Orlagh Kelly of Briefed (providers of GDPR training to the Bar Council), a barrister, trainer and consultant specialising in GDPR, explains how these regulations have affected law firms and what you should be doing about GDPR compliance. (Updated 17 March 2021)
The General Data Protection Regulation rules continue to have an enormous impact on how law firms collect and use data.
On 1 January 2021, the UK formally adopted the GPDR into domestic law. It is now referred to as the UK-GDPR.
As things stand, the status quo will remain until June 2021. At the end of February 2021, the European Commission issued a draft adequacy decision for the UK. If formally implemented, this will mean that any law firm receiving data from the EEA (European Economic Area), including any EEA data centres, will be able to continue its data transfer relationship without having to implement any additional safeguards. But regardless of any adequacy decision, your firm's privacy notice should reflect the existence of any international data transfers by your firm. (In the absence of an adequacy decision, lawyers would have to ensure they have an alternative safeguarding mechanism in place to allow for the lawful continuation of such data transfers. Checks should be made to ascertain the location of data centres where firms are using cloud storage for their data.)
Meanwhile, it is becoming clearer where the big risks lie for law firms. ‘Sensitive’ data needs to be protected with particular care. All law firms have employment records and those who practise employment law will have sensitive data in their case files: medical records and information that relates to ethnic and religious backgrounds, political affiliations and sexual orientation. Financial information such as bank account details – a particular target for hackers and fraudsters – is the other obvious risk.
As ever, there are practical steps you can take to help ensure compliance with the key requirements of GDPR.
"If you can show that you are taking reasonable steps to comply, you are unlikely to face the hair-raising penalties (up to 4% of annual worldwide turnover) that GDPR allows for."
Charles Attwell, senior risk management consultant, Travelers
Your use of personal data
Your first step should be to review your firm's use of personal data. What personal data do you hold and where does it come from? How and why do you use it? Is it shared with anyone else (such as any provider of 'cloud' IT services that you use)?
For most law firms, understanding what personal data you hold should be relatively straightforward, and much the same as under the pre-GDPR data protection rules. But GDPR has extended the definition of 'personally identifiable information (PII)' to potentially include other data that you might be collecting, such as the IP addresses of visitors to your website.
Review the types of data you hold. Aim for data minimisation and storage minimisation. Do you really need all of that data, or could you achieve the same business objectives with less data? Are you holding any data longer than you need to?
At the same time, you should introduce a system for assessing the privacy impact of any new data processing activities (or significant changes to existing practice) that you introduce. A data protection impact assessment (DPIA) is a useful way of doing this.
A DPIA is legally required if there is a high risk to individuals. For example, you might need a DPIA before introducing new systems for processing sensitive client information, or monitoring employees' internet activity or using CCTV.
"Consent must be freely given and unconditional. For example, asking employees for consent to process their personal data as part and parcel of their contract of employment is not acceptable, as they may feel under pressure to agree."
Olivia Sinfield, associate director, Osborne Clarke
GDPR requires firms that process sensitive personal data on a 'large scale' to appoint a Data Protection Officer (DPO). Whether your firm's activities qualify as large scale may be open to interpretation – for example, a sole practitioner is unlikely to be required to appoint a DPO – but it's good practice to appoint someone in the firm to take primary responsibility for data protection compliance.
Ideally, you want someone who is an expert in data protection law and who also understands how your firm collects and uses data. In practice, that might involve collaboration between the firm's marketing and IT personnel – supported, where necessary, by advice from an in-house data protection lawyer or external specialist.
If you are legally obliged to have a DPO, you can appoint an external service provider to the role.
Whatever arrangements you make, it's essential that your data protection lead can promote good practice throughout the firm. As well as having the personal expertise and authority to do this, top level commitment and support from the firm's management team is vital.
"Contrary to popular belief, there isn't an automatic exemption from the DPO requirement for small firms."
James Boyle, partner, Taylor Vinters
Lawful processing and consent
Under GDPR, you can only process personal data if you can identify a lawful basis for doing so. For example, legitimate reasons include processing the personal data involved in pursuing or defending a legal claim.
In terms of marketing your law firm, processing personal data can generally be justified on the basis of pursuing the firm's 'legitimate interests'.
Separate regulations continue to apply for electronic marketing (currently, these are the UK’s Privacy and Electronic Communications Regulations (PECR), although the EU is expecting to update the law in this area to bring it in line with GDPR).
You are allowed to email a current or previous client, or the business email address of a limited company (and any person using that email address), provided that any mailshots include an option to opt out.
Emailing private individuals is a different matter – and this includes sole traders and some partnerships. You need their consent before you email them, or you must be able to demonstrate you meet the ‘soft opt-in’ requirements of PECR. For example, you are allowed to email people whose details you have obtained through the course of negotiations for sale (eg an enquiry), but there are parameters you need to meet. The Information Commissioner’s Office has produced a 57-page guide to explain the details.
For those situations covered by GDPR (rather than PECR), you need to ask for consent using simple, clear language that explains what the individual is allowing. You must ask for consent separately from any other terms and conditions the individual is agreeing to. And you must keep clear records of consent – which can be withdrawn by the individual at any time.
Consent must be actively given – pre-ticked consent boxes are explicitly ruled out. You'll need to think carefully about how you can encourage people to give consent, by stressing the benefits. Asking individuals to choose between two (equally prominent) options – consent or no consent – tends to lead to a higher level of opting-in than a single opt-in choice that can be ignored.
You can continue relying on existing consents, but only if they meet the GDPR requirements. For example, consents that were obtained using a pre-ticked box will no longer be valid. You should check how consents have been obtained by any mailing lists you use.
As before GDPR, you must make it easy for individuals to withdraw their consent – for example, by including an 'unsubscribe' option on marketing emails. It must be as easy to withdraw consent as it was to give consent in the first place. You should also aim to 'refresh' existing consents periodically (every two years is a guideline).
"Consent has to be separate from other terms and conditions and so shouldn't be a precondition of your service. But you may choose to incentivise consent – for example, by offering a free guide to people who join your mailing list."
Charles Attwell, senior risk management consultant, Travelers
GDPR includes more detailed requirements for privacy notices than the Data Protection Act that it replaced.
Privacy notices must be easy to understand. That includes writing them in simple language and keeping any policy reasonably concise. The notice should include:
- The firm's identity and contact details, and contact details for the data protection officer (if applicable).
- Why you want to process individuals' personal information and on what basis (for example, if you are asking for their consent).
- The names or categories of any organisations their information may be shared with.
- If the information will be transferred to any third country and what protections are in place.
- How long the information will be kept, or how you will work out when to delete it.
- What rights the individual has (for example, to withdraw consent, to ask for inaccurate information to be corrected, and so on).
The overriding aim is to provide transparency, so that individuals can really understand what is being done with their personal data.
Individuals' rights have been extended under GDPR. You need to make sure that you have procedures and systems that allow you to respect these rights. This may include upgrading the capabilities of your IT systems to give you better control over the data you hold.
- Individuals must be informed about how their data is being used – typically, through an appropriate privacy notice.
- Individuals are entitled to know that their data is being processed, and to see a copy. Unlike the previous system, you can no longer normally charge a fee for subject access requests. Information must be provided as soon as possible, usually within a month at most. You need to be able to verify the identity of the individual, and to supply information in a commonly-used electronic format.
- If the information you hold is inaccurate, you can be asked to correct it. If you have shared the information with third parties, you should also notify them of any corrections.
- In some circumstances, individuals have a 'right to be forgotten', meaning that you erase their data and can no longer process it. For example, if the data is no longer needed for its original purpose, or when an individual withdraws consent. There are some exceptions, including retaining data that you need for making or defending legal claims.
- In some circumstances, individuals can restrict or object to processing of their personal data. This includes the right to withdraw any consent they have given. There are also various safeguards relating to profiling and automated decision-making.
You must have appropriate security in place to help protect personal data. This will typically include technical measures such as systems to reduce the risk of your computer network being hacked. Protecting data with encryption will help minimise the risk that a security incident will put personal data at risk.
You should also put in place appropriate organisational measures. For example, these might include restricting access to confidential information, policies on transferring personal information to personal or portable devices, and so on. Employees should be trained in the importance of data security and how to minimise risks.
GDPR is a good opportunity for your firm to review data security. Given the sensitive nature of much of the data held by law firms, security should be given a high priority. Effective security helps protect individuals' data and minimises the likely consequences – to individuals' and the firm's reputation – if something goes wrong.
You can find out more about the risks to law firms and steps to take from the Solicitors Regulation Authority report on IT security. You can also use the government's Cyber Essentialsscheme to help assess and improve your security.
In the last quarter of 2020, the ICO reports that the largest source of data breaches within the legal sector are as result of data being sent to an incorrect recipient by email. The legal sector remains in the top five sectors within the UK to have reported data breaches.
If there is a data breach that is likely to harm individuals, you must report it. This is likely to be the case for any incident involving personal information that isn't already publicly available.
Typical incidents involve clients' (or employees') personal information being accidentally disclosed, or accessed by someone who isn't authorised. Incidents can also include problems where information is accidentally or maliciously destroyed or altered, or becomes unavailable (eg because of a systems failure) – for example, if this means that you cannot properly defend a client.
You must report the breach to the Information Commissioner's Office (ICO), within 72 hours (where feasible) of becoming aware of it. While you may not yet know all the details, you will need to let them know what has happened. If possible, this should include explaining what individuals and what data has been put at risk.
You need to outline what the likely consequences of the breach are. You also need to explain what you have done, and what else you plan to do, to deal with the problem and to help reduce the risk to the individuals involved.
Data breaches that involve a 'high' risk to individuals must also be reported to the individuals concerned, as soon as possible. For law firms, data breaches are likely to be high risk. For example, you would need to let clients know if unencrypted confidential information had been exposed, or tell employees if a data breach meant that they were at risk of identity theft.
See the ICO infographic 'Summary of data security incidents relating to solicitors and barristers reported to the ICO in 2015/16'.Although dated, it provides a useful snapshot of the risks.
"Showing you had clear data protection policies and controls in place, along with training for all employees, can help to reduce the risk and severity of any fine."
James Boyle, partner, Taylor Vinters
Using service providers
It's likely that your firm uses external IT service providers to process personal data. For example, you might be sharing personal data with a payroll provider, storing documents 'in the cloud', and so on.
These 'data processors' must meet the requirements of GDPR. And you have a responsibility to check that any processors you work with are compliant.
Key issues to check include:
- Do you have a clear contract, setting out exactly what the service provider does with the data? They should be prohibited from using your clients' personal data for their own purposes.
- What security measures are in place to protect personal data? As well as encryption, these might include 'pseudonymisation' preventing personal data being linked to the individuals concerned. Does the supplier have any certification to show that they meet security standards?
- What restrictions are in place to prevent your clients' data being shared with others, such as subcontractors? If any subcontractors are used, what guarantees are there that they too are GDPR-compliant?
- Does your use of external suppliers, and the solutions they offer, meet the GDPR requirements for data minimisation and storage minimisation? Are you unnecessarily sharing more data than you need to?
- Will all personal data be transferred back to you and/or deleted from your supplier's systems when you stop using them?
- Do the solutions help you meet your GDPR obligations? For example, by allowing you to provide copies of individuals' personal data when asked to.
While major providers should be actively taking steps to ensure compliance, smaller companies may not – or may not even be aware of GDPR. In cases like these, you may need to actively work with a supplier to check and improve GDPR compliance, or look to use an alternative supplier instead.
Similar considerations apply if you share personal data with barristers when you instruct them. You need to make sure they have signed an appropriate data sharing agreement. Otherwise, if the barrister has a data breach your firm could face sanctions for failing to take proper security measures.
To access barristers who meet a high standard of GDPR compliance, validated externally, there is a directory of GDPR-certified barristers. It is produced by Briefed.pro in partnership with the Bar Council of England and Wales.
GDPR top ten
- Appoint an individual to take responsibility for GDPR compliance and organise any specialist advice you need.
- Invest in law-firm-specific training on GDPR and data breach risks – throughout the firm.
- Carry out a data audit to establish what personal data you hold and how you use it.
- Review whether you could reduce the amount of personal data you hold or how long you store it for.
- Introduce a system of carrying out a privacy impact assessment before introducing new personal data processing.
- Upgrade your consent process to ensure individuals genuinely opt-in; review existing consents and mailing lists.
- Make sure you can respond to individual requests to see, correct or delete their data.
- Review and if necessary upgrade the firm's data security measures.
- Be ready to notify ICO of any data breach promptly.
- Before sharing personal data with barristers or IT providers, check their GDPR compliance and put in place the right data sharing agreement.