The General Data Protection Regulation (GDPR), set out by the European Union, ties together previous laws emanating from the Data Protection Directive (DPD) and comes into effect in 2018.
If planned correctly, law firms will find it a straightforward consolidation of the data destruction practices they already carry out physically. However, leaving it until later might give you a sore headache and an inspection from the ICO. Just last week the ICO fined eleven charities for misuse of personal data. Think about all those sensitive client documents you have saved on your practice management systems, and the invoices, card details and personal banking data your legal cashiers may be processing during a case.
The general principles of the GDPR place more power in the hands of data subjects and more responsibility on companies and internet providers to protect and destroy personal data on behalf of the data subject.
THE AIMS OF GDPR
The GDPR requires that personal data shall be:
- processed lawfully and transparently;
- collected for legitimate interests;
- retained securely and accurately, and for no longer than required.
The GDPR creates the following new rights for individuals and strengthens some existing rights under the Data Protection Act. These are the right:
- to be informed;
- of access;
- to rectification;
- to restrict processing;
- to erasure;
- to portability.
The GDPR includes provisions that promote accountability and governance.
Organisations must introduce technical and organisational measures to ensure, and to demonstrate, compliance.
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations, to ensure that the protection of the individual is not undermined.
The GDPR requires organisations to notify the supervisory authority within 72 hours where a breach is likely to result in a risk to the rights and freedoms of individuals. If a breach is likely to result in a high risk to those rights and freedoms, the affected individuals must be notified as well.
STEPS YOU CAN TAKE NOW
Start thinking about how you should frame your data protection policies in line with the principles set out by GDPR. Think about how you document the decisions you take about processing activity.
Manage your consents for data processing, and think about how you distribute information, including any of their personal data, to your clients. Firms need to manage consents and policies, and must be able to access personal data efficiently.
Document policies and processes, including a Data Protection Impact Assessment, distribution and data mapping.
Produce contract terms that reflect the transfer requirements, and document transfers and data flows. Implement processes to detect breaches, ascertain the scope of the data at risk and inform all concerned parties swiftly.
SOME QUESTIONS TO START ASKING YOURSELF
Have you mapped out where all your data is stored, distributed, secured and accessed digitally?
Do your practice management systems comply with ICO guidelines on the storage of digital data?
How much data is the firm distributing via email?
How many third parties require the firm to transfer personal data to them?
Are individuals made aware of this in your data protection policy?