GDPR will bring good data to your practice

GDPR in a nutshell

The holding of personal data in the UK is regulated by the Data Protection Act 1998. This Act will be superseded by the General Data Protection Regulation (GDPR) when its provisions take effect on 25th May 2018. The principles of the GDPR are similar to those of the Data Protection Act 1998; however, the GDPR includes significant new obligations for organisations and grants individuals a range of new rights.

GDPR will be a positive benefit for organisations that are serious about protecting their clients' personal data. Early compliance with GDPR will position firms to pick up business where an incumbent supplier has failed to embrace the new regulations.

GDPR will be policed by the Information Commissioner's Office (ICO) in the same way that the Data Protection Act has been. The ICO will no longer levy the annual £35 notification fee; it is replaced by a new data protection fee payable by organisations that process personal data. Fines imposed by the ICO are paid to the Treasury, not retained by the ICO. Fines will increase significantly under GDPR compared with those imposed by the ICO under the Data Protection Act: the maximum fine will be €20,000,000 or 4% of worldwide annual turnover, whichever is higher, compared with £500,000 currently.

There is an informative guide to GDPR available on the ICO website that explains the provisions of GDPR and helps firms to prepare. Training is an essential element of GDPR compliance. Well-educated personnel are less likely to make mistakes and cause a breach of personal data. eLearning is an ideal way for practice managers to ensure all staff obtain the training they require in convenient bite-sized chunks.

The GDPR Academy is dedicated to providing up-to-date information about GDPR and the Data Protection Bill currently working its way through Parliament. GDPR Academy courses combine video, animations, infographics and downloadable technical documents with multiple-choice quizzes to confirm that a topic has been successfully learned.

12 steps to take now

Law firms hold vast amounts of personal data because of the nature of their work, including conveyancing, family law and corporate transactions, so any law firm data breach will be taken very seriously by the ICO. Firms must protect themselves as diligently as possible and be able to demonstrate that they have taken appropriate technical and organisational measures to avoid a data breach.

Firms need to ensure that all personal data they hold in relation to staff, clients, prospects and suppliers is not only secure but has been collected in accordance with GDPR and is managed accordingly. The past ways of gathering a prospect list won't necessarily be compliant with the new regime. Firms now need to demonstrate good procedure, compliance and a lawful basis for processing, such as express consent from the individuals concerned.

Law firms must demonstrate that they have a data protection policy, including a data breach policy, because a breach that is likely to result in a risk to individuals must be notified to the ICO within 72 hours of the firm becoming aware of it.

Cyber security is an integral part of protection against data breach, and law firms are at high risk of cyber attack due to the very nature of their business, for example the conveyancing frauds seen recently where spoofed emails duped purchasers into transferring funds to accounts controlled by criminals. The Government's Cyber Essentials programme is a good place to start to establish how well your practice is protected against cyber attacks.

Protection against cybercrime depends as much on the human element as on technological solutions. A firm's defences are only as strong as their weakest element, and a junior member of staff clicking on a malware link can infect the whole firm's systems and leave them open to attack. This is where training is of the utmost importance: by taking eLearning courses, a firm's training can be continually monitored and recorded, giving the firm documented evidence of its efforts should it need to account for a breach.

It is estimated that only 20% of UK businesses will be GDPR-ready by the time the regulation comes into force. Good governance aids good practice. Firms that are properly prepared for GDPR and best protected against cyber threats, and that can demonstrate compliance through policies, training and management, will be able to use this governance to run their practices more smoothly and take advantage of the new regulations.

Dominic Cullis, GDPR Academy