protection Regulation (GDPR) was released in April 2016. Since this deals with the handling of personal data it is likely to apply to almost every law firm as you will hold personal information regarding your clients and staff as part of your everyday work. Whilst we are told ‘Brexit means Brexit’, it is highly likely that the UK will still apply the GDPR rules.
The new EU GDPR rules & Brexit – a brief summary
The new EU GDPR rules have been put forward to make Europe fit for the digital age, and for the UK are an update to the Data Protection Act. The EU GDPR rules will apply to all entities, regardless of where in the world they are located, which hold or use the personal data of an EU citizen.
The new EU GDPR rules come into law on 25th May 2018 and whilst it might be tempting to say the UK will not have to apply them, the likelihood is that we will. Irrespective of the form of Brexit the UK takes, the UK is likely to adopt the EU rules as the other alternative is to adopt UNECE rules (covering Europe, North America and Asia) which are very similar.
Irrespective of EU GDPR, the Law Society and other regulators, it is simply good business sense to take steps to protect the data of your clients and staff; above all, your firm’s reputation is at stake. Ideally, you should start to take action now to review current business procedures and implement appropriate measures ready for the new regime.
The rules bring radical changes to how organisations process personal data, giving greater protection to the public and greater powers to authorities to take action against companies that breach the rules. One of the most important changes EU GDPR stipulates is regarding the mandatory reporting of breaches.
Unlike the Data Protection Act, the EU GDPR rules apply to a data processor in exactly the same way as to a data owner, and law firms cannot exclude themselves from responsibility or liability.
Data breaches will now be far more expensive than ever before, and where there is a breach and a failure to comply with the new regulations there will be fines of up to the greater of €20m and 4% of annual global revenue.
12 things you should be doing now to prepare for EU GDPR
The Information Commissioner’s Office (ICO) has released a 12 step plan to help companies prepare for EU GDPR.
It is important you begin to prepare for the new EU GDPR rules before the regulation comes into law on 25th May 2018.
You need to determine your risks and take the necessary measures before the new GDPR rules come into force. This is a process that could easily take two years.
Here are 12 things the ICO recommends you should be doing now:
- Appoint a data protection officer
- Raise staff awareness of the new EU GDPR rules
- Implement procedures to detect, report and investigate data breaches
- Audit the information you hold (including its source and use)
- Review privacy information and implement appropriate changes
- Consider individuals’ rights (including the right to be forgotten)
- Update subject access request procedures
- Establish and document your legal basis for processing data
- Review consent mechanisms and implement appropriate changes
- Incorporate data protection by design and privacy impact assessments
- Update procedures for processing data about children
- Determine the data protection authority for international organisations
As you can see, for a number of organisations there will be a lot of work to do and less than two years to get everything in order. Failing to do so could result in considerable fines and loss of reputation.
How we can help you
Our data protection experts have a great deal of experience in this area, working closely with businesses to implement information security management systems. If you are looking for help in this area, please get in touch with Charles Kavazy, Director of IT Services at Hawsons, on 0114 266 7141.