Data protection for the 21st century: GDPR & Law Firms
In the first of our blogs on the General Data Protection Regulation (GDPR), Craig Matthews, CEO of Pracctice Ltd, says it’s vital that solicitors and other professionals ensure they are ready for the changes.
When GDPR becomes law on 25 May 2018, it will change the rules, regulations and business practices around data protection dramatically, so it’s vitally important that law firms, which often hold large quantities of sensitive personal data, are compliant with the new regulation.
What’s GDPR all about?
GDPR will impact all individuals and businesses that handle the personal data of EU citizens and there is more accountability than ever before. Law firms will need to show that they have consent for any data held; be able to state what it’s being used for; show how it is being protected; and explain why it is being stored.
The GDPR includes breach notification provisions, which apply to both “controllers” and “processors” of information. Firms will be obliged to report a breach of security that leads to the loss, destruction, alteration or unauthorised disclosure of personal data.
As controllers, firms are obliged to report any breaches – with certain exemptions – to the Information Commissioner’s Office (ICO) without delay, and always within 72 hours of becoming aware of the breach.
Fines for non-compliance
It’s vital that firms understand the consequences of non-compliance with the GDPR, which could lead to huge fines of up to £17m or 4% of global turnover, whichever is greater, for larger companies.
Firms shouldn’t be under the illusion that GDPR doesn’t affect them (and ignorance is no defence against the huge fines for failure to comply). The fact that Britain is leaving the EU makes no difference: GDPR will come into force on 25 May 2018, while the UK is still a member of the EU, and so it will become domestic law.
Implementing GDPR in your firm
Getting processes and procedures right will be just as important as choosing the right software package to implement them successfully. As a landmark data protection reform, GDPR can’t simply be handed to your firm’s IT team in the hope that they can “make you compliant”. Providing them with software designed specifically with privacy in mind, with functionality that helps you meet your regulatory requirements, is most certainly a step in the right direction. You may have to change your working practices to be compliant, so it’s important to have well-designed software in place that can add functionality seamlessly, without affecting your use of the application or disrupting your business.
If we consider the true purpose of GDPR – to protect an individual’s data – then by applying good business practices and having the right software that’s fit for purpose, you are not only compliant with GDPR but also protecting your business for the future.
Given the increased level of liability and the specific contractual requirements under GDPR, it’s vitally important that your firm reviews its current supplier agreements to ensure they are compliant with GDPR.
Craig Matthews is CEO of Pracctice Ltd, developers and suppliers of Osprey Approach, a truly integrated, practice management solution. Today, over 800 law firms, and in excess of 8,000 individual users, use Osprey on a daily basis.