Meaning of GDPR?

Jaysen

Founder, TCLA
Feb 17, 2018
    OK, here's a brief introduction to the GDPR. Part 2 will focus on how it will impact law firms and their clients.


    The impact of the GDPR on businesses and law firms - Part 1
    What is it?

    The General Data Protection Regulation or "GDPR" is an EU-wide regulation which regulates the processing of personal data. It's the biggest change to EU data protection law in decades and aims to harmonise the rules on data protection and security between member states.

    When is it happening?

    25 May 2018

    Who does it apply to?

    The GDPR applies to any EU-based organisation that controls and/or processes data. It also applies to organisations outside the EU, if they offer goods and services to, or monitor the behaviour of, EU citizens.

    These organisations are called data controllers and data processors.

    What's the difference between a controller and a processor?

    A data controller determines why and how personal data is processed. A data processor processes personal data on behalf of the data controller.

    For example, imagine MyStock is a company that sells stock photos to consumers. MyStock decides that it wants to track its website visitors. It hires Analytica, a website analytics company that tracks how users interact with websites. Here, MyStock is the data controller and Analytica is the data processor.

    Why does this distinction matter?

    The GDPR imposes different obligations on data controllers and data processors.

    Data controllers should only hire data processors that prove to operate in compliance with the GDPR. They should also draw up a written contract in line with the GDPR requirements.

    Data processors must implement measures to keep personal data secure, notify controllers of a data breach and maintain records of personal data and processing activities.

    This is the first time that direct obligations are placed on data processors on an EU-wide level.

    Data breaches

    Under the GDPR, all organisations have to notify regulators 72 hours after they discover a data breach. They may also have to inform individuals if there’s a high risk that the breach adversely affects their rights and freedoms.

    Users also get rights under the GDPR:
    • The right to be informed about how personal data is collected and used.
    • The right to privacy information – the purpose for processing personal data, retention periods, and who it will be shared with.
    • The right to access personal data (users can submit a subject access request and find out what data a business has on them).
    • The right to have inaccurate personal data rectified.
    • The right to have personal data erased (the right to be forgotten).
    • The right to object to the processing of personal data.
    And more…

    What happens if you don’t comply?

    There are two tiers of fines depending on the breach. The lower tier is a fine up to €10m or 2% of annual turnover. The second is a fine of €20m or up to 4% of annual turnover.

    Much of the current fuss surrounding the GDPR is based on the increase in fines. Currently, the total fine in the UK is up to £500,000 (under the Data Protection Act).

    Who will be enforcing the GDPR in the UK?

    The Information Commissioner’s Office (ICO).

    What should companies do to prepare?
    • Determine whether they are a data processor or data controller.
    • Review how they use data, on what basis, and record these justifications.
    • Review their privacy policies and sign up forms.
    • Determine whether they need to ask existing customers for consent.
    • Put in place procedures to respond to a subject access request.
    • If they are outside the EU, appoint a representative inside the EU as a contact person.
    • Implement breach detection, investigation and reporting procedures, and keep a record of any breaches.
    • Bigger companies may need to hire consultants, implement training for staff and a review of their processes - estimates suggest the Fortune 500 will spend a combined sum of $7.8bn to comply.
    • Encrypt sensitive data.
    • Public authorities and certain companies that handle a lot of data will need to appoint a Data Protection Officer to advise the company on its obligations and monitor compliance.

Jaysen

Feb 17, 2018
    The impact of the GDPR on businesses and law firms - Part 2

    So now that it's in force, let's take a look at the impact of the GDPR on law firms.

    Does the GDPR apply to law firms?

    Yes. Law firms control and process lots of personal data. All law firms that operate in the EU, and international law firms that process the data of EU citizens, will be subject to the GDPR. So all of the law firms for our purposes.

    Wait, but what about Brexit?

    The UK has proposed a new Data Protection Bill to come in after Brexit. The bill will update UK laws to broadly mirror the GDPR.

    But what personal data do the law firms process?

    Law firms control and process large volumes of names, contact details, occupational information, IDs, IP addresses, HR records, documents and company-sensitive information. These may relate to past, current or prospective clients, law firms, employees, suppliers and any parties to a transaction. If any of this information can be used to identify a particular person, then it's personal data and regulated under the GDPR.

    So what should law firms do to comply with the GDPR?

    1. Review existing data

    Law firms should carry out a detailed audit of their data, identify the personal data and ask themselves - is the way they acquired that data compliant with the GDPR? If not, they'll need to take the appropriate steps to comply or they won't be able to use it anymore.

    For example, let's say it's March 2018, a law firm publishes a report titled 'Real Estate Updates for 2018' on its website. Company X, an investment firm, tries to download the report. To download the report, the website asks Company X to enter its contact details into a form. The form includes a pre-ticked box which says 'You opt-in to receive marketing materials from our law firm'.

    Fast forward to May 2018. The law firm reviews the GDPR and learns that pre-ticked opt-in boxes don't constitute valid consent under the regulation. So, to comply with the GDPR at the end of the month, the law firm will need to ask Company X whether it wants to opt in. If it doesn't, it'll have to remove Company X's contact details.

    2. Update terms and records

    Law firms will need to update any relevant data notices, contracts and statements to explain, among other things, what data they hold, why it's held and how it's held. This could include privacy policies or employee contracts.

    Law firms will need to keep a record of how they collect and use personal data, and on what basis. This should be clearly documented in case individuals or regulators ask to see the information.

    Note that under the GDPR, law firms can rely on grounds other than consent to justify their use of personal data. That's important because it would be costly and difficult if lawyers were required to get permission for all the personal data they process. For example, the GDPR allows personal data to be processed if it's necessary for a contract or if it's required by law.

    3. Train staff

    Lawyers deal with a variety of personal data including emails, precedents and contracts every day. If they breach the GDPR, their law firm could be held responsible. Therefore, law firms will need to train staff to make sure they act in compliance with the regulation.

    4. Improve security

    A number of law firms have faced data or security breaches over the years. If this happens under the GDPR, law firms could be sanctioned. To avoid this happening, they should check with their IT teams that their security systems are up to date. They should also train staff and have a procedure in place to handle a data breach. If there is one, they'll need to notify the relevant regulator (the Information Commissioner's Office in the UK) within 72 hours.

    5. Appoint a Data Protection Officer

    Most law firms will need to appoint a Data Protection Officer under the GDPR. Even if they aren't required to do so (perhaps they're a small specialist firm), they should still appoint someone to be responsible for GDPR compliance.

    6. Prepare for individual requests

    Under the GDPR, individuals have the right to see what personal data is held on them. Law firms should make sure they have a system in place to process and produce this information. For example, they should document employee data in an accessible and portable format, so it can be easily transferred if the employee changes law firm.

    Individuals have other rights too, such as the right to have their personal data removed or corrected. Again, this comes down to the law firm building a good system to document and organise personal data.

    In some circumstances, law firms may be able to refuse these requests if there's a compelling reason to do so, for example, if it's necessary to keep the data for a legal action. Alternatively, law firms may be able to pseudonymise the data, so it's no longer identifiable.

    7. Consider all departments and third-parties

    It's important to remember that the GDPR applies to all sorts of personal data at a law firm, not just client data. HR teams will have new responsibilities for how they collect, use and store employee data, and they should inform employees of their new rights. The same goes for IT and tech teams. In fact, law firms may need to undertake Data Protection Impact Assessments (DPIAs) if they introduce a new technology to the workplace. These risk assessments are designed to help law firms minimise the data protection risks of a new project.

    In some instances, law firms will rely on third parties to process data on their behalf, for example when a law firm instructs a barrister in a litigation dispute. If the barrister processes personal data on behalf of the law firm, then the law firm may be required to update its contracts or introduce new agreements to make sure they are GDPR compliant.
