Tips for GDPR compliance for law firms
When the General Data Protection Regulation (GDPR) came into effect over two years ago, the rules, regulations and business practices around data protection changed dramatically. It remains vitally important that law firms, which often hold large quantities of sensitive personal data, are compliant with these regulations and have GDPR-compliant case management systems in place.
A quick recap: what is GDPR all about?
GDPR applies to all individuals and businesses that handle the personal data of EU citizens, and there is more accountability than ever before. When it comes to GDPR compliance for law firms, it’s about ensuring that consent for holding any data has been obtained; being able to state what it is being used for; showing how it is being protected; and explaining why it is being stored.
Fines for non-compliance
Non-compliance with the GDPR could result in huge fines: for larger companies, up to £17m or 4% of global turnover, whichever is greater.
In October 2020, British Airways was fined £20m ($26m) by the Information Commissioner’s Office (ICO) for a data breach, which affected more than 400,000 of BA’s customers.
The general message is that firms still failing to be GDPR compliant are putting their businesses at risk and leaving themselves open to fines. With the financial stakes for data breaches being much higher than ever before, you can’t afford to be complacent.
How to be compliant: GDPR case management
Understand your data estate
It’s vital that you work out what data you have and make sure it adheres to your new working practices. You can think of data as managed or unmanaged. Managed data resides in a database, with access controlled by permissions. It can only be accessed through a secure connection.
Unmanaged data is the rest of it – your emails stored on your PC, phone and tablet, and documents saved locally or “kept safe” on a USB stick that is probably not encrypted and can so easily be lost or misplaced.
It is unmanaged data that is likely to pose the greatest risks to your firm, so understanding your data estate and taking steps to safeguard it couldn’t be more important.
Implement new working practices
Once you’ve worked out the nature of your data estate, you need to bring it into line with GDPR and ensure that all new data is generated in line with your new working practices. This should be relatively straightforward if you’ve set up new working practices and provided your staff with the necessary training.
Consider appointing a data protection officer (DPO)
Some firms are obliged to appoint a Data Protection Officer. For other firms, it may well be a prudent step to take. It may even be that you become the DPO! You or your DPO will take on the responsibility of understanding the nature of your data estate. Essentially this means all of your firm’s data. In addition, the DPO will work with your IT team to implement your agreed processes and procedures.
Monitor, review, report
Becoming GDPR compliant once isn’t enough. One thing that many businesses have learned is that GDPR compliance requires constant attention and resources. Law firms are processors of large quantities of personal data.
It’s critical that you have buy-in right across the business, as you need to ensure that you continue to document your policies and procedures efficiently. This should take the form of staff training, auditing of your systems and data and reviewing your working practices.
If you embark on a new area of work then design the whole process with privacy in mind and don’t be tempted to add it on at the end. Considering privacy from the outset will make the implementation of the new working practice fit seamlessly alongside your other GDPR processes.
How to survive – and thrive – under GDPR
By using a case management system that enables you to be GDPR compliant your firm will be in a strong position – and you should be able to implement the vast majority of processes without having to disrupt the way you and your colleagues work.
GDPR is not designed to make our working lives more difficult. It’s about protecting data – and the rights of those individuals the data relates to.
Therefore, it’s essential to work with a software company that understands everyone’s responsibilities.
In addition, they should appreciate your need to drive efficiencies and improve your services, whilst maintaining and increasing profit margin.
Whilst the law may not be as well publicised as it once was, GDPR has not gone away. We only need to look at some high-profile cases over recent times – the British Airways fine is by no means an isolated one, as other firms have fallen foul too – to see the level of fines that are imposed for breaches. Your responsibility for the data you control and its protection must always remain at the forefront of your mind. Simple mistakes can prove very costly, and they can be avoided.
This is the key to surviving – and thriving – under GDPR.
If you found the tips in this blog helpful be sure to check out our blog on improving the effectiveness of your law practice management.