“We don’t do marketing.” “We already comply with the DPA.” “We outsource our IT.”
Does the legal sector need to worry about GDPR?
These are all bedtime stories some in the legal sector have been telling themselves about GDPR. The truth is, like any business, the legal sector must be ready for GDPR-day in May. There’s a lot of evidence to suggest it isn’t.
Law firms are both controllers and processors of their client’s data, meaning there are quite a lot of rules that must be followed. Current data collection methods, particularly consent, must be reviewed before May. It’s crucial to review the conditions for processing data and identify the correct legal basis. Some conditions, like consent, may not be valid for all processing activities after May.
US FinCEN rules to come into force in May
Another vital reason to invest in getting GDPR compliance right for your law firm, particularly if your firm operates in the US, is the adoption of new FinCEN rules, also in May. The United States Financial Crimes Enforcement Network (FinCEN) is requiring financial institutions operating in the US to process and vet sanctions data, negative-news data, corporate associations, individual associations and more on ultimate beneficial owners. Essentially, institutions will need to be able to track the entire relationship from customer to UBO, and all the corporate vehicles in between them.
Processing large quantities of data
Mass amounts of data will need to be processed and researched for tens of millions of companies worldwide. Trawling the internet for data on UBOs and seeking out the natural owners of accounts will doubtless net a number of EU citizens, whose data must be treated with GDPR compliant procedures come May. Even storing that information must be done in accordance with EU laws.
It becomes more complicated the further the data travels. If it is sent on to third parties, sent to third countries, or combined with other information about an EU citizen, there must be strict processes in place to keep it safe.
If a customer requests their data, they must have it provided for them free of charge and within one month of the request. It’s not as simple as it sounds though, as various exemptions can apply, not to mention disclosure rules and the potential pitfalls of prejudicing investigations.
Current contracts, particularly third party agreements will need to be reviewed and amended, and they must be aware of what they can and can’t do with it. You’ll also need a system to record and report data breaches, and a data protection officer (or someone who carries out that function) to help ensure compliance. Cyber security attacks are not something law firms can easily ignore, with one in five law firms experiencing attacks every month. Nor, for that matter, is ensuring compliance with GDPR.
VinciWorks’ online GDPR training
VinciWorks has recently updated and expanded its course, GDPR: Privacy at work, to provide an in-depth training approach to GDPR. The course includes new modules, refreshed scenarios, up-to-date guidance on GDPR and the latest GDPR developments. You can demo the course for free by clicking the button below.
This blog is the fourth in a series of GDPR Mythbusters VinciWorks will be publishing to help businesses determine between helpful guidelines and scary myths. Sign up to our GDPR Mythbusters webinar.