Date: 08/10/2017 | Business & Professional Services, Data Protection & Information Law, Regulatory Law
For many businesses it will involve a major overhaul of their approach to the management of data. In addition, penalties for failure to comply can be severe. Various bands of fines have been introduced, with the most serious infringements carrying the maximum fine of €20M or 4% of the global annual turnover of a business – whichever is the greater.
Data controllers and data processors will now share joint and several liability for compensation to any data subjects for breaches.
In light of the significant changes, it is of critical importance that businesses plan and prepare now to ensure immediate compliance when GDPR comes into force.
GDPR will now apply to all businesses in the EU that control data or undertake data processing. It will also apply to non-EU businesses where they are doing business within the EU.
Some of the existing rights under the current Data Protection Act have been altered while some entirely new rights have been introduced, such as a right to data portability; an extended right to be forgotten; and an enhanced subject access right.
Significantly, businesses should be reviewing direct mailing lists and databases to ensure that they have the appropriate legal basis for processing and using the data. The GDPR makes it more onerous to use consent as a legal basis. The consequences of being caught out are serious.
Data processors are now required to maintain original records of all their processing activities, which must be disclosed to demonstrate compliance when required. Some data controllers will also need to appoint a Data Protection Officer where data is processed on a large scale and in a systematic manner, or where the data falls into certain specified categories such as sensitive personal data (high risk).
Law firms that are, for example, undertaking large volumes of family, criminal and/or medical negligence claims may find that they need to engage the services of a Data Protection Officer in order to comply with the GDPR.
Data Controllers will be required to carry out a data protection impact assessment in certain high-risk situations.
Furthermore, whereas there is no legal requirement to report security breaches under the current Data Protection Act, under the GDPR this is no longer the case. It becomes mandatory to report a breach to the regulator (the Information Commissioner's Office) within 72 hours of the Data Controller becoming aware of the breach. Those affected by the breach, such as data subjects, must also be informed without undue delay.
The GDPR also makes some notable changes to the subject access right. Currently, under the Data Protection Act, £10 could be charged for a subject access request and a 40-day time limit applied. Under GDPR it is no longer possible to charge for the service, and the time limit is reduced to one month. Businesses would be well advised to put in place proper strategies for the efficient management of such requests.
This is just a brief overview of some of the key features of GDPR. Law firms and clients alike would be well advised to consider and implement appropriate strategies for dealing with the GDPR now.
For further information please contact Alan Strain.