The countdown to GDPR is still ticking, with only seven months left for businesses to prepare: if you don't, you'll have the EU supervisory authorities to deal with on matters of compliance. While seven months may seem like a long way off, in business time it's essentially a blip. We took some time to think about GDPR and how it will affect businesses in general in our blog series, but then we got to thinking: what about law firms specifically? Surely, working in the legal sector, law firms should be on top of this whole GDPR thing, right?
After speaking to several local law firms, we found this wasn't actually the case. Many had been looking for outside advice to see how GDPR would affect not only their business but their legal marketing too.
To help, we've written a short summary of what law firms need to think about when it comes to GDPR and what they should start doing now in order to be compliant before the 25th May 2018 deadline arrives.
Here’s What Law Firms Need to Consider:
- The rights of individuals (data subjects) over their data - this includes the right to access the data you hold on them, to have it corrected, to have it erased (the "right to be forgotten"), to have it transferred to another provider, and to object to certain processing.
- Information regarding the processes of collecting and handling data - there needs to be a clear, documented understanding of what personal data the firm collects, from whom, on what lawful basis, where it is stored, who it is shared with and how long it is kept.
- The need for a Data Protection Officer (DPO) - a designated individual who oversees compliance, advises on obligations and acts as the contact point for individuals and the regulator. Appointing a DPO is only mandatory in certain cases (for example, public authorities, or where core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data such as criminal records), but a firm that chooses to appoint one voluntarily still has to meet the same requirements for that role.
- The need for Data Protection Impact Assessments (DPIAs) - required where a type of processing is likely to result in a high risk to individuals, and good practice more widely. The DPO, with the help of all departmental heads, should audit current processes and identify areas that need to be amended, changed or stopped.
- Obtaining consent from clients and explaining how their personal data will be used - where consent is the lawful basis you rely on, the request must be in clear, easy-to-understand language, separate from other terms, and must detail how the data is intended to be used. Bear in mind that consent is only one of several lawful bases; much of a law firm's processing will rest on performance of a contract, a legal obligation or legitimate interests instead, and you should identify and record which basis applies to each activity.
So what can your law firm start doing? We’ve put together a list of six key steps that can kickstart your firm’s journey to GDPR compliance:
1. Set-Up a Plan
Formulate an action plan that is broken down into manageable sections covering everything your firm needs to do to become compliant. A good tip is to start with the items that will take the longest to complete, such as mapping the personal data you hold and reviewing supplier contracts, so that you give your firm enough time to finish them before the deadline.
2. Verify Consent Now
Review every instance where you rely on consent, regardless of when it was originally obtained (it could have been yesterday or six months ago). Consent is only valid under GDPR if it was freely given, specific, informed and unambiguous, given by a clear affirmative action, and recorded so that you can demonstrate it. Consent that already meets that standard does not need to be collected again, but consent obtained through pre-ticked boxes, silence or inactivity does not count and must be refreshed or replaced with another lawful basis. For marketing lists in particular, many firms use a double opt-in (the individual signs up and then confirms by clicking a link in a verification email); GDPR does not mandate this, but it gives you a clear, timestamped record of consent and protects against addresses being entered without the owner's knowledge.
3. Update Your Website
As part of your action plan in Step 1, you'll need to include a review of your website. Go through every section, form or checkbox that asks an individual to provide personal information and update anything that does not meet GDPR requirements: remove pre-ticked consent boxes, separate marketing consent from the request itself, link to an up-to-date privacy notice that explains what you collect and why, and make sure forms are served over HTTPS so the data is protected in transit.
4. Amend Records
Where consent is the lawful basis for holding a record, start amending or deleting the records of those individuals who have either refused consent or have not responded by your deadline. Give yourself a fixed timeframe to collect answers so that you're not waiting months on end, and keep a record of what was removed and when. Records you hold on another lawful basis (for example, client files you must retain to meet professional or legal obligations) are not affected by a lack of marketing consent and should be handled according to your retention policy instead.
5. Update Processing and Handling
Ensure all personal data can be readily located, viewed, corrected, deleted or transferred if needed, and that you can respond to a subject access request within the one-month time limit. Withdrawing consent must be as easy as giving it, so a simple unsubscribe or opt-out route should be available wherever consent was collected. Reviewing your processing and handling of data, including the contracts you have with third parties who process data on your behalf, is vital in becoming compliant with GDPR.
6. Use Best Practice for Safety
Security of personal data is a core requirement of GDPR: you must apply technical and organisational measures appropriate to the risk, such as access controls, encryption of data in transit and at rest, staff training and regular review. Should your firm suffer a breach of any kind, you must be able to detect it, contain it and notify the supervisory authority within 72 hours of becoming aware of it where the breach is likely to result in a risk to individuals, and inform the affected individuals without undue delay where that risk is high. Put an incident response procedure in place now so that those deadlines can be met. Failure to protect personal data can lead to hefty fines: the maximum is €20 million or 4% of annual worldwide turnover, whichever is higher.
Even if you work in the legal sector, you may be unsure about some of the processes and guidelines set out by GDPR. We recommend that you seek advice from a specialist who can help you identify any concerns or issues you come across.
Remember that these changes are taking place for the greater good, replacing data protection laws from the 1990s that no longer reflect how personal data is collected and used and that left both individuals and businesses exposed. So if you haven't started a data compliance review, now is the time to do so.
If your law firm needs more guidance, we've provided a useful (and free) GDPR Toolkit for Businesses, which you can download to give you everything you need to know about compliance and data protection.