By now you have heard the news...the European Union’s General Data Protection Regulation (GDPR) will be in effect as of May 25, 2018. Many companies have been actively preparing for GDPR for the past year. Law firms have likely found themselves providing guidance to clients as part of these preparations. But, has your law firm conducted their own GDPR assessment and prepared for compliance? It is no small task! Hopefully, the following will be helpful in confirming your GDPR readiness steps.
Understand the regulation
Of course, the first step in determining what needs to be done is understanding the regulation, itself. There are many ambiguities - or at least uncertainties, at this point - when it comes to interpreting the regulation. A general understanding of what the law is striving to achieve will help you best determine where you need to focus your compliance efforts. Of course, if you do not conduct business in the European Union (EU), or market to clients in the EU, your GDPR compliance needs are likely quite limited, if even necessary.
Key points
The GDPR provides certain data privacy rights and protections to EU citizens (data subjects). The intent is to ensure that personal privacy rights are not compromised when the personal information of individuals is collected by an organization, even if for business purposes. One must understand that the EU, unlike the U.S., defines data privacy as a basic human right. This can be difficult for some U.S. Companies to appreciate, as the definition of privacy is much broader than in the U.S. Thus, information, such as contact information which a law firm might use to send clients or potential clients an electronic update on recent case law, is considered to be protected information under GDPR and must only be provided with the consent of the data subject.
The regulation also defines key terms which are also important to understand in determining your compliance risk assessment. For example, in the context of GDPR, are you a data controller? A data controller is an organization who physically controls personal information regarding a data subject and who determines how that data is handled. The data processor actually processes the data, or arranges for the data to be handled by another sub-processor. If you are a law firm who manages client contact information for marketing purposes, or who maintains employee information for those employees housed in the EU offices of your firm, you are a data controller and must take steps to ensure compliance with GDPR. If you conduct analyses, or otherwise use the data you control, you are also a data processor. Another example is if you are a law firm managing e-discovery, in which case you are both a processor and a controller. These roles impose certain data protection obligations on your organization pursuant to GDPR.
Another key, but certainly confusing, concept of the regulation is that of “legitimate interests”. The regulation provides for processing of certain data when the legitimate interest of the data controller permits such processing. For example, data subject consent may not be required if the controller needs to maintain certain information to ensure compliance with regulatory requirements. Using “legitimate interest” as a basis for processing requires a balancing analysis that the organization should undertake to ensure the data privacy rights are not overruled.
Assemble a team
Another key step in your GDPR compliance readiness is to assemble a team responsible for assessing and directing your compliance program. This team should likely include Information Technology staff, the firm’s risk management partner, law firm security, law firm general counsel, Records or Information Governance, and if possible, an attorney with GDPR expertise. The team will be responsible for prioritizing the steps necessary to achieve compliance. It is likely this team will have an on-going role in maintaining compliance, as well. In addition, you will need the participation of key business representatives (HR, Marketing, Finance, and e-Discovery are top examples). Further, you will potentially need to appoint a Data Protection Officer, if not designate an existing person to assume this role.
Understand your data flow
One of the biggest tasks on the road to GDPR compliance is understanding your data repositories and data flow. What are the key repositories of information which contain EU citizen personal data? Likely prioritized locations include HR systems (applicant data, employee personnel files, payroll information), marketing systems which maintain client and potential client contact information, and e-discovery platforms. Keep in mind that, in the law firm environment some of these repositories might be outsourced to third-parties, introducing sub-processors to your data protection requirements.
Develop a matrix and chart your risk
As you speak to the law firm business units, it is recommended that you develop a matrix comparing your data sources and repositories with the regulatory requirements of GDPR. The matrix can be used to assign risk categories, and to document your needs requirements. The matrix should include the data repository, business owner, type of data maintained, how the data is used, indication of PII maintained, retention period, and GDPR requirements. For marketing data, you might have your CRM system as a key repository, which contains personal contact information for clients and potential clients. The GDPR requirement should include consent requirements and, possibly a requirement for a data privacy policy made available to the client/potential client.
Develop documentation
Once the assessment has been performed, any necessary documentation should be created. Documentation might include a data privacy policy and standard consent forms. You might also require data processing agreements, both in your firm’s role as a data processor, and also for any sub-processors who process data on your behalf. This could include third party platforms which host applicant and employee data or cloud-based e-discovery platforms.
Data security
Data security has been an area of focus for many law firms over the past several years, with many law firms pursuing and obtaining security certifications, such as ISO 27001. GDPR incorporates the data security concerns and requires notification to data subjects within 72 hours in the event of a data breach. If your firm has not already addressed data security, now is the time to ensure that you are positioned to meet the breach notification requirements of GDPR.
Right to be forgotten
GDPR also provides data subjects with “the right to be forgotten”. Thus, as an example, in the event a former employee invokes this right, the firm must be in a position to identify and delete the information regarding that employee, or be in a position to explain why that data needs to be maintained for the legitimate interests of the firm. For those managing e-discovery, this is quite likely something already in place, if you have had to deal with deleting e-discovery data pursuant to a protective order. If not, a procedure around this process will need to be developed.
Conclusion
While daunting, and still subject to review of how it will be enforced, GDPR compliance for your firm is achievable. However, time is of the essence. If you have not started, it is highly recommended that you review the regulation, form your compliance team and begin the data mapping exercise, creating your data matrix/risk assessment to prioritize your path to compliance.
And if you missed the first blog in our GDPR series, please check it out HERE
If you would like to read the third, and last, blog in the series please check it out HERE
#GDPR