GDPR: four letters that have given senior partners in law firms sleepless nights. But it need not be like this if a measured approach is taken towards planning for GDPR compliance.
As countless articles published over the last eighteen months have highlighted, GDPR, the General Data Protection Regulation, is the new force to be reckoned with. It promises to transform data protection from an issue that is ordinarily the exclusive preserve of law firm IT departments (and risk and compliance professionals, for those law firms that have appointed them) into one which senior partners – much to their dismay – must address at the board room table. For the first time, data protection is not something that can be ignored until the annual Information Commissioner’s registration drops through the letterbox (that is, for those law firms that are registered – and not all are) and then forgotten about until the following year. It must, for the first time, assume a place higher up partners’ meeting agendas than ever before. With less than 6 months to go until the GDPR is applicable in the UK, the time really is now for law firms to embark on the compliance journey.
Law firms must view the GDPR as an opportunity, rather than a burden. It is an opportunity to demonstrate a willingness to comply with a law that clients will also have to contend with and on which they will increasingly ask their legal advisers for guidance as the deadline looms closer. A law firm that does not have its own house in order so far as the GDPR is concerned will instil little faith in its clients and will invariably be the victim of “do as I say, not as I do” – an approach that is unlikely to curry favour amongst clients.
The GDPR will also be the new gold standard by which law firms will be measured by their clients. It is already the case that clients, particularly in the public sector, are asking law firms at the pre-appointment or procurement stage whether they hold, or intend to attain, ISO 27001 accreditation. GDPR compliance is inextricably linked to this, and prospective (and perhaps even current) clients will want – indeed demand – their legal advisers to be able to evidence their GDPR compliance. A law firm that appears empty-handed in response to these requests will inevitably lose actual and prospective business, an undesirable outcome during these tough times for the profession.
What should law firms do to prepare for the GDPR?
There is no “one size fits all” approach to developing a GDPR action plan, and much depends on the size and complexity of the law firm in question, but the following steps are universally applicable in getting a law firm GDPR ready for 25 May 2018.
(1) Data mapping
The first step is to complete a data mapping exercise, which is essentially a stocktake of all the personal data that a law firm holds. This exercise can be undertaken on either a systems basis or a process basis.
The systems approach involves auditing the client, finance, HR and other document management systems in place at a law firm and determining what personal data is captured and retained within them and for what purposes.
On the other hand, the process approach examines the individual functional areas within a law firm and their respective data processing activities.
The result of either approach will be broadly similar, but experience would suggest that the second is more suited to a smaller legal practice, while the first is particularly effective for a larger practice with more complex document management systems.
(2) Data minimisation
Once a law firm has a map of the personal data that it holds, the GDPR offers a prime opportunity to do some spring cleaning by minimising the personal data held.
The GDPR requires that law firms only hold adequate and relevant personal data, limited strictly to what is necessary for the purposes for which it is held. Subject to Law Society and legal requirements, law firms should cleanse the personal data that they hold, both within the office and in archive facilities, and only keep what is necessary. This is usually the most time-consuming part of the compliance process, but it can also give rise to significant savings by freeing up costly office and archive space.
(3) Data retention
The third step in the compliance process is to implement a data retention policy, which sets out for how long the law firm will keep its newly mapped and freshly cleansed personal data.
This will invo