The new GDPR (General Data Protection Regulation) comes into force on 25 May 2018. It is the biggest shake-up in data protection legislation for 20 years and it will affect all businesses in all 28 EU member states, including, of course, law firms.
However, beware! Not everything you read about GDPR is true. There is misinformation out there. Some article writers, bloggers and conference speakers are latching onto a single aspect of the new legislation and taking it out of context. Some companies are seeing GDPR as a chance to scaremonger and sell on the back of it. And of course everyone is talking about the large fines for non-compliance, which can be up to £17 Million / €20 Million or 4% of global turnover, whichever is the greater.
Select Legal Systems Limited are recommending to their clients that they look to the ICO for accurate information. The ICO (Information Commissioner’s Office) is the UK’s regulator responsible for GDPR. Their CEO, Elizabeth Denham, has recently launched a series of myth-busting blogs to separate GDPR fact from GDPR fiction.
Ms Denham explains in her first blog that the ICO’s remit is guiding, advising and educating organisations about how to comply with the law, not about crippling businesses with massive financial punishment, and that fines are always a last resort.
The hype about consent is a good example of the kind of misleading information causing confusion. Elizabeth Denham’s blog “Consent is not the silver bullet of GDPR compliance” highlights how commentators are misrepresenting what ‘consent’ means under GDPR. Many are focusing on consent out of context and either not realising, or not reporting, that in fact it is only one way to comply with GDPR.
The ICO’s guidelines on consent (a draft consultation document, due for final publication Dec 2017) list 5 other lawful grounds for processing personal data under GDPR. They state that personal data can be processed without consent if it’s necessary for:
- A contract with the individual
- Compliance with a legal obligation
- Vital interests (necessary to protect someone’s life)
- A public task (in public interest)
- Legitimate interests
Legitimate interests is an interesting one for any private sector organisation, including law firms. The ICO Consent Guidelines say the following about “Legitimate Interests”: “If you are a private-sector organisation, you can process personal data without consent if you have a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests.”
The ICO insists GDPR is about greater transparency, enhanced rights for citizens and increased accountability and will build on current legislation – i.e. the Data Protection Act 1998 and the Privacy & Electronic Communications Regulations (PECR).
The ICO has a GDPR helpline: 01625 545 745. Select Legal’s Head of Marketing, Joanne Hunter, spoke to the helpline recently. She said, “When I asked for more clarity about legitimate interests I was told the regulation is still being debated at Government level, but the consensus of opinion at the ICO is that legitimate interests will be the way to go for many UK businesses, especially with regard to processing personal data for marketing purposes. Bearing in mind under current legislation law firms would need consent for email or text marketing to consumers, sole practitioners and some partnerships. It is not yet clear whether legitimate interests will span all of these data subject types.”
Elizabeth Denham, the ICO’s CEO, said the following about legitimate interests in a recent blog: “We recognise that organisations want more information about it. There is already guidance about legitimate interests under the current law on the ICO website and from the Article 29 Working Party. We’re working to publish guidance on it next year.”
Select Legal Systems Limited is a specialist provider of software for law firms. Their comprehensive practice management system, LAWFUSION, offers software modules covering every aspect of running a modern law firm today. Select Legal is working closely with law firms to understand their GDPR needs and taking steps to develop new functionality for LAWFUSION that will help firms comply. For more information please call LAWFUSION SALES on 01482 567601. For enquiries outside of normal office hours please take advantage of our online form.