There can be little doubt that one of the major compliance issues of this year will be the implementation of the GDPR on 25th May.
You are bound to have received regular e-mails warning you of the disasters ahead if the new provisions are not fully addressed before the start date. However, although there is no shortage of reading material providing an overview of the new provisions, so far there has been precious little advising what it will all actually mean for the legal sector and what you will actually need to do in order to achieve compliance.
There are probably good reasons for this. A Data Protection Bill, designed to supplement the regulation and to make allowance for a changed position post-Brexit, is still making its way through Parliament despite there being barely three months to go before the start date. Rather like the Money Laundering Regulations last year, we might yet find ourselves in the unsatisfactory position of having final provisions to be addressed at a very late stage indeed.
In an attempt to help Infolegal members deal with GDPR, Infolegal has produced – and will be continuing to produce over the next few weeks – a range of materials designed to assist your firm with compliance.
As to the likely impact of the new regulation, the view of many seems to be that there is little that is new about the GDPR (other than a new duty to be able to evidence compliance and issues relating to consent) and that those who have been compliant with the Data Protection Act 1998 to date should find compliance to be relatively straightforward.
Where the key difference may lie in the future is in relation to enforcement. To date, the data protection regime has been relatively relaxed: in practice it has meant ensuring that the firm is duly signed up to the ICO’s registration scheme and taking due care over the handling of data and the effectiveness of the firm’s IT security systems. This may change. Indeed, much has been made of the more extensive obligation to report major data breaches (now extending to the private sector as well as the public sector, where such a duty already applies) and of the fines that might be levied in serious cases.
However, for law firms, COLPs are already under an obligation to report confidentiality lapses that amount to a material breach of the Code of Conduct to the SRA and so this is nothing new as such. What will be required, however, is much closer control of the personal data for which the firm is responsible (combined with a clearer understanding of where it is stored and how it is used), clearer information for staff members and other outsiders on what is held and how it must be treated, and greater attention to the rights of clients and potential clients as data subjects.
Despite any uncertainty as to the precise interpretation of the main provisions, it is already clear what the major issues will be, and it would clearly be wise for firms to take steps to ensure that preparations for the new regime are under way.