A myth is a widely held but false belief, and it’s quickly becoming very apparent that the new General Data Protection Regulation (GDPR), which is due to come into force on 25th May 2018, is causing an absolute avalanche of myths.
As a quality software partner to hundreds of UK law firms, we have not only been researching and preparing for GDPR for our own organisation’s compliance for some time, but we have also been considering how it will affect our clients, and what we can do to help them with GDPR.
Back in November we published a white paper for law firms entitled “Do You Have All Your GDPR Ducks In A Row?” which explores what the legislation is all about, provides lots of useful links for further background reading for law firms, and pointers for managing compliance.
However, as time ticks on, more and more misinformation, misinterpretation and confusion have ensued. This has led to our decision to publish this list of the top 7 GDPR myths we believe law firms need to be aware of:
# Myth No. 1: GDPR is all about IT
This is the head-in-the-sand attitude some business leaders are adopting. There is no software system anywhere on the planet that is going to prepare your firm for GDPR. Every law firm needs to take full responsibility for carrying out appropriate diligence to ensure compliance. If you haven’t done it already, your starting point should be to carry out a detailed data audit and review all data processes, so that partners and law firm owners can be sure every possible measure is being taken to comply with the new legislation. It’s about the data you process via paper systems as well as data held and processed electronically. Our White Paper, “Do you have all your GDPR ducks in a row?”, will help.
Beware any technology partner peddling GDPR compliance. Software alone will not suffice.
At Select Legal Systems we are working on a few sensible tweaks to our LAWFUSION software that will help law firms manage their GDPR compliance, but all of our clients understand that the software itself is only a tool that will help make life easier. It is a very good tool, but it will not do the job for them.
# Myth No. 2: Brexit means GDPR doesn’t apply to UK law firms
This one couldn’t be more wrong!
Much of the lack of preparation we see is based on this myth, because many believe that our impending exit from the European Union somehow negates the need to prepare for GDPR. Some people assume that UK-based organisations will not have to abide by laws set in Brussels. This is not the case with GDPR. If an organisation, regardless of location, processes the personal data of individuals based in the EU, then it is bound by this mandate.
The ICO is the regulator responsible for enforcing GDPR in the UK and they say: “The General Data Protection Regulation (GDPR) is a new law that will replace the Data Protection Act 1998 and will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.”
The ICO website offers a large amount of good quality information and guidance notes that law firms will find useful on how to comply. They offer a helpline (0303 123 1113), online live chat and a specific advice service for organisations with fewer than 250 employees.
# Myth No. 3: Consent is the only way to go with GDPR
This statement is not true and is the cause of much confusion. People got hung up on consent (often referred to as ‘opt-in’) very early on in the two-year GDPR consultation period, and along with the big headlines about fines it is probably the GDPR topic that has had the most press coverage of all.
However, there are in fact five other grounds for legally processing personal data under GDPR:
• Contract – i.e. if you have a contract with the data subject.
• Compliance – i.e. for compliance with a legal obligation.
• Vital interests – i.e. you can process the personal data if it’s necessary to protect someone’s life.
• Public task – i.e. for a task in the public interest.
• Legitimate interests – i.e. if you have a genuine and legitimate reason for processing an individual’s personal data (including commercial gain).
Legitimate interests is an interesting one for law firm marketers. Currently PECR sets out the rules for marketing via phone, text and email. To replace PECR, marketers are waiting for the new e-privacy regulation, which will sit alongside GDPR, but the detail of this is still being debated at Government level. However, Elizabeth Denham, CEO of the Information Commissioner’s Office (ICO), the organisation responsible for enforcing GDPR in the UK, spoke at the Direct Marketing Association Conference in London on 28-2-18 and pointed out that a default for all consumer marketing to be opt-in is in the current draft.
That means electronic marketing in B2C (business to consumer marketing) will more than likely require consent (which is the case now anyway under current legislation). However, there is potential to use legitimate interests as a legal basis for processing in some circumstances, e.g. B2B (business to business marketing), but you must be confident that you can rely on it. The ICO has published guidance on Legitimate Interests, but has said it will publish further guidance shortly.
It is well documented that under GDPR consent is going to need to be clearer and less ambiguous than it is under current legislation. Until the e-privacy regulation comes into force, PECR will sit alongside the GDPR.
# Myth No. 4: The right to be forgotten is straightforward
There are eight rights for individuals under GDPR in terms of how organisations will be allowed to process their personal data. One of the eight is ‘the right to be forgotten’, sometimes referred to as ‘the right to erasure’.
It sounds straightforward enough. If a member of staff at your firm receives a request from a contact who wants to be forgotten, you would expect it to be as simple as the member of staff going ahead and deleting the record (or shredding the paper). However, if you don’t keep an audit trail of the fact that the contact has made the request and that the firm has fulfilled it, how can the law firm ensure that this contact’s personal data is not added back on to the system again in the future? An audit trail of the request for erasure and of the deletion of the personal data is required, and it should be readily available and accessible to any member of staff involved in adding new records to the system, so they can check before adding personal data in the future.
Also, there are a number of reasons why a law firm should not go ahead and delete a contact’s data simply because someone has requested it. For example, if the data is needed in order for the firm to comply with a legal obligation, or if it is required for the establishment, exercise or defence of legal claims, the firm may refuse. If the request is manifestly unfounded or excessive, the firm has every right to question it, or to charge for admin time. There are several other instances where the right to erasure does not apply, and they are explained here on the ICO’s website.
Lastly, there is the matter of identification. A request for erasing data can be received verbally or in writing. If you are not 100% sure of the identity of the person making the request ‘to be forgotten’, you need to use every reasonable measure to verify their identity before acting on it. This applies to any of the eight rights, all of which are listed here in our blog ‘Do you have your GDPR ducks in a row?’
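The erasure audit trail and the check-before-adding step described above can be implemented as a small register that sits beside the contact database. The following is an added example written for this post; it is not LAWFUSION code or any real product, and the key, names and addresses in it are constructed. The register stores a keyed hash of each contact’s email address rather than the address itself, so that honouring an erasure request does not leave the personal data sitting in the register, and a request is only actioned once the staff member has marked the requester’s identity as verified.

```python
# Added illustration, not LAWFUSION or any real product: an erasure register that keeps an
# audit trail of "right to be forgotten" requests and lets staff check before re-adding a contact.
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

REGISTER_KEY = b"constructed-demo-key"  # constructed; a real system loads this from a secrets store


def contact_token(email: str) -> str:
    """Keyed hash of the normalised address: the register holds this token, not the address."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(REGISTER_KEY, normalised, hashlib.sha256).hexdigest()


@dataclass
class ErasureEntry:
    token: str
    requested_on: date
    logged_by: str            # staff member who received the request
    identity_verified: bool   # the request must not be actioned until this is True
    erased_on: Optional[date] = None
    erased_by: Optional[str] = None


class ErasureRegister:
    """Audit trail of erasure requests, keyed by contact token."""

    def __init__(self) -> None:
        self._entries: Dict[str, ErasureEntry] = {}

    def log_request(self, email: str, logged_by: str, identity_verified: bool) -> ErasureEntry:
        entry = ErasureEntry(contact_token(email), date.today(), logged_by, identity_verified)
        self._entries[entry.token] = entry
        return entry

    def get(self, email: str) -> Optional[ErasureEntry]:
        return self._entries.get(contact_token(email))

    def record_erasure(self, email: str, erased_by: str) -> None:
        entry = self._entries[contact_token(email)]
        entry.erased_on, entry.erased_by = date.today(), erased_by

    def is_suppressed(self, email: str) -> bool:
        """True if this contact was erased on request and must not be re-added."""
        entry = self.get(email)
        return entry is not None and entry.erased_on is not None

    def audit_trail(self) -> List[ErasureEntry]:
        return list(self._entries.values())


class ContactDatabase:
    """Minimal contact store whose add and erase operations consult the register."""

    def __init__(self, register: ErasureRegister) -> None:
        self.register = register
        self._contacts: Dict[str, str] = {}  # token -> name

    def add_contact(self, email: str, name: str) -> Tuple[bool, str]:
        if self.register.is_suppressed(email):
            return False, "contact previously erased on request; do not re-add"
        self._contacts[contact_token(email)] = name
        return True, "added"

    def erase_contact(self, email: str, erased_by: str) -> Tuple[bool, str]:
        entry = self.register.get(email)
        if entry is None:
            return False, "no logged request"
        if not entry.identity_verified:
            return False, "identity not verified; request not actioned"
        self._contacts.pop(contact_token(email), None)
        self.register.record_erasure(email, erased_by)
        return True, "erased"


def run_scenario() -> dict:
    """Constructed walk-through: verified erasure, attempted re-add, then an unverified request."""
    register = ErasureRegister()
    db = ContactDatabase(register)
    db.add_contact("Jane.Doe@example.com", "Jane Doe")
    register.log_request("jane.doe@example.com", logged_by="reception", identity_verified=True)
    erased, _ = db.erase_contact("jane.doe@example.com", erased_by="dpo")
    readded, _ = db.add_contact(" JANE.DOE@example.com", "Jane Doe")  # same person, different casing
    db.add_contact("john.smith@example.com", "John Smith")
    register.log_request("john.smith@example.com", logged_by="reception", identity_verified=False)
    unverified_erased, _ = db.erase_contact("john.smith@example.com", erased_by="dpo")
    return {
        "erased": erased,
        "readded": readded,
        "still_suppressed": register.is_suppressed("jane.doe@example.com"),
        "unverified_erased": unverified_erased,
        "audit_entries": len(register.audit_trail()),
    }
```

Running `run_scenario()` shows the two behaviours the section calls for: Jane’s verified request is actioned and a later attempt to re-add her (with different capitalisation) is refused, while John’s request is logged in the audit trail but not actioned because his identity has not been verified. Normalising and hashing the address is what makes the re-add check work across spelling variations without the register itself holding the address.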
# Myth No. 5: GDPR is mainly about targeting cybercrime
It’s true that cybercrime is a real threat to all businesses today, and to law firms probably more than most, due to the large sums of money they handle on behalf of clients in some areas of law.
It’s also true that the current data protection legislation (the Data Protection Act 1998) is 20 years out of date, as internet usage was nowhere near the levels it has reached today when it was brought into force.
It is true too that the malicious shenanigans of these so-called ‘hacktivists’ tend to dominate our news feeds with sensational data breach headlines such as “Law firms report record £3.2m cybercrime theft”, “Will the Conveyancing industry ever be free from fraud?” and “Uber says 2.7 million in UK were affected by security breach”.
Hence you would be forgiven for not knowing that, according to Ponemon Institute’s 2017 Cost of Data Breach Study, only 47% of data breaches were due to cybercrime attacks, and that the rest, more than half, were down to human error.
This means that the new policies and processes you put in place for your firm in order to comply with GDPR need to tackle this kind of unintentional mistake when processing the personal data necessary to run your business, not just external attacks.
# Myth No. 6: GDPR = massive fines
Although the Information Commissioner’s Office (ICO), the regulator for GDPR in the UK, will have the power to issue fines for non-compliance of up to £17 Million / €20 Million or 4% of global turnover, whichever is the greater, fines are not the only preventative measure in the ICO kitbag. The regulator also has the power to conduct audits, to order the suspension of processing, and to issue warnings, reprimands and corrective orders.
The ICO’s CEO, Elizabeth Denham, regularly stresses that the ICO is there to help and guide organisations with their GDPR compliance. They have no interest in putting firms out of business. In fact the ICO has a GDPR Helpline (0303 123 1113), and on 1 November 2017 they launched a dedicated GDPR service for enterprises with fewer than 250 employees.
# Myth No. 7: GDPR is all set in stone and ready to go
With the 25 May 2018 deadline imminent, you would think that the legislation was all settled and complete. However, this is a huge piece of legislation that affects all of us. It is the product of a two-year consultation period, and some aspects of the new regulation are still being debated at Government level.
Legitimate Interests is a good example of this: discussion continues, and new guidelines are expected soon.
The ICO’s ‘What’s New’ page is a good resource, as it points to all the new information and guidelines being added to the website on a monthly basis.