GDPR for law firms – it’s more than just a Privacy Statement!
There was a massive rush to get everything in place by the 25 May deadline last year when the General Data Protection Regulation and the latest Data Protection Act came into force. Before the deadline law firms took various positions from “this doesn’t apply to me” through to “we can do this all in-house”. Many of my clients realised the scale of the task and asked me to help – and my GDPR for law firms service was born.
Many firms who thought they could go it alone quickly realised that the process was complex. They discovered that they didn’t have the right tools to complete the documentation they needed to become compliant. The process takes time with the need to work through the different stages. Even the most courageous began to lose the will to live when they had to create a Legitimate Interests Assessment!
This inevitably resulted in many firms simply copying a suitable Privacy Statement from the website of someone who had done the work and pasting it onto the privacy page on their own website. A few tweaks and – voila! – compliance! Except, it’s not compliance.
This was a quick fix and there was always the intention of getting the rest of the documentation in place now that the pressure was off. Business being as busy as it was and is, it’s easy to see why completion of the compliance documentation would be put on the back burner. The problem is that this could be a ticking time bomb!
Whilst a Privacy Statement is an essential element of the GDPR, it’s not the be all and end all. What’s not clearly understood is that the compliance stages you have to complete are what lead you to the Privacy Statement.
The 6 stages to compliance
On our GDPR for law firms page on our website we take you through the six stages of compliance, and you can read about each of them there in detail. The important aspect of this is that each stage builds on the previous one, starting from the Data Audit. This is where you map out the categories of personal data you process. This allows you to establish your Lawful Basis for Processing each category and, where appropriate, create your Legitimate Interests Assessment – and believe me when I say that lawyers need to complete a number of these given the nature of the personal data they process.
All law firms work with third parties who process their clients’ personal data – some are more obvious than others. You need to chart these and check you have a third party data processing contract in place with each of them. The next stage is setting down your data policies before then creating your Privacy Statement – and remember, you need one that’s public facing and one for your employees.
If you’ve counted the steps so far, you’ll realise there are only five.
Perhaps the most overlooked stage is the final one. This is when you should review the nature and extent of the data you currently hold. There is a principle that says if your data isn’t accurate, you shouldn’t have it. How many client records do you have where the address and other contact information is inaccurate? If a record is inaccurate, you need to either correct it or delete it.
This, again, is a huge challenge in the GDPR for law firms process. If your clients no longer live at the address you have for them in your Practice Management or Accounts system, that’s either because you haven’t updated it when you acted for them when they moved house or you have no idea where they are. Perhaps it’s because their record hasn’t been updated – if that’s the case, you can easily correct it. If it’s not, how do you know your contact data is accurate?
How can I check if my data is “adequate”?
There is a simple, straightforward way to check your address data: compare it to the Royal Mail address file. Apart from Royal Mail (who will charge you a minimum fee of £1,000 for data processing work) there are other online facilities available that will allow you to self-check your data – and provide you with details of those clients who no longer live at the address you have for them. This enables you to correct your data (although there are issues concerning clients where you hold a Will or other important papers but where the address check reveals they no longer live at the address you have for them!). If you need further information to help you deal with this please get in touch – we can point you in the right direction to make sure you can complete the final stage in the GDPR for law firms process.
The GDPR compliance challenge
Becoming and staying compliant is a challenge that all law firms face. Please don’t take the risk that you won’t be found out. If you don’t complete the compliance process and cannot provide your compliance documentation to the Information Commissioner should it be asked for, bear in mind that the Information Commissioner’s capacity to levy eye-wateringly high fines is enormous – don’t be the first to fall foul of this. If you do need any help with this, please get in touch.
If you would like further information or guidance on the General Data Protection Regulation or the Data Protection Act 2018, the following resources may help:
Information Commissioner’s website – Guide to GDPR.
The Data Protection Network – Practical Guide for Businesses (free membership sign up required).
The DMA (Data & Marketing Association).