The countdown to GDPR is over!
If you haven’t got your house in order by now, you’ll have the EU and the ICO to deal with on matters of compliance.
We took some time to think about GDPR and how it affects businesses in general in our blog series, but then we got to thinking - what about law firms specifically? Surely, working in the legal sector, law firms should be on top of this whole GDPR thing, right?
After speaking to several local law firms, however, we found this wasn’t actually the case. Many had been looking for outside advice to see how it would affect not only their business but their legal marketing too.
To combat this, we’ve written a short summary on what law firms need to think about when it comes to GDPR and what they should start doing now.
Here’s What Law Firms Need to Consider:
- The rights of any persons to have control over their data - this includes their rights for their information to be erased and/or forgotten.
- Information regarding the processes of collecting and handling data - there needs to be a clear understanding of how law firms collect data from individuals and how they will handle it.
- The need for Data Protection Officers (DPOs) - these are assigned individuals who will oversee all compliance, regulation and assessments within a firm.
- The need for Data Protection Impact Assessments - DPOs will need to undertake assessments with the help of all departmental heads to audit current processes and identify areas that need to be amended, changed or stopped.
- Receiving consent from clients and explaining how their personal data will be used - when asking an individual for consent, law firms will need to explain in clear, easy-to-understand language how their data is intended to be used, unless they choose to go down a route such as legitimate interest. For more on that, visit our other blog post.
So, what can your law firm start doing? We’ve put together a list of six key steps that can kickstart your firm’s journey to GDPR compliance:
1. Set Up a Plan
Formulate an action plan, broken down into manageable sections, covering everything your firm needs to do to become compliant. A good tip is to start with the items that will take the longest to complete so that you give your firm enough time to finish them. After all, the deadline was way back in May!
2. Verify Consent Now
Regardless of when you initially received consent from a client or any other individual (it could be yesterday or it could have been six months ago), it’s vital you gather explicit consent again from all parties to hold and process their data. This is done using the double-opt-in method, where individuals need to fully verify their consent twice. Again, if you can legitimately prove another interest in processing their data, such as ‘vital interest’, you don’t need explicit consent.
3. Update Your Website
As part of your action plan in Step 1, you’ll need to include a review of your website. Look at every aspect of your law firm’s website and start updating any section, form or checkbox that asks an individual to provide personal information and doesn’t follow the GDPR guidelines. Remember, asking an individual to check a box in order to opt out of marketing materials isn’t compliant anymore.
4. Amend Records
Start amending or deleting records of those individuals who have either denied consent or did not respond by the deadline. Give yourself a timeframe to collect answers from people so that you’re not waiting months on end for consent.
5. Update Processing and Handling
Ensure all data can be easily viewed, deleted or transferred if needed. If an individual requests deletion of their information, then consent should be easy to withdraw. Reviewing your processing and handling of data is vital in becoming compliant with GDPR.
6. Use Best Practice for Safety
Safety and security of data are paramount under GDPR. Should your firm suffer a data breach of any kind, it’s vital that measures are in place at every level to limit any further consequences. Failure to deal with data security could lead to hefty fines - a minimum of 4% of your annual turnover.
Even if you work in the legal sector, you may be unsure about some of the processes and guidelines set out by GDPR. This is a complicated issue, so we recommend that you seek advice from a specialist who can help you identify any concerns or issues you come across.
Remember that these changes are taking place for the greater good, replacing stale data protection laws that left both individuals and businesses at risk. So, if you haven’t started a data compliance review, now is the time to do so.
If your law firm needs more guidance, we’ve provided a useful (and free) GDPR Toolkit for Businesses which you can download to give you everything you need to know about compliance and data protection.