Do You Have All Your GDPR Ducks In A Row?
Blog: By Joanne Hunter, Head of Marketing, Select Legal Systems Limited
The General Data Protection Regulation – GDPR (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
It comes into force on 25 May 2018 and is the biggest shake up in data protection legislation for 20 years. The new law affects organisations based in all 28 EU member states including the UK despite the Brexit situation, and probably affects law firms more than most types of business due to the highly sensitive nature of data they tend to hold, and share, on the behalf of clients.
We at Select Legal Systems Limited, authors of LAWFUSION – the leading legal practice management software for law firms, have written this white paper for our clients. Having researched the subject matter thoroughly in order to enhance our best-of-breed software specifically with new functionality to help law firms comply with GDPR, we realised our findings could be useful to others across the profession. Therefore we are more than happy to share our document with any law firm preparing for GDPR.
This law-firm specific document makes a number of suggestions on how you might embrace GDPR sensibly, in bite-sized chunks, without allowing it to become a major distraction. It attempts to dispel some of the misleading myths surrounding GDPR and suggests how a law firm might get its 15 GDPR ducks in a row, in the right order, in time for the May 2018 deadline.
Establish Credible Sources
Preparing for GDPR is made harder by all the hype surrounding the imminent new regulation. Many bloggers, journalists and commentators are blowing some of the details out of proportion which has led to some outrageous headlines and significant levels of scaremongering. Misinformation about how GDPR is to be enforced is confusing many of us. Some of this is fuelled by organisations jumping on the bandwagon as they try to sell their products and services on the back of GDPR hype.
Try to separate the wheat from the chaff from the start by going straight to the ‘horse’s mouth’ of GDPR – the ICO – the Information Commissioners Office – the UK regulator responsible for GDPR. The ICO describe themselves as “the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals”. We recommend law firms look to the ICO as their main source of accurate and up-to-date information on GDPR.
The ICO’s CEO, Elizabeth Denham launched a blog recently to separate GDPR fact from GDPR fiction and there is a lot of other very useful information on the GDPR website. Here are just a few of their useful links:
- Overview of GDPR
- Preparing for GDPR – 12 Steps
- GDPR Consent Guidance
- ICO CEO’s Notes From Recent Speech At Institute of Directors
As Mrs Denham has explained on many occasions despite the ICO’s new powers to issue much larger fines under GDPR (i.e. up to £17 Million / €20 Million or 4% of global turnover, whichever is the greatest) the ICO’s remit is to guide, advise and educate organisations on how to comply with the law. It is not about crippling businesses with massive financial punishments. Mrs Denham insists fines are always a last resort.
The ICO has a helpline – 0303 123 1113.
Also on 1 November 2017 the ICO launched a dedicated GDPR service for enterprises with less than 250 employees.
If you take what the ICO is saying as ‘read’ and then enhance your research with articles, blogs and events from other trusted sources, and see them for what they are, you shouldn’t go far wrong.
Be Aware GDPR Is Not Yet Finalised
In the UK, GDPR replaces the Data Protection Act 1998 and associated legislation the Privacy & Electronic Communications Regulations (PECR). GDPR was passed in 2016 with a 2 year transition period and becomes enforecable on 25 May 2018. Certain aspects of the new legislation are still being debated at Government level in terms of how it will be enforced practically. A good example of this is the legal grounds to process personal information in terms of ‘legitimate interest’. This is currently on the agenda and an ICO Guidance document is expected, but not until the New Year.
This means you cannot put everything in place in readiness for GDPR right now, however, there is much you can do today if you haven’t already started your preparations. My best advice would be to keep your eye on new updates and guidance from the ICO, but don’t delay your preparations. You cannot afford to.
Understand The Key Principles of GDPR
GDPR is all about encouraging best practice with regard to the processing of ‘personal data’, and the most significant change from the current law is the ‘accountability factor’. i.e. GDPR requires you to show how you comply – i.e. you must document the firm’s decisions / policies on how it will process ‘personal data’ across the business once GDPR comes into force.
SO WHAT IS ‘PERSONAL DATA’?
Whilst the definition of personal data under GDPR is more expansive than under the DPA, the ICO says that its definition should make little practical difference. They point to a 30-page DPA document that defines ‘personal data’.
What we have gleaned from this document is that if you can identify an individual from the data relating to their personal life, their family life or their business/professional life, then it is classed as personal data. So a name alongside a home address, an online profile that gives a name and the company the person works for, or even a corporate email address – are all examples of personal data.
Personal data could also be HR records, customer lists and contact details. It is also IP addresses (Internet Protocol address) a unique string of numbers separated by full stops that identifies separate devices communicating over a network. There is also ‘special category personal data’ which covers information on a person’s health, sexual orientation, genetic or biometric data. This kind of data is handled even more strictly under GDPR.
Pseudonymised personal data (data that is key-coded) can fall within the scope of the GDPR too if it is not anonymous. But do check out the 30-page DPA document for yourself here to be absolutely clear about all the different types of data you process in your Practice.
SO WHY IS GDPR HAPPENING?
Well some say it is long overdue. GDPR replaces the Data Protection Act 1998. Twenty years ago when this act became law the internet hadn’t reached anywhere near the levels of sophistication, or use, it has reached today. This is the main reason why the powers that be now believe new legislation in the form of GDPR is sorely needed. The digital infrastructure we have today was absolutely unimaginable back in 1998. With it, the internet has brought the coming of age of several other ‘game-changing’ technologies such as ‘big data’ and ‘artificial intelligence’. Our reliance on the internet, and its many wonders, has fuelled the production of massive datasets that consistently grow on a second-by-second basis. Every time someone clicks ‘buy’, ‘book now’ or ‘submit’ more ‘personal data’ is processed adding to this huge dynamic dataset. And that’s what GDPR is all about – the ‘personal data’ and how we collect it, store it, process it and use it.
SO WHAT ARE THE KEY PRINCIPLES OF GDPR?
The principles of GDPR are that personal data shall be:
– processed lawfully, fairly and in a transparent manner
– collected for a specified, explicit and legitimate purpose (and not further processed incompatible with those purposes)
– adequate, limited to what is necessary
– accurate – every reasonable step should be taken to ensure this
– kept secure
WHAT ARE DATA CONTROLLERS & DATA PROCESSORS?
As a law firm you may wear both hats at different times depending on what you are doing.
Under both the DPA and the GDPR there are ‘data controllers’ and ‘data processors’. The controller says how and why personal data is processed and the processor acts on the controller’s behalf. The controller shall be responsible for demonstrating compliance with the above GDPR principles.
A law firm handling a litigation case on behalf of a client would need to process the client’s personal data. Under GDPR the firm must make the client aware of why they need their personal data and how they are going to use it in relation to the handling of the case. If the firm appoints an expert witness to give evidence as part of the litigation, the expert witness could be classed as a ‘data processor’ as they too will process the client’s personal data. But they are not in ‘control’, they will be acting under instruction from the law firm. In this instance the law firm will be the data controller. The expert witness will be the data processor.
Appoint A Data Protection Champion
Under GDPR it is NOT MANDATORY for an organisation to appoint a Data Protection Officer unless it is classed as one of the following:
- organisations that carry out large scale systematic monitoring of individuals
(for example, online behaviour tracking)
- organisations that carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
- public authorities (except for courts acting in their judicial capacity)
However, to ensure you have sufficient skills in the Practice to meet your GDPR obligations I would highly recommend you appoint a GDPR champion (or champions for different departments / branches ) depending on the size and scope of your firm. For example your criminal defence team may hold a significant amount of special category personal data on behalf of clients, compared with your conveyancing team. However, the data held by the conveyancing team is arguably just as sensitive but in a different way. Appointing a champion in each department that understands the nuances of the personal data they process would be a sensible move for some law firms.
It makes sense to explore how GDPR will affect the different areas of law that you practise within your firm and we recommend you task your GDPR Champion(s) to filter down to see how the new legislation will affect the day-to-day activities of each individual member of staff.
We recommend you put your champions in touch with the ICO via their helpline 0303 123 1113.
Build Awareness Inside The Practice
Once you have your first four ducks in a row, it’s time to start building awareness inside the firm. It is important that you get ‘buy-In’ from senior management, and then as a management team you need to start to make sure every member of staff is aware of GDPR, what it is, when it comes into force and why it is necessary.
It is important the whole team understands GDPR brings new rights for consumers and citizens. That it is an evolution of the current law and a step change that brings greater accountability, transparency and individual control.
The entire team needs to understand that clients will have stronger rights under GDPR in terms of being informed about how their personal data will be used by the Practice. Clients will have the right to request their personal data be deleted, and on how they give you their consent to process their personal data. They also have new rights around the portability of personal data should an individual decide to change law firms. (There is more detail on this further on in this blog under ‘Individuals’ Rights’).
If the people in your business understand why the legislation is so important, they will have a better understanding of how they can play their part in ensuring your law firm complies.
Awareness and buy-in are the keys to compliance and they have to be ongoing. One presentation at the start of your process won’t cut it. The sharing of information via regular face-to-face and written updates is required.
LAWFUSION can help you with this: As part of its GDPR Module there is a documents section where you can store all your credible information regarding GDPR and as you store them they can be automatically emailed to your staff list via LAWFUSION’s Outlook integration.
Understand The Rights of Individuals
The rights for individuals are far stronger under GDPR than they are currently under the DPA. Before you start to make any decisions about how you are going to change the firm’s procedures and policies there are eight GDPR rights you need to understand and consider. GDPR creates some new rights and strengthens others that already exist under the DPA. They affect every law firm. Please study them. Understand them. Discuss them with staff and clients. They are:
THE RIGHT TO BE INFORMED
The right to be informed encompasses your obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasises the need for transparency over how you use personal data.
You should publish your privacy notice, in easy to understand language, on your website, in your contracts and terms of business and send it out with your client care information. You should ensure in your firms procedures documentation you include clear instructions on how relevant employees are expected to process ‘personal data’. The information you include in your data privacy notice is determined by whether or not you obtained the personal data directly from the individual or not and the ICO provide a table on this which shows what you need to inform individuals about and at what stage.
HOW LAWFUSION CAN HELP WITH THE RIGHT TO BE INFORMED: Within the LAWFUSION GDPR Module you have a repository where you can store all your GDPR policy and procedures documents, including your ‘Privacy Notice’ with version control functionality.
THE RIGHT TO ACCESS
Similar to existing subject access rights under DPA a law firm should be prepared to provide the following, under GDPR to people who ask for it.
- Confirmation that their data is being processed
- access to their personal data
- and other supplementary information
Data Access Requests should be answered without delay and at the latest within one month of receipt of the request. The law firm is no longer able to charge a £10 fee for data access requests, as is the case under the current law, but can charge a reasonable fee if requests are excessive, unreasonable or repetitive.
HOW LAWFUSION CAN HELP WITH THE RIGHT TO ACCESS: The LAWFUSION GDPR module provides functionality to produce a ‘personal data’ report for any individual on the database. However, under GDPR you must take ‘reasonable measures’ to verify the identity of the person making the access request. LAWFUSION provides a ‘caller ID’ feature which gives users the ability to store five pieces of ‘verification’ information plus a password for each contact on the database. The idea is when a caller requests access to their records the software will randomly pick 2 verification items and two random characters from the client’s password so that users can verify the caller’s identity before giving access to the appropriate personal data records. The ID verification is logged in terms of which user carried it out, date and time stamped for a full audit trail.
Once identity is verified, at the click of a button the GDPR Module generates a detailed account of all personal data held on the individual. This report can be printed from LAWFUSION or provided as a PDF by email.
The GDPR module also provides Data Protection Officers functionality to log all ‘data access’ requests, date and time stamp them, and assign them to a user for action.
GDPR stipulates these requests should ideally be handled within one month of receipt, LAWFUSION can be configured to alert relevant users when pending requests are due for action, and it can also highlight overdue data requests escalating them to the relevant Data Protection Officer.
THE RIGHT TO RECTIFICATION
Individuals have the right to request the personal data you hold on them be rectified if it is inaccurate or incomplete. You must aim to respond to these requests as quickly as you can, within one month, or two if the request is considered complex. If you have shared the incorrect information with third parties, you must also inform them of the rectification wherever possible.
HOW LAWFUSION CAN HELP WITH THE RIGHT TO RECTIFICATION: Requests for rectification can be recorded in a similar way to requests for access described above, i.e. with a date and time stamp, how the request was rectified with reminders to users and management when requests are due / overdue. Of course the law firm must take ‘reasonable measures’ to verify the identity of the person making the request. LAWFUSION’s ‘verify caller’ functionality enables this by randomly selecting two of five fields of verification information plus two characters from the client’s password as a secure tool to be used in conjuction with the law firm’s security procedures.
THE RIGHT TO ERASURE / TO BE FORGOTTEN
The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
You will see by following the ICO link below that there are circumstances when an individual can ask their law firm to delete their personal data. E.g. when the individual objects to the processing and there is no overriding legitimate interest for continuing the processing. There are also times when a law firm cannot fulfil this request, e.g. when the data is needed for the exercise or defence of legal claims.
In the context of a law firm, if an individual requests their personal data (i.e. a contact record) is removed from the firm’s practice management system, where a case is linked to the contact record, the request cannot be fulfilled, because case files have to be kept for a specific length of time by law of course. However, the law firm can explain to the individual other ways to satisfy their request. For example the record can be restricted for processing (more on this later) and its contents of their contact record can be scrambled so that only the data protection officer can see it until such time that the legal period for holding the case has expired. At which point it can be deleted.
Of course if there is a contact record for a prospective client that is not attached to a case, then this should be deleted.
HOW LAWFUSION CAN HELP WITH THE RIGHT TO ERASURE: Again erasure requests can be logged in the LAWFUSION GDPR Module. This provides the ability to record erasure requests with a date and time stamp, record when and how and by who it was actioned for GDPR compliance accountability evidence.
If you cannot fulfill the deletion request you may agree with the individual that you will obfuscate (or scramble) the data and tag if for no further processing, but set a destroy date for when it can be deleted. This means you will still have a hidden record of what it was that only the Data Protection Office can see. If that person decides for whatever reason to give the firm consent to process their personal data again in the future, a full audit trail of both requests and subsequent actions are saved for completeness. When the destroy date comes up, the firm can liaise with the client to confirm their deletion wishes.
Again law firms must take ‘reasonable measures’ to verify the identity of the person making the request for deletion. LAWFUSION provides ‘caller ID’ functionality. The software randomly selects two of five fields of verification data plus two characters from the client’s password (held against the contact record), allowing the user processing the request to clarify the caller is actually who they say they are. When a caller ID check is carried out on the system, it is logged with user, date, time and outcome as evidence that reasonable measures have been taken in this regard.
THE RIGHT TO RESTRICT PROCESSING
Under the DPA, individuals have a right to ‘block’ or suppress processing of personal data. The restriction of processing under the GDPR is similar. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future.
HOW LAWFUSION CAN HELP WITH THE RIGHT TO RESTRICT PROCESSING: LAWFUSION provides functionality that enables you to keep a full audit trail of requests, actions and relating details. The personal data in question can be scrambled in the LAWFUSION record so that only the Data Protection Officer can see it. At the same time it is coded so that no further processing can take place.
When a regular user searches for the record in question, it will still appear in their search results, but if they try to access the record LAWFUSION will display a message advising it is restricted under GDPR and advise the user to contact their Data Protection Officer. Again reasonable measures must be taken by the firm to ensure the person requesting restricted processing can verify their identity. The ‘caller ID’ functionality in LAWFUSION at contact record level facilitates this and logs evidence that it has been done.
THE RIGHT TO DATA PORTABILITY
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. A law firm could be expected to provide this data in a machine readable format and would not be able to charge for transferring this data.
HOW LAWFUSION CAN HELP WITH THE RIGHT TO DATA PORTABILITY: Requests of this nature are logged under ‘requests’ in the GDPR module. From within LAWFUSION a user at a law firm can extract a .csv file (a machine readable format) containing the client’s personal data and email it direct from LAWFUSION to the client. The user can log a record of the request and their email response. Reasonable measures to verify the identity of the person making the request are possible in LAWFUSION via the software’s ‘caller ID’ functionality which randomly selects two of five fields of verification data plus two characters of the client’s password assigned to contact records. The software also logs as evidence that reasonable measures have been taken to check the requester’s ID with details of the user, the date and the time.
THE RIGHT TO OBJECT
If you are processing information on behalf of an individual, they have the right to object to that processing.
If you process personal data for direct marketing purposes and someone objects you must stop processing personal data as soon as you receive an objection. There are no exemptions or grounds to refuse.
If you process personal data for the performance of a legal task or your organisation’s legitimate interests and an individual objects, you must stop processing their personal data unless:
- you can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; (e.g. if you’re holding a copy of their passport for anti-money laundering evidence and you need to hold it for a specific period of time).
- the processing is for the establishment, exercise or defence of legal claims.
You must inform people of their right to object “at the point of first communication” and in your privacy notice. This must be “explicitly brought to their attention and presented clearly and separately from any other information”.
HOW LAWFUSION CAN HELP WITH THE RIGHT TO OBJECT: In the ‘Requests’ management area of the LAWFUSION GDPR module, firms are able to log objections of this nature. They are logged with a date and time stamp, allocated to a member of staff for action. The ICO guidance does not give a timescale for handling objections, but it would seem sensible to adopt the same timescale attributed to the other rights listed under GDPR – which is one month (with the opportunity to extend if the request is particularly complex). It would be sensible to call the ICO’s hotline on this if you are at all concerned about the timescale for handling objections – 0303 123 1113. Whatever you decide the software can handle a deadline and can be set up to remind users to action objections and escalate overdue objections to managers, if required. Identity verification is a must for objections and LAWFUSION accommodates this via its Caller ID functionality, which gives five identity verification fields plus password at contact record level, and randomly selects two out of 5 of the fields and 2 characters from the password so that the the user can be sure the the caller is who they say they are.
RIGHTS RELATED TO AUTOMATED DECISION MAKING & PROFILING
In this digital age there is a lot of automated processing of personal data going on behind the scenes that people might not be fully aware of. There are tools that trawl our use of social media and other websites and create datasets detailing our online behaviour for analysis. This kind of automatic processing could determine facts about our economic situation, our health and our personal preferences, even our location and movements in some cases. This kind of processing under GDPR is referred to as ‘automated decision making’ and ‘profiling’.
If your firm uses any of these automated processing tools, it must not, under GDPR involve the personal data of children. For adults the law firm must ensure that the people they are profiling can obtain human intervention, express their point of view and obtain an explanation of the automated decision and be able to challenge it.
HOW LAWFUSION CAN HELP WITH THE RIGHTS RELATED TO AUTOMATED DECISION MAKING & PROFILING: Once the identity of the person has been verified (via LAWFUSION’s five verification fields and contact level password) queries or requests to stop automated decision making and profiling can be recorded in the GDPR module under requests and managed there to ensure they are actioned within the timescale you set. Again reasonable measures must be taken to verify the identity of the person making the request. Users can do this by using the LAWFUSION Caller ID feature.
Carry Out A ‘Personal Data Audit’
It is never easy eating an elephant the size of GDPR. An audit will enable you to break your GDPR compliance task down into bite-sized chunks.
Your GDPR Champion(s) is / are the ideal people to be tasked with identifying what personal data the firm holds by way of a detailed audit.. As well as looking across the various legal departments in your Practice, they should also involve HR, IT and Marketing. I suggest they consider the following:
- Exactly what is held that constitutes personal data?
- Exactly what is held that constitutes special category personal data?
- How is that data collected?
- Do you have consent for processing it?
- Does the way you acquired that consent comply with GDPR?
- Where is it held and how secure is it?
- Do you have robust data security measures in place to prevent data breach?
- How long will you hold it?
- Is there is a legal requirement with specific timescale for holding it?
- Is it shared with third parties?
- How does the firm use / process this personal data?
- Is all personal data collected by the firm actually necessary?
This is not an exhaustive list, but it provides a good starting point for your data protection champion(s).
Data security is probably the most important aspect of your ‘personal data audit’ due to the highly sensitive nature of the data law firms hold and share on behalf of their clients, and the growing prevalence of cybercrime.
Information security breaches may cause real harm and distress to the individuals they affect. Lives may even be put at risk because of a data breach. Examples a law firm should consider in terms of the harm that could occur as a result of the loss or abuse of personal data are:
- fake credit card transactions
- witnesses at risk of physical harm or intimidation
- exposure of the addresses of service personnel, police and prison officers,
- exposure of the whereabouts of women at risk of domestic violence
- mortgage fraud
Select Legal Systems Limited is ISO 27001 security certified at company level and our datacentre for LAWFUSION Direct (our cloud option for law firms) is also ISO 27001 certified, so you can rest assured that your software partner follows absolute best practice for information security.
Give Extra Consideration For Children
You should start thinking now about whether you need to put systems in place to verify individuals’ ages in terms of GDPR. For the first time the law will bring in special protection for children’s personal data, particularly in the context of commercial internet services. GDPR states the age when a child can give consent to processing is 16 (although there is some discussion about this being lowered to 13 in the UK). If you hold contact records for children on your database for family law purposes, or any other reason, you ought to have a way of recording dates of birth, so you can keep abreast of their ages as time moves on. To process a child’s personal data, for whatever reason, is allowed under GDPR if consent is obtained from a parent or guardian of the child on their behalf. Of course you have to record evidence that you are complying with this.
HOW LAWFUSION CAN HELP YOU PROTECT CHILDREN’S PERSONAL DATA: LAWFUSION provides functionality to record dates of birth of contacts recorded on the database and can restrict processing according to age.
Review Any Arrangements You Have With Third Parties
Review your arrangements with all third parties with whom you share your personal data, whether it’s your clients or your employees or the personal data of other relevant parties. Your trusted business associates with whom you are sharing personal data should be part of your GDPR plans. Establish whether you are playing the role of ‘data controller’ or the ‘data processor’ within these arrangements and identify your obligations under GDPR when sharing data. You need to know what they are doing in terms of GDPR that will affect your data protection policy. You also need to know if there is anything they can do to help you and vice versa.
This could be witnesses, financial institutions, estate agents, the courts, the police, health professionals, etc. – or any third party to which the firm needs to transfer personal data to enable it to deliver legal services to its clients.
HOW LAWFUSION CAN HELP YOU MANAGE THIRD PARTY ARRANGEMENTS: Within the GDPR module in LAWFUSION you can store any GDPR agreements you come to with your third parties and store and retrieve them from the GDPR documents area of the system.
Decide On Which Lawful Basis You Are Going To Process Personal Data
Once the law firm senior management and your data protection champions have digested and understood the key facts about GDPR, you will be ready to start making some key decisions on how best to process the personal data you hold currently and also how you are going to continue to collect and process personal data in the future.
There has been a lot of hype about ‘Consent’ with regards to GDPR, which is just one of the lawful grounds under the new regulation upon which you will be allowed to process personal data. Indeed the subject of GDPR consent is a complex and daunting area. The ICO’s guidance document on consent reflects this, at 39 pages in length.
‘Consent’ as a data protection concept already exists under the DPA, it is about gaining consent or permission to process a person’s personal data, sometimes referred to as ‘opt-in’ when people opt-in to receiving your marketing material. Organisations collect consent via a variety of means e.g. check boxes on paper or online forms, via emails and other correspondence and so on.
GDPR sets a higher standard for consent and it’s not just about marketing. The biggest change is what this means in terms of your ‘consent mechanisms’. Law firms will need clear and more granular opt-in methods, good records of consent, and simple easy-to-access ways for people to withdraw consent. The changes reflect a more dynamic idea of consent: consent as an organic, ongoing and actively managed choice, and not simply a one-off compliance box to tick and file away.
GDPR insists that consent must be freely given, specific, informed, and there must be an indication signifying agreement. The indication must be unambiguous and involve a clear affirmative action.
There is much to read on this subject – the ICO Guidance document on consent is the best place to start. The ICO issued their guidance document on consent in March 2017 and a revised version is due out December 2017.
However, ‘consent’ is not the only way forward for law firms preparing to comply with GDPR. There are 5 other legitimate grounds for processing personal data under the new law:
- Contract – i.e. if you have a contract with the data subject.
- Legal Obligation – i.e for compliance with a legal obligation.
- Vital interests – i.e. you can process the personal data if it’s necessary to protect someone’s life.
- Public task – i.e. for public interest.
- Legitimate interests: if you have a genuine and legitimate reason for processing an individual’s personal data (including commercial gain).
Legitimate Interests is an interesting one especially for law firm marketers, as according to the ICO private sector organisations are able to consider the ‘legitimate interests’ basis if they find it hard to meet the standard for consent and no other specific basis applies. The ICO states that the law recognises that you may have good reason to process someone’s personal data without their consent (including for commercial gain) but you must ensure there is no unwarranted impact on them, and that you are still fair, transparent and accountable.
The jury is still out on ‘Legitimate Interests’. At the time of writing this white paper, Legitimate Interests is still being debated at Government level. The ICO have said they will provide further guidance on ‘Legitimate Interests’ in the New Year (in 2018). We have spoken to the ICO helpline about it and was told that consensus of opinion at the ICO is that legitimate interests will be the way to go for many UK businesses, especially with regard to processing personal data for marketing purposes. Bearing in mind under current legislation law firms would need consent for email or text marketing to consumers, sole practitioners and some partnerships. It is not yet clear whether legitimate interests will span all of these data subject types.
There is guidance about legitimate interests under the current law on the ICO website and from the Article 29 Working Party.
Under the DPA and in particular the related legislation the Privacy & Electronic Communications regulation there was a perceived distinction in practice between B2C (business to consumer) marketing and B2B (business to business) marketing. For B2C marketing law firms and all other organisations would have already had to have ‘consent’ anyway for email and text marketing. However, under B2B as long as the law firm gave a clear and easy-to-use ‘opt-out’ clause they would have been OK to market via email or text without consent to corporate targets.
Under the DPA many organisations have tended to take a tick in the ‘marketing’ box as overarching consent for ALL marketing for both B2C and B2B. This will not be allowed under GDPR.
- An indication of consent must be unambiguous and involve a clear affirmative action.
- Consent should be separate from other terms and conditions.
- It should not generally be a precondition of signing up to a service.
- GDPR specifically bans pre-ticked opt-in boxes.
- It requires granular consent for distinct processing operations.
- You must keep clear records to demonstrate consent.
- The GDPR gives a specific right to withdraw consent.
- You need to tell people about their right to withdraw, and offer them easy ways to withdraw consent at any time.
- You need to review existing consents and your consent mechanisms to check they meet the GDPR standard. If they do, there is no need to obtain fresh consent.
HOW CAN LAWFUSION HELP WITH MANAGING YOUR CHOSEN LEGITIMATE GROUNDS FOR PROCESSING DATA: Whichever of the six GDPR grounds you decide upon you will have the means within LAWFUSION to record this. For instance for the personal data belonging to your employees and clients – you may decide the grounds of ‘A Contract’ will be your choice for processing it. You can log this on your LAWFUSION database against each contact and you will have the functionality to apply this in bulk to a whole list and filter on this for processing purposes afterwards. However, when it comes to carrying out direct marketing to prospective, new, consumer clients on the other hand you may opt for processing on the grounds of ‘consent’. Under GDPR you need to have evidence that the consumer has consented to this kind of processing. In LAWFUSION you will be able to record not only their affirmed consent via a check-box, but you will also be able to save a copy of the electronic / or scanned in form, email or letter against the consent box as evidence.
LAWFUSION also provides similar functionality to manage opt-outs (i.e. when people decline or withdraw consent).
Understand What Is Expected Of You When There Is A Personal Data Breach
There are new rules under GDPR regarding personal data breaches. A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Under GDPR a law firm, or any organisation, would have to notify the relevant supervisory authority, within 72 hours of them becoming aware of a loss of customer details where the breach leaves individuals open to identity theft. On the other hand, the loss or inappropriate alteration of a staff telephone list, for example, would not meet this threshold.
Failing to notify a breach when required to do so can result in a significant fine, up to 10 million Euros or 2 per cent of your global turnover.
HOW LAWFUSION CAN HELP YOU MANAGE A DATA BREACH: There is a logging tool for breach notifications in the LAWFUSION GDPR module where you can record any breach instances and how they were reported, who by and who to, and how they were managed and rectified.
Get To Grips With Data Protection Impact Assessments (DPIAs)
Data Protection Impact Assessments (also known as Privacy Impact Assessments) are based on the well- documented concept of ‘Privacy by design’. Privacy By Design is an approach to projects that promotes privacy and data protection compliance from the start, rather than bolting on solutions to issues as an after-thought or ignoring them altogether.
Although this approach is not a requirement of the Data Protection Act (DPA) GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’. It also makes DPIAs – mandatory in certain circumstances.
A DPIA is required in situations where data processing is likely to result in high risk to individuals, for example where a new technology is being deployed; where a profiling operation is likely to significantly affect individuals; or where there is processing on a large scale of the special categories of data.
If a DPIA indicates that the data processing is high risk, and you cannot sufficiently address those risks, you will be required to consult the ICO to seek its opinion as to whether the processing operation complies with the GDPR. You should therefore start to assess the situations where it will be necessary to conduct a DPIA.
HOW LAWFUSION HELPS WITH DATA PROTECTION IMPACT ASSESSMENTS: Law firms can store their DPIAs and results in the document area of the LAWFUSION GDPR Module which provides version control.
International Law Firms Should Determine Their Lead Data Protection Supervisory Authority
If you operate in more than one EU member state, you should determine your lead data protection supervisory authority, document it and make sure your Data Protection Officers are aware of it and what it does.
When a law firm operates in more than one EU member state, the lead authority is the one in the state where your main establishment is. Your main establishment is the location where your central administration in the EU is, or else the location where decisions about the purposes and means of processing are taken and implemented. This is only relevant where you carry out cross-border processing. The ICO provides this link to further guidance on this topic.
Policies, Procedures & Training
Only at this stage once you have understood the new rights of individuals, carried out your audit and made your key data privacy decisions can you begin to update your procedures and policy documents.
Once you are happy with your new policies and procedures you need to train your staff on what’s expected of them in terms of GDPR compliance.
You should also include a section on GDPR in your induction material and training.
HOW LAWFUSION CAN HELP WITH MANAGING GDPR POLICIES, PROCEDURES & TRAINING: You can record all of this in the document area in the LAWFUSION GDPR Module.
Communicate With Your Market Via A Clear Privacy Notice
You need to have all your GDPR ducks in a row by 25 May 2018 so that you can tell the world how you collect, process and hold personal data on behalf of your clients in order to provide legal services.
The best way to do this is via your website with a specific page entitled “Our Privacy Notice” or “Our Data Protection Policy” and lay out, very clearly, exactly how you manage personal data. You should also include your Privacy Notice or Data Protection Policy with any contracts you issue. Consider providing them at client care letter stage too when you sign up a new client and ensure you notify them if you change it.
GDPR includes rules on giving privacy information to data subjects that are more detailed and specific than in the current Data Protection Act. It places emphasis on making privacy notices understandable and accessible. Data controllers are expected to take ‘appropriate measures’ to ensure the information you provide to people on how you process their personal data must be concise, transparent and intelligible and easily accessible. It stipulates that it must be written in clear and plain language.
There is more guidance via this link on ‘getting your privacy notice right’ from the ICO.
HOW LAWFUSION HELPS YOU MANAGE YOUR PRIVACY NOTICE: In LAWFUSION of course you can record your privacy notice in the documents area of the GDPR module and the software provides full version control.
Preparing for GDPR could easily become a major distraction for your law firm and get in the way of running your business and practising law. Try to put it into perspective for yourself and your staff. Chances are as a reputable law firm you have probably been doing most of it already under the DPA.
As long as you take data protection seriously, consider the principles of the new act when processing personal data and document what you are doing you will be well on your way to compliance.
Use the ICO – that’s what the organisation is there for – 0303 123 1113 / www.ico.org.uk
A good software partner should be doing all they can to help you comply with any new legislation that affects your business. We will launch our brand new GDPR Module next year, as part of our comprehensive LAWFUSION Legal Practice Management Suite of software for law firms.
If you would like more information about the new GDPR Module or any aspect of LAWFUSION – please contact us during office hours on 01482 567601 or online at any other time.
If you would like more information about the new GDPR Module or any aspect of LAWFUSION – we are looking forward to your call on 01482 567601 during office hours, or via our online form here at any other time.