The Quick Guide to GDPR Compliance
With only about a month to go until the General Data Protection Regulation (GDPR) takes effect, the indications are that a large number of businesses around the country – law firms included – have not yet taken any steps towards compliance. This year’s Global Forensic Data Analytics Survey from EY revealed that only about one third of businesses had a GDPR compliance plan with a further 39% of respondents indicating that they were not at all familiar with the GDPR. This latter figure was backed up by research from the Institute of Directors (IoD). The IoD figures, from October of 2017, indicated that nearly a third (30%) of UK business leaders have never heard of the GDPR whilst over a third (40%) didn’t know if the GDPR would affect their business.
Given the level of hype that has surrounded GDPR over the past year or so, it is difficult to imagine that anyone not lost in the rainforests of Borneo and Sumatra could have failed to hear about GDPR.
Among many smaller businesses there is still a belief that in reality they are not going to need to do a great deal. Certainly if the businesses in question have been in strict compliance to date with the provisions of the Data Protection Act 1998, have kept their data up to date and relevant and have not engaged in any questionable marketing practices, that may well be the case. Indeed, many law firms who do not market themselves electronically and retain only the basic amounts of data about clients, staff and third party contractors will already be doing much of what is required, and confidentiality regulations will have helped them to fill in any gaps over the years.
There will, however, inevitably be some gaps in compliance terms – some processes or steps not being taken that it would be safer to take.
Despite the title to this article, we should say at the outset that there is only one way to approach GDPR compliance, and that is properly. However, not everyone has either the resources or the ability to be able to undertake an in-depth implementation or the finances to pay someone else to do it. For that reason, we have produced this “quick guide” which we hope will help you to address the basics for now and formulate a plan to deal with other aspects as soon as circumstances permit.
A starting point
All businesses and organisations, law firms included, must comply with the GDPR although, to a degree, the steps they will need to take will depend upon the complexity and size of their businesses.
For a larger and more complex law firm – one with possibly multiple offices, a wide range of client types, a large number of partners or managers and carrying out electronic marketing of some form – then the amount required to be done to achieve compliance will be far greater than for a sole practitioner, possibly with only two or three staff and a limited or even specialised client base. This article really is aimed more at the latter than the former since hopefully the larger firms have had the resources and foresight either to appoint someone internally to concentrate on GDPR compliance or to employ an external consultant.
Whatever the situation, hopefully the following will act as a starting point either for implementation or a quick check before
We are not going to go through the various provisions of the GDPR in general terms – these have already been covered in an earlier article on this web site (GDPR and Your Firm) and in various other places across the Internet. What we are going to concentrate on here are some of the steps that you can take to help ensure compliance.
For those who want to start from scratch, so to speak, there is an excellent but brief summary of what is required that has been provided by the Information Commissioner’s Office (ICO) and entitled “Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now”. This identifies the 12 key steps as:
- information you hold,
- communicating privacy information,
- individual rights,
- subject access requests (dealt with by us in our last article “Handling GDPR Subject Access Requests”),
- lawful basis for processing personal data,
- data breaches,
- data protection by design and data protection impact assessments,
- data protection officers, and
As well as the brief guide, there is an online resource called the “Data Protection Self-Assessment Toolkit” which, whilst stated to be aimed at small to medium-sized businesses, should be useful to most law firms. This is broken down into a number of sections covering:
- data protection assurance checklists,
- information security,
- direct marketing,
- records management,
- data sharing and subject access, and
Not only does the toolkit give you the chance to identify gaps in your compliance, it also provides brief explanations about each section as you go through it.
There is also a full guide to the GDPR on the ICO web site (ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/) which can also be downloaded as a PDF document.
It is perhaps worth mentioning that, as yet, there is little to no official guidance as to the interpretation of GDPR in legal practice. The SRA are currently taking the view that it is a matter of law, not regulation, and are thus declining to advise on it, and the Law Society have yet to produce anything substantive – possibly because they are commercially promoting a business called GDPR Portal.
Finally, don’t forget that the GDPR is not the only game in town. Any firms (which will probably be most) that use electronic communications, especially any form of electronic marketing, must be aware of, and take account of, the latest provisions in the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) – which we plan to cover in an article later this year.
Overlaps with regulations
Despite the SRA’s reluctance to be drawn on GDPR, it should be borne in mind that there are a number of overlaps between what GDPR requires and the existing regulatory rule book. Among these are:
- Outcome O(1.1) – that you treat clients fairly
- Outcome O(1.3) – when deciding whether to act, or terminate your instructions, you comply with the law and the Code
- Outcome O(4.1) – you keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents
- Outcome O(4.5) – you have effective systems and controls in place to enable you to identify risks to client confidentiality and to mitigate those risks
- Outcome O(7.5) – you comply with legislation applicable to your business, including anti-money laundering and data protection legislation
- Outcome O(7.9) – you do not outsource reserved legal activities to a person who is not authorised to conduct such activities – and by implication Outcome O(7.10)
Thinking about your firm
Before you embark upon any steps towards compliance, you should start by thinking about the nature of your firm, what it does and what you want it to do in the future. The ICO toolkit referred to above may assist you with this.
In particular, have an idea about:
- the type of information you hold,
- how up to date that information is,
- whether it is accurate,
- whether you hold data only for client related matters and employee details,
- whether you carry out any marketing,
- whether you already produce, or would like to produce, a client newsletter,
- whether your data is accessible electronically,
- whether you have a policy for file and data destruction.
Above all, be realistic but at the same time have an eye to whether it would be regarded as reasonable if you were not to do something. For example, if you have an archive filled with thousands of paper files going back tens of years, how realistic is it that you are going to be able to go through them and weed out everything that is no longer necessary within a reasonable time-frame? A better approach in the short term might be to take steps to ensure that they are secure – for example by thinking about how they are stored, who has access and how secure that storage is – and if they are not, taking steps to make them secure. Unless you have considerable resources, you cannot do everything at once and it is probably more important that you address the more current or pressing issues than that you deal with a historical one that might never arise.
That doesn’t mean that you can put it off forever. If you can create and, importantly, document a plan for the gradual sorting of old files then you can demonstrate to the ICO, should the need arise, that you are taking reasonable steps.
You also need to think about those within your firm and whether or not they are sufficiently GDPR aware so as to protect your firm in the future. The chances are that in the case of many staff, even if they have heard of GDPR they will not know the detail. Think, therefore, about implementing some training sessions to raise awareness.
What data do you hold?
Having thought about the firm in the widest sense, you first need to get an idea of the data you hold and details about it.
This is probably going to be the hardest part of GDPR compliance but is necessary if:
- you hope to ever be able to demonstrate compliance – if you don’t know what data you hold how can you show you are compliant with regard to it;
- you want to be able to respond in a timely manner to things such as subject access requests; and
- you are going to be able to take steps to keep data secure and be aware of when there has been a data breach.
To do this, you will need to look at all of your data and record:
- the nature of the data that is held,
- why it is held,
- the legal basis for the processing,
- how it is collected,
- how and where it is stored,
- how it is kept secure,
- how it is used,
- who “owns”, controls and processes the data,
- what policies, if any, exist for the retention and deletion of the data,
- what the retention period is,
- whether the data is up to date and accurate,
- what processes exist for keeping it accurate, and
- whether it is special category data.
Bear in mind that you will need to analyse, alongside the data types, the processes within the firm in which they are used, and record each of these separately.
The Six Key Principles
There are six key principles set out in Article 5 of the GDPR and they are:
- Lawfulness, fairness and transparency – that is to say personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject
- Purpose limitation – personal data must only be collected for specified, explicit and legitimate purposes and must not be processed in any manner incompatible with those purposes
- Data minimisation – only that data which is necessary and relevant should be collected and processed
- Data accuracy – any data which is held should be accurate and kept up to date and every reasonable step must be taken to make sure that inaccurate data is either deleted or rectified
- Storage limitation – personal data must be kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which it was collected
- Integrity and confidentiality – any data should be stored and processed securely and protected from unauthorised or unlawful processing, loss, destruction or damage.
As a data controller, your firm will be responsible for being able to prove that these six principles have been complied with and so you should bear them in mind when conducting your review of the data you hold.
Thus you need to establish, in relation to both existing data and data you may acquire going forward:
- that you know that there is a lawful basis for processing it (see below),
- why it was collected,
- that it is limited to what is necessary,
- that it is accurate and up-to-date,
- that you can identify the subject to whom it relates,
- that it is kept for no longer than is necessary, and
- that it is secure.
You will recall from the overview of GDPR that individuals are given certain rights by the GDPR. The first of these is the right to be informed – which will usually take the form of a privacy notice.
The GDPR specifically provides that individuals have the right to be informed about the collection and use of their personal data and that as a data controller you must provide them with information which includes:
- your purposes for processing their personal data,
- your retention periods for that personal data, and
- who it will be shared with.
This information must be provided to individuals at the time you collect their personal data from them or, if you obtain personal data from other sources, you must provide it within a reasonable period of obtaining the data and no later than one month.
Consequently, therefore, the firm needs to look at its privacy notices – which may be in standard letters, terms of business, at the foot of emails or on a web site – and decide whether they provide sufficient information and, most importantly, are concise, transparent, intelligible, easily accessible, written in clear and plain English and provided free of charge.
Other Individual Rights
The GDPR also provides that individuals have other rights in relation to their data.
- the right of access (which we covered in our last article on Subject Access Requests),
- the right to rectification,
- the right to erasure,
- the right to restrict processing,
- the right to data portability (possibly of less relevance to most law firms),
- the right to object, and
- the right not to be subject to automated decision-making including profiling (again, not one likely to trouble many law firms).
Unless you know what data you hold, where it is held and how you will access it, then all of these rights are going to be somewhat difficult to observe.
You need as a firm to make sure that all personnel are aware of these rights and you need to have in place a process to follow in the event that a data subject chooses to exercise any of these rights. That particularly applies in relation to the right of access, where there are strict time limits for responding to a subject access request. Remember that a subject access request will not always state that it is one and may not be sent to the correct person in the firm. In either case, that makes it no less valid.
Lawful Basis for Processing
It is vital that as a firm you establish the lawful basis under which you process any data.
There are six lawful bases:
- Consent – where the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract – the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation – the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests – the processing is necessary to protect someone’s life.
- Public task – the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests – the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
If you cannot establish a basis then you should neither hold nor process the data in question.
So far as consent is concerned, you can only rely on this provided you are able to show that the data subject gave their consent freely and in an informed and unambiguous way. It must also be able to be shown that it was in relation to the particular purpose for which the consent was sought.
Consent can be written, electronic or even verbal. It can, for example, be shown by positively ticking a box on a web site or in a form to say that consent is given. However, it cannot be inferred from a failure to tick a box that would have refused consent, or from a pre-ticked box that the individual must untick to refuse.
In other words silence, pre-ticked boxes or inactivity can never amount to consent.
Furthermore, consent cannot be tied in with some other service – e.g. “we will only do X if you agree to Y” – and consent must be able to be withdrawn at any time.
Contract is the basis which is likely to apply most often to the data you hold and process and will apply to clients, employees, contractors and other third parties with whom you have a business relationship. You should generally rely on this basis in your everyday dealings with them rather than any other basis – especially consent, which can be withdrawn.
Legal obligation is going to apply wherever you, as a firm, do something with personal data because you are obliged to do so – e.g. MLR checks, reporting to HMRC in relation to tax or dealing with the SRA.
Vital Interests & Public Tasks
These are less likely to be of relevance to the average law firm on a day-to-day basis.
Legitimate interest is one of the more complex concepts within these six bases. It means in effect that the data controller must be able to demonstrate that their own legitimate interests to process the data subject’s personal data are not overridden by the interests or fundamental rights and freedoms of the data subject. To know whether this is the case, the data controller must carry out what is known as a legitimate interest assessment and must only rely upon it if the assessment reveals that the data subject’s rights do not override those of the data controller. Even then, the processing must be within the ‘reasonable expectations’ of the data subject.
Legitimate interest processing might be used by the firm:
- in order to process data about employees or clients that do not relate specifically to the subject of a contract between them – for example internal planning of resources or calculating demographics of the client or employee base
- or to prevent fraud,
- or for direct marketing provided that other regulations are observed.
A practical use for it may be in relation to the thorny issue of file retention. Once the matter for which you collected client data comes to an end there is an argument under GDPR for saying that the data should be destroyed since the purpose for collecting it has ceased to exist. However, you may wish to retain the files for, say, at least seven years in case the client decides to sue the firm and you need to defend that claim. What you should probably do, therefore, is to carry out a legitimate interest assessment, establish that your need to retain the data is not overridden by the client’s interest in its not being retained, record that decision and then retain the file and data in a secure manner. Where the MLR applies, legal obligation will cover the retention of files for 5 years (see the MLR 2017).
Special Category and Criminal Offence Data
The firm should also consider whether any of the data which it processes comes within the categories of special category data or criminal offence data since there are additional requirements that must be complied with in relation to the handling of both.
Special category data is personal data which the GDPR says is more sensitive, and so needs to be given a greater amount of protection. That data includes information about an individual’s:
- ethnic origin;
- trade union membership;
- biometrics (where used for ID purposes);
- sex life; or
- sexual orientation.
and in order for it to be lawfully processed, the data controller must identify not only one of the six lawful bases set out above but must also, as a separate condition for processing special category data, be able to comply with one of the conditions set out in Article 9 of the GDPR. These do not have to be linked. There are currently ten conditions for processing special category data in the GDPR itself, but it is anticipated that the Data Protection Bill will introduce additional conditions and safeguards.
Those conditions include:
- the data subject has given explicit consent;
- the processing is necessary to carry out obligations in the field of employment and social security and social protection law;
- the processing is necessary to protect the vital interests of the data subject or a third party where the data subject cannot give consent;
- the processing is carried out by a not-for-profit body with political, philosophical, religious or trade union aims for the benefit of members etc.;
- the processing relates to personal data made public by the data subject;
- the processing is necessary to establish, exercise or defend a legal claim;
- there is a substantial public interest proportionate to the aim pursued;
- the processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health care or the management of health or social care systems;
- the processing is in the public interest in the area of public health, such as protecting against serious cross-border threats to health; or
- the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes and is proportionate to the aim pursued.
Criminal offence data is personal data about criminal convictions or offences, and in order to process it the data controller must have both a lawful basis as set out above and either legal authority or official authority for processing that data under Article 10.
Article 10 states that processing personal data relating to criminal convictions and offences or related security measures shall be carried out only under the control of official authority or when the processing is authorised by law providing for appropriate safeguards for the rights and freedoms of data subjects, and that any comprehensive register of criminal convictions shall be kept only under the control of official authority. Anyone wishing to process this data must determine that the condition for lawful processing of offence data exists before the processing begins, and it should be documented.
In relation to both these types of data firms would be best advised to take extra care not only in how they collect and process it but in relation to the security surrounding its retention.
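The inventory described under “What data do you hold?” and the extra conditions for special category and criminal offence data lend themselves to a simple consistency check. The following Python validator is an added example, not code from the guide, the ICO or any product: it walks a firm’s record of processing activities and flags entries that could not be defended to the ICO, such as a missing lawful basis, special category data with no Article 9 condition, criminal offence data with no Article 10 authority, or no retention period. The field names, the check messages and the four sample entries are constructed for this example; the judgements themselves (which lawful basis applies, which Article 9 condition fits) remain the firm’s to make and record.

```python
"""Validator for a record of processing activities (added example, not from the guide).

Each ProcessingRecord carries the fields the guide lists for the data inventory:
nature of the data, purpose, lawful basis, storage, security measures, retention
period and whether it is special category or criminal offence data.
check_register() reports the entries whose documentation has gaps.
Field names and sample entries are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The six lawful bases in Article 6, as listed in the guide
LAWFUL_BASES = {"consent", "contract", "legal obligation",
                "vital interests", "public task", "legitimate interests"}


@dataclass
class ProcessingRecord:
    name: str
    data_types: List[str]
    purpose: str
    lawful_basis: Optional[str]
    storage: str
    security_measures: List[str]
    retention_period: Optional[str]
    special_category: bool = False            # Article 9 data (health, ethnicity, ...)
    article9_condition: Optional[str] = None  # which Article 9 condition is relied on
    criminal_offence_data: bool = False       # Article 10 data
    article10_authority: Optional[str] = None # legal or official authority relied on
    lia_documented: bool = False              # legitimate interest assessment on file?


def check_record(rec: ProcessingRecord) -> List[str]:
    """Return the documentation gaps for one entry (empty list means none found)."""
    issues: List[str] = []
    if rec.lawful_basis not in LAWFUL_BASES:
        issues.append("no recognised lawful basis")
    if rec.lawful_basis == "legitimate interests" and not rec.lia_documented:
        issues.append("legitimate interests relied on without a documented assessment")
    if rec.special_category and not rec.article9_condition:
        issues.append("special category data without an Article 9 condition")
    if rec.criminal_offence_data and not rec.article10_authority:
        issues.append("criminal offence data without Article 10 authority")
    if not rec.retention_period:
        issues.append("no retention period")
    if not rec.security_measures:
        issues.append("no security measures recorded")
    return issues


def check_register(register: List[ProcessingRecord]) -> Dict[str, List[str]]:
    """Map each entry name to its gaps, omitting entries with none."""
    report: Dict[str, List[str]] = {}
    for rec in register:
        issues = check_record(rec)
        if issues:
            report[rec.name] = issues
    return report


# Constructed sample register for a small firm
SAMPLE_REGISTER: List[ProcessingRecord] = [
    ProcessingRecord("client matter files", ["name", "address", "correspondence"],
                     "providing legal services under the retainer", "contract",
                     "case management system; paper file in office safe",
                     ["access controls", "encrypted backups"], "7 years after matter closed"),
    ProcessingRecord("staff sickness records", ["name", "absence dates", "medical certificates"],
                     "managing employment", "legal obligation", "HR cabinet",
                     ["locked cabinet"], "6 years after employment ends",
                     special_category=True),          # health data, no Art. 9 condition recorded
    ProcessingRecord("newsletter mailing list", ["name", "email"], "client newsletter",
                     "legitimate interests", "third-party mailing service", [], None),
    ProcessingRecord("pre-employment DBS checks", ["name", "criminal record disclosure"],
                     "vetting new staff", "legal obligation", "HR cabinet",
                     ["locked cabinet", "restricted to HR partner"], "6 months after decision",
                     criminal_offence_data=True,
                     article10_authority="PLACEHOLDER: authority to be identified by the firm"),
]

if __name__ == "__main__":
    for name, issues in check_register(SAMPLE_REGISTER).items():
        print(f"{name}: {'; '.join(issues)}")
```

Run against the sample register, the client files and the DBS entry pass, the sickness records are flagged for the missing Article 9 condition, and the mailing list is flagged three times: an undocumented legitimate interest assessment, no retention period and no security measures, which is exactly the kind of entry the guide says you should neither hold nor process until its basis is established.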
Accountability and Governance
The GDPR includes provisions that promote accountability and governance by data controllers and processors. These require that data controllers and processors put in place comprehensive but proportionate measures to ensure that they are able to comply with the provisions of the GDPR and the principles of good practice such as privacy impact assessments and privacy by design.
Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place. It will also, it is suggested, be harder for smaller organisations to implement due to lack of resources than it will be for larger ones that can set up departments and hire in the skills needed.
Fortunately, for most law firms, proportionality will apply to this so that the procedures that are implemented can be reasonable in the circumstances and the steps that would need to be taken by a 100 partner city firm would be different from those that would need to be taken by a sole practitioner in a small market town.
In order to be able to demonstrate compliance with this the firm would need to be able to show that they have implemented appropriate technical and organisational measures that ensure and demonstrate compliance.
This may include:
- internal data protection policies such as internal audits of processing activities, and reviews of internal HR policies;
- staff training;
- maintaining relevant documentation on processing activities;
- where appropriate, appointing a data protection officer (not always necessary);
- implementing measures that meet the principles of data protection by design and data protection by default;
- data minimisation;
- pseudonymisation – i.e. processing data so that it can no longer be attributed to a particular individual without the use of additional information that is kept separately;
- allowing individuals to monitor processing;
- creating and improving security features on an ongoing basis;
- using data protection impact assessments where appropriate.
Other aspects of accountability and governance include:
- ensuring that the firm has written contracts with data processors that contain certain compulsory terms including that:
- the processor will only act on the written instructions of the controller (unless required by law to act without such instructions);
- the processor will ensure that people processing the data are subject to a duty of confidence;
- the processor will take appropriate measures to ensure the security of processing;
- the processor will only engage a sub-processor with the prior consent of the data controller and a written contract;
- the processor will assist the data controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
- the processor will assist the data controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
- the processor will delete or return all personal data to the controller as requested at the end of the contract; and
- the processor will submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
- documentation requirements including explicit provisions about documenting processing activities and maintaining records on things such as processing purposes, data sharing and retention. Bear in mind that the firm may be required to make the records available to the Information Commissioners Office on request and that generally, records must be kept in writing (including electronically) and must be up to date and reflect current processing activities.
Next we are going to consider the topic of security and in particular data breaches.
A key principle of the GDPR is that you process personal data securely by means of ‘appropriate technical and organisational measures’ – this is the ‘security principle’. Doing this requires that things such as risk analysis, organisational policies, and physical and technical measures are considered and that account is taken of additional requirements about the security of the processing.
An adequate security response will be one which takes account of the state of the art and the costs of implementation so that it is appropriate both to the firm’s circumstances and to the risk the processing poses, and should ideally include measures such as pseudonymisation and encryption.
The aim is that the measures which are implemented should ensure the ‘confidentiality, integrity and availability’ of the systems and services and the personal data that is processed within them.
In addition, the measures must also enable the controller or processor to restore access and availability to personal data in a timely manner in the event of a physical or technical incident.
There are essentially three strands to data breaches within the GDPR:
- Security – which is covered in Article 32;
- Breach Reporting to the Supervisory Authority – which is covered in Article 33; and
- Communication with the Data Subject – which is covered in Article 34.
So far as security is concerned Article 32 requires that in particular, the data controller or processor must take account of the risks from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data and should take steps to ensure that others who have access to personal data only process them under instructions from the data controller.
So far as breach reporting is concerned, Article 33 provides for the reporting to the correct supervisory authority (the ICO in the UK) of breaches as and when they occur. It states that, where there has been a personal data breach, the data controller must report that breach without undue delay and ideally within 72 hours of becoming aware of it. This will not apply, however, if the breach is unlikely to result in a risk to the rights and freedoms of those whose data is being processed. In the event that the notification cannot be made within 72 hours then the supervisory authority must be given a reason for the delay within the 72-hour deadline.
Article 33 goes on to specify what must be included in the report. This includes:
- the nature of the breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer or other contact point where more information can be obtained;
- the likely consequences of the breach; and
- the measures taken, or proposed to be taken, to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
Article 34 makes provision for informing the data subject about the data breach. It requires that where the breach is likely to result in a high risk to the data subject’s rights and freedoms then the controller shall communicate the personal data breach to the data subject without undue delay. The communication needs to describe in clear and plain language the nature of the personal data breach and in addition inform the data subject of:
- the name and contact details of the data protection officer or other contact point where more information can be obtained;
- the likely consequences of the breach;
- the measures taken or proposed to be taken to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
However, communicating with the data subject will not be necessary if:
- technical and organisational steps had been taken to render the personal data unintelligible to any person who is not authorised to access it, such as encryption;
- subsequent measures had been implemented so as to ensure that the high risk to the rights and freedoms of data subjects referred to above will not happen;
- a disproportionate effort would be involved. If this is the case then there would need instead to be a public communication or similar measure whereby the data subjects are informed in an equally effective manner – for example a press release, an advert in a paper likely to be read by the data subject or a prominent notice on a website.
Therefore your firm must have processes in place for dealing with a data breach – the time limits for dealing with them are not generous – and it must make sure that all staff are aware of what constitutes a data breach and the steps they must take to report it.
Remember also that a data breach does not have to be an intentionally criminal act on the part of a fraudster or cybercriminal. Loss of a memory stick or laptop with no password, the loss of an unencrypted file, inadvertently attaching the wrong person’s document to an email, accidentally deleting a data record, leaving a file open on a desk where a client can see it or being overheard talking about a client’s personal information are all data breaches. If you are the person responsible for that particular breach, then you need to be aware that it must be reported internally to the person responsible for dealing with such breaches – just as much as you should be keeping an eye open for attempted hacking or phishing attacks on the firm.
Note, however, that not all data breaches need to be reported to the ICO or the data subject. Some will be trivial. Some will be capable of being put right – for example a deleted data file restored from the firm’s overnight backup. Others, however, will need to be reported – for example the loss on a train of a paper file containing a client’s personal details, or a data breach that reveals clients’ bank account details or passwords – and if this is the case then the firm has very strict time limits in which to report the matter. Any delay on your part or any misunderstanding of your responsibility could have major financial, regulatory and reputational repercussions for the firm.
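The breach-handling procedure set out above (Articles 32 to 34, the 72-hour window and the exemptions from telling data subjects) can be turned into a repeatable triage step so that whoever receives an internal report applies the same questions every time. The following Python helper is an added example, not code from the guide, the ICO or any product. The risk grading of each incident is an input decided by the firm, not something the code infers; the incidents, the awareness timestamp and the threshold used for “disproportionate effort” are constructed sample data.

```python
"""Data breach triage helper: an added example, not code from the guide.

Turns the Article 33 and Article 34 decision points into a repeatable check:
whether the ICO must be notified and by when, whether the 72-hour window has
already passed (so reasons for the delay are required), whether the data
subjects must be told, and whether a public communication may stand in for
individual notices. Every breach is recorded internally regardless.
Incidents and thresholds below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

NOTIFICATION_WINDOW = timedelta(hours=72)     # Article 33(1)
RISK_LEVELS = ("unlikely", "risk", "high")    # the firm's own grading scale


@dataclass
class Breach:
    description: str
    aware_at: datetime                  # when the firm became aware of the breach
    risk: str                           # one of RISK_LEVELS, decided by the firm
    subjects_affected: int
    data_unintelligible: bool = False   # e.g. encrypted and the key not lost (Art. 34(3)(a))
    risk_neutralised: bool = False      # later measures removed the high risk (Art. 34(3)(b))
    individual_notice_limit: int = 500  # constructed threshold for "disproportionate effort"


def ico_deadline(breach: Breach) -> datetime:
    """Latest time to notify the ICO without having to give reasons for the delay."""
    return breach.aware_at + NOTIFICATION_WINDOW


def triage(breach: Breach, now: datetime) -> Dict[str, object]:
    """Apply the Article 33/34 decision points to one breach at time `now`."""
    if breach.risk not in RISK_LEVELS:
        raise ValueError(f"unknown risk level {breach.risk!r}")
    decision: Dict[str, object] = {
        "record_internally": True,      # every breach goes in the internal breach log
        "notify_ico": False,
        "ico_deadline": None,
        "delay_reasons_required": False,
        "notify_subjects": False,
        "public_communication": False,
    }
    # Article 33: notify the supervisory authority unless the breach is
    # unlikely to result in a risk to the rights and freedoms of individuals
    if breach.risk != "unlikely":
        deadline = ico_deadline(breach)
        decision["notify_ico"] = True
        decision["ico_deadline"] = deadline
        decision["delay_reasons_required"] = now > deadline
    # Article 34: tell the data subjects when the risk is high, unless the data
    # was unintelligible to outsiders or the high risk has since been removed
    if breach.risk == "high" and not (breach.data_unintelligible or breach.risk_neutralised):
        if breach.subjects_affected > breach.individual_notice_limit:
            decision["public_communication"] = True   # Art. 34(3)(c): disproportionate effort
        else:
            decision["notify_subjects"] = True
    return decision


# Constructed incidents, all discovered at the same sample timestamp
AWARE = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
ON_TIME = AWARE + timedelta(hours=27)   # still inside the 72-hour window
LATE = AWARE + timedelta(hours=80)      # the window has passed
SAMPLE_BREACHES: List[Breach] = [
    Breach("paper file with a client's bank details left on a train", AWARE, "high", 1),
    Breach("record deleted by mistake and restored from the overnight backup", AWARE, "unlikely", 1),
    Breach("encrypted laptop stolen; the key was not compromised", AWARE, "high", 120,
           data_unintelligible=True),
    Breach("newsletter mailing list exposed online", AWARE, "high", 4000),
]


def triage_all(now: datetime) -> List[Dict[str, object]]:
    """Triage every sample breach; results are in the same order as SAMPLE_BREACHES."""
    return [triage(b, now) for b in SAMPLE_BREACHES]


if __name__ == "__main__":
    for breach, decision in zip(SAMPLE_BREACHES, triage_all(ON_TIME)):
        print(f"{breach.description}: {decision}")
```

The point of keeping `record_internally` fixed at true is the one the guide makes: a breach that turns out not to be reportable still has to reach the person responsible for breaches so that the decision, and the reasoning behind it, is on file if the ICO later asks.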
Privacy by Design, Data protection Officers and International Arrangements
Finally just a brief word about these three areas which are likely to be of less importance to the majority of firms, simply because they will not apply.
Privacy by design is one of the “innovations” of the GDPR. It places a duty upon your firm as a data controller or processor to implement technical and organisational measures to show that you have considered data protection and built it into your day-to-day data processing activities. It is still a fairly vague concept but, from a practical perspective, probably requires that you consider data protection whenever you take on a new type of work, introduce a new process or collect a new form of data, and that when you consider technological deployments such as new databases, case management software or new hardware you give thought to the data protection implications of doing so.
Data protection officers will not be relevant for the majority of law firms. You are required to appoint a data protection officer (DPO) if you are a public authority or if you carry out certain types of processing activities. Their role is to assist you in monitoring internal compliance, to inform and advise on your data protection obligations, to provide advice regarding Data Protection Impact Assessments (DPIAs) and to act as a contact point for data subjects and the supervisory authority. A DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level. Note that, if you appoint someone within the firm to have an overall responsibility for data protection, don’t appoint them as DPO unless you really need to because even though it is not compulsory for you to have one, your DPO will become subject to the same duties and liabilities as if you did.
International issues will only apply if you operate in more than one state or if you have dealings with those in other countries. It is suggested that in the vast majority of cases this will not apply.
So to conclude, every firm needs to give some degree of thought to GDPR and should tailor its activities and processes so as to ensure that it complies.
You cannot guarantee that it will not have a practical effect upon you – even if it is just an aggrieved client making the most of the rights which they have to make a subject access request or the need to report a data breach.
For most firms, external consultants should not be necessary provided that they take a sensible approach to data and make an effort to analyse their data, know how they will deal with the various scenarios and ensure that going forward they are as compliant as it is possible to be.