GDPR: the new “millennium bug” for law firms?

GDPR: four letters that have given senior partners in law firms sleepless nights. But it need not be like this if a measured approach is taken towards planning for GDPR compliance.

As countless articles published over the last eighteen months have highlighted, GDPR, the General Data Protection Regulation, is the new force to be reckoned with. It promises to transform data protection from an issue that is ordinarily the exclusive preserve of law firm IT departments (and risk and compliance professionals, for those law firms that have appointed them) into one which senior partners – much to their dismay – must address at the board room table. For the first time, data protection is not something that can be ignored until the annual Information Commissioner’s registration drops through the letterbox (that is, for those law firms that are registered – and not all are) and then forgotten about until the following year. It must, for the first time, assume a place higher up partners’ meeting agendas than ever before. With less than 6 months to go until the GDPR is applicable in the UK, the time really is now for law firms to embark on the compliance journey.

Law firms must view the GDPR as an opportunity, rather than a burden. It is an opportunity to demonstrate a willingness to comply with a law that clients will also have to contend with and on which they will increasingly ask their legal advisers for guidance as the deadline looms closer. A law firm that does not have its own house in order so far as the GDPR is concerned will instil little faith in its clients and will invariably be the victim of “do as I say, not as I do” – an approach that is unlikely to curry favour amongst clients.

The GDPR will also be the new gold standard by which law firms will be measured by their clients. It is already the case that clients, particularly in the public sector, are asking law firms at the pre-appointment or procurement stage as to whether they are, or intend to attain, ISO 27001 accreditation. GDPR compliance is inextricably linked to this, and prospective (and perhaps even current) clients will want – indeed demand – their legal advisers to be able to evidence their GDPR compliance. A law firm that appears empty handed in response to these requests will inevitably lose actual and prospective business, an undesirable outcome during these tough times for the profession.

What should law firms do to prepare for the GDPR?

There is no “one size fits all” approach to developing a GDPR action plan, and much depends on the size and complexity of the law firm in question, but the following steps are universally applicable in getting a law firm GDPR ready for 25 May 2018.

(1) Data mapping

The first step is to complete a data mapping exercise, which is essentially a stock take of all the personal data that a law firm holds. This exercise can be undertaken on either a systems or process basis.

The systems approach involves auditing the client, finance, HR and other document management systems in place at a law firm and determining what personal data is captured and retained within them and for what purposes.

On the other hand, the process approach examines the individual functional areas within a law firm and their respective data processing activities.

The result of either approach will be broadly similar, but experience would suggest that the second is more suited to a smaller legal practice, while the first is particularly effective for a larger practice with more complex document management systems.

(2) Data minimisation

Once a law firm has a map of the personal data that it holds, the GDPR offers a prime opportunity to do some spring cleaning by minimising the personal data held.

The GDPR requires that law firms only hold adequate and relevant personal data, which is limited to strictly what is necessary for the purposes for which it is held. Subject to Law Society and legal requirements, law firms should cleanse the personal data that they hold, both within the office and in archive facilities, and only keep what is necessary. This is usually the most time-consuming part of the compliance process, but it can also give rise to significant savings in freeing up costly office and archive space.

(3) Data retention

The third step in the compliance process is to implement a data retention policy, which sets out for how long the law firm will keep its newly mapped and freshly cleansed personal data.

This will involve a degree of research in terms of identifying any applicable legal requirements and determining how long personal data should be retained for. Unfortunately, there is no magic formula here, and it is rare that a statute will specify a fixed retention period that can neatly be “copied and pasted” into the policy.

In the absence of statutory requirements, law firms should determine the retention period based on business need and note that this is the basis of the period within the policy.

(4) Legal basis

While data protection law has always required law firms to find a legal basis for their personal data processing activities, the GDPR places an added emphasis on this, particularly since law firms will need to publicise the legal bases on which they rely within their transparency statements.

Careful consideration is required here, and a law firm should not automatically assume that it has a legitimate interest in processing the client, supplier and employee personal data that it holds, just because that personal data is necessary for business purposes. Consent, contract and legal requirements to which the firm is subject are also relevant legal bases and should not be accorded secondary status.

(5) Data security

Data security is a significant issue for law firms. The types of data security incidents concerning law firms reported to the Information Commissioner range from the loss of personal data in paper format through to personal data being sent by e-mail, post or fax to the incorrect recipient. Cyber attacks are also an emerging risk.

The existing law does not require law firms to report such incidents to the Information Commissioner, although the GDPR will require reporting in certain circumstances and within relatively tight timescales. Law firms are best advised to use the opportunity presented by the GDPR to review and update their data security measures – both physical and electronic – to mitigate the risk of the occurrence of an incident in the first place. The necessary impetus to undertake this review is provided by the fact that some of the highest fines under the GDPR are linked to data security failures.

(6) Training

The importance of staff training cannot be underestimated. It is, after all, people, and not machines, who are to blame for data protection breaches, although the “innocent” machine is often wrongly accused!

GDPR training can be rolled out at both the beginning and at the end of the GDPR compliance journey. The training at the start should focus on the GDPR generally and the steps that the law firm will take towards compliance over the coming months. The compliance action plan could be shared with staff to help build expectations.

The training at the end could highlight the progress that the law firm has made towards compliance, the policies that it has put into place (including changes to the terms of service) and deal with specific aspects of the GDPR that are relevant to individual roles within the firm. The data protection issues which a law firm’s HR department will have to deal with will invariably be different to those relevant to the finance or IT departments. In my experience, the more bespoke the training, the more likely it is that staff will understand and be motivated to comply with the rules.

The new “millennium bug”?

The GDPR is not the new millennium bug for law firms. Solicitors will not wake on 25 May 2018 to find that the world is a changed place and discover that they are hindered in their business because of the GDPR.

At the same time, however, unlike like the notorious millennium bug, the GDPR threat is not an empty one. The GDPR is very much here to stay and it will not go away, even post-Brexit – see the European Union (Withdrawal) Bill, which will conclude its House of Commons’ Committee stage before the festive break.

My advice to the profession is this: tackle the GDPR head on, put the necessary compliance measures in place and set a good example for clients, who will undoubtedly be expecting more from their legal advisers than they have hitherto when it comes to data protection.