How can law firms remain compliant with GDPR?
By Fran Finch
24 Oct 2019
The General Data Protection Regulation (GDPR) came into force on 25 May 2018. Complying with the legislation has been an expensive exercise for many businesses, with 40% of multinational companies spending more than $10 million (£8 million) on preparations.
However, a TrustArc survey published one month after GDPR came into force showed a fifth of organisations did not believe they were compliant. Worse still, 7% said they were unlikely to be compliant by the end of 2019. Cisco research echoed these results, with 9% of respondents stating in January that they weren't fully following the new rules and it would take longer than 12 months to be compliant.
In this article we'll explore the importance of avoiding the regulator's wrath on GDPR, as well as the best ways to stay compliant.
Why does GDPR compliance matter for law firms?
- GDPR breaches come with a hefty punishment. The worst offenders could receive a fine of up to €20 million or 4% of global annual turnover, whichever is higher. Prior to the regulation's introduction, the Information Commissioner's Office (ICO) could only impose a maximum fine of £500,000.
- A staggering 59,000 personal data breaches were notified to European regulators within GDPR's first 8 months, and the ICO has already announced its intention to hand out sizeable fines to some of the country's biggest companies.
- In July 2019 the ICO issued notices of its intention to fine British Airways £183 million and Marriott International £99 million for contravening the regulation.
What does this mean for law firms? Well, DLA Piper was the UK's top law firm in terms of revenue in 2018, generating nearly £1.8 billion. If the organisation were to suffer the most serious type of data breach, a fine of 4% of that turnover would come to roughly £72 million.
This is just an example, but the financial ramifications are clear. A regulatory breach would also lead to bad PR for law firms, particularly those that provide GDPR or other data compliance legal services. How can clients trust GDPR advice from a law firm that falls foul of regulators itself?
Ensuring GDPR compliance for law firms
Law firms store a huge amount of sensitive data. The level of legal privilege and confidentiality expected between lawyers and their clients makes breaches especially damaging. Law firms must therefore concentrate on both achieving and maintaining compliance; the implementation deadline may have passed, but even firms that believe they are currently compliant must ensure their processes remain fit for purpose.
Here is our guide to remaining compliant with GDPR in 5 simple steps:
- Appoint a Data Protection Officer
Data Protection Officers (DPOs) are mandatory for some organisations, including public authorities and businesses whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special category data. However, most firms can benefit from appointing a DPO even where they are not required to.
These experts will help monitor internal compliance, as well as inform and advise firms about their data protection obligations. They also often act as a crucial point of contact between the business and data subjects or supervisory authorities.
- Provide GDPR training and raise awareness
Senior decision-makers at law firms should be aware of GDPR's impact, but it's important to ensure every staff member is familiar with their obligations and understands data-handling best practice.
Ongoing training and development help people refresh their memory, while offering law firms the opportunity to raise awareness of any GDPR updates that have recently occurred. Training should focus on key areas such as data subject access requests (SARs), consent and what types of information staff are permitted to process.
- Review and document data-handling processes
Many law firms conducted a full information audit prior to the GDPR deadline to understand what data they held, where it was located and how it was being used. But this is not a 'one and done' process - firms must continually audit their data to provide assurance that compliance efforts are working, while identifying any new or emerging risks.
Following an audit, law firms should review and amend any policies and procedures accordingly. This may involve updating privacy notices or conducting Data Protection Impact Assessments (DPIAs) where the processing is likely to pose a high risk to individuals.
- Strengthen cyber security measures
Some of the world's largest data breaches have occurred when cyber criminals have hacked into a business's IT systems. All 3 billion of Yahoo's accounts were compromised in a 2013 cyber-attack, while up to 500 million guests had their personal details exposed in 2018 when Marriott International's security failings were exploited.
Law firms must put in place the right technology (access controls and multi-factor authentication, encryption of client data at rest and in transit, prompt patching and tested backups); train staff to recognise malware, phishing and other common cyber-crime tactics; create the right culture regarding cyber security; and seek insurance policies that cover worst-case scenarios.
- Ensure external data processors are also compliant
A law firm is typically a data controller, but external organisations often have access to and process various pieces of information on the business's behalf. These providers are called data processors and may include companies such as legal content marketing suppliers or third-party technology vendors.
Under GDPR, data processors carry direct obligations of their own, and a controller may only use processors that provide sufficient guarantees of compliance, under a written contract setting out the terms required by Article 28. Where a controller and its processors are involved in the same processing and responsible for harm to individuals, each can be held liable for the full damage. Law firms should therefore carefully review all of the data processors within their supply network, ensure compliant contracts are in place, and gain assurances they are fully compliant with the regulation.
Why you should take a proactive approach to GDPR
- GDPR is here to stay, and regulators have already shown they are taking the regulation seriously. Law firms should therefore take proactive steps to ensure the information they hold is appropriately handled, stored and protected.
- A comprehensive compliance strategy is required, which should include investing sufficient time, money and resources into the right staff, technology, processes and training.
- No firm is ever invulnerable to breaches, but best-practice approaches can mitigate the chances of a data disaster.
How we can help
At BeUniqueness, we have a deep understanding of the legal industry and the challenges firms face with GDPR. Our digital marketing services are fully compliant with the regulation and we pride ourselves on keeping up to date with the latest regulatory developments, to ensure we remain in line with new or revised data laws.