If you are an attorney who wants to be on top of his game, it is critical that you understand the implications of the new General Data Protection Regulation known as GDPR, or Regulation EU 2016/679. The regulation will be fully enacted on May 25, 2018, replacing the Directive 95/46EC from 1995. The GDPR aims to give EU citizens and residents more control over how organizations and businesses handle, store and use their personal data, as well as simplify the regulations for international business, by unifying the procedures within the EU.
Law firms and data
Due to the nature of their business, law firms store vast amounts of personal data. That being said, they have a great responsibility to keep personal information safe and take full accountability for how they collect, store and use that information. In order to ensure compliance with the EU standards, U.S. law firms will have to adjust the procedures they use for collecting, storing and using personal data of their EU clients.
Differences in ‘privacy’ laws
The 28 EU member states observe privacy as a fundamental human right and legislate access to their citizens’ data accordingly. Even before the GDPR came into power, the EU model employed a comprehensive approach to privacy law. In essence, when it comes to collecting, using and sharing personal information, nothing can happen without the notice and consent of the individual subject of that data.
By contrast, the U.S. law doesn’t legislate that privacy is a fundamental human right. The word ‘privacy’ doesn’t even appear in the Constitution. Instead, privacy laws tend to be created when a need for them arises. Due to its history and commitment to First Amendment protection, the U.S. does not view privacy rights in the same context as the EU: the privacy laws in the U.S. are sectored across industries. Law firms in the U.S. have to ensure that their compliance programs can safely transfer personal information to the U.S.
Impact of the GDPR on law firms
The layout is simple: if your law practice collects, stores and uses personal data of EU citizens, you will be subjected to GDPR. According to GDPR, the parties are either ‘controllers’ or ‘processors’. A data controller is an organization or a business that specifies how and why personal data is processed, while a processor does the actual data handling. In the scope of this article, a controller could be a law firm, while a processor could be an IT firm hired to process and store data. One important aspect is that even if your business is based outside the EU, the GDPR still applies as long as you deal with EU citizen’s personal data. For non-compliance, fines could amount to 2% of annual worldwide turnover, or 10 million, whichever is greater.
Accountability and records
Among other obligations the GDPR imposes on law firms, one of the most important is accountability. It means that a firm must keep an accurate record of the data it handles, demonstrate how it was collected and if the collection method was lawful. Next, a company must be able to prove that it is managing personal data in a way that is compliant with the regulation. On request, firms must be able to present the details of the data they hold and how it is being used.
More affirmative consent
Under the GDPR, consent must be given freely, affirmatively, and specifically, and should include an unambiguous indication of the individual’s wishes. Law firms will need to review how they collect and handle consent, with no room for passive options and pre-ticked boxes.
Greater rights for citizens
The GDPR will create additional rights for individuals and enhance some of the rights that are currently enacted under the DPA. On the business end, law firms will have to ensure they allow individuals to exercise a range of individual rights. This includes the right to be forgotten, right of data portability and right of access. Basically, it means that individuals can request access to their data in ‘reasonable intervals’ and the controller must respond within one month.
With the arrival of the GDPR, data protection doesn’t solely lie within the responsibility of IT processors. The new EU legislations also holds controllers accountable, so the protection and accountability for clients’ personal data must be embedded into your company’s procedures. Biography: Stella is an MBA student and a writer who specializes in business management and cyber-security.
Hundreds of Business Opportunities – Visit the Home Business EXPO
