You can find GDPR guidance and templates provided by the Law Society for the profession in this section.
Guidance - 1 to 11
- Becoming Aware
- Becoming Accountable
- Communicating with staff and service users
- Personal Data Protection Rights
- Subject Access Requests (SARs)
- Lawful basis for processing personal data
- Processing Children's Data
- Data Breach Protocol
- Data Protection Impact Assessment
- Data Protection Officer
Guidance 1: Becoming Aware
- Has a person with appropriate seniority been appointed to drive GDPR compliance in the firm?
- Are staff generally aware of data protection rules?
- Are staff aware of the consequences of failure to apply data protection rules?
- Have staff completed basic data protection and basic information security training?
- Are your staff able to recognise and respond to a subject access request?
- Are your staff able to recognise and respond to a data security breach?
- Are staff trained in data protection matters?
The most important aspect of ‘Becoming Aware’ is to appoint a responsible person to drive GDPR compliance, to raise awareness of risks, to identify training requirements and to implement protocols such as how to respond to subject access requests and data security breaches.
It may not be expected, nor desirable, that everyone in the firm would take responsibility for responding to a subject access request or data breach, but it is important that every staff member knows what these events look like so that the matter can be referred internally to the person who is trained in how to respond.
Awareness is an ongoing obligation and refresher training will be required to keep staff up to date with, and conscious of, requirements.
Guidance 2: Becoming Accountable
- Has your firm completed a record of its processing activities (a data inventory)?
- Is your firm able to provide a record of its personal data processing to the Data Protection Commission if they requested it?
- Does your firm have an agreed schedule to review and update the data processing record?
The GDPR requires organisations to demonstrate and document the ways in which they comply with data protection principles. This is called the ‘accountability principle’ (Article 5(2) GDPR). This generally involves
- documenting the personal data processed by the firm, key risks relating to that data and measures that the firm is taking to protect that data (creating a ‘data inventory’) and
- maintaining records of data processing activities (see Article 30 GDPR). Given the conditions attached to the derogation from this requirement (discussed below), it is likely that the vast majority of law firms will need to keep a record of processing activities.
The firm should also consider and document other matters such as transfers of personal data outside the EEA, special categories of data, data relating to children or minors and processing which causes a security risk such as bank details of clients or counterparties.
The reasoning behind these measures is to assist with other requirements in the GDPR. For example, if there is a data breach, the firm will have a list to hand identifying who to notify. It may even assist with identifying the source of a data breach. Another example of the utility of the record is where personal data of some individuals are affected by the breach and not others; there may be a common service provider for the affected data that can be identified as the source of the breach. The record can also be of assistance where personal data is inaccurate. In that circumstance, the firm will be required to follow up and correct that information with all the third parties with whom it shared the inaccurate data.
Note that with respect to the requirement to maintain records of data processing activities, there is a derogation for entities with fewer than 250 employees. However, the derogation cannot apply if the processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data (Article 9(1) GDPR) or personal data relating to criminal convictions and offences (Article 10 GDPR).
Many types of processing carried out by law firms, particularly relating to client data but also relating to any non-occasional processing such as that relating to employees, are unlikely to be able to avail of the derogation from the requirement to maintain records. For further information on this issue, please see the Article 29 Working Party Position Paper on Article 30(5) of GDPR.
Note: The data inventory template is a basic template to assist a firm in getting started with GDPR compliance. It should be tailored to the activities of each firm and built upon by each firm.
Creating a data inventory can be very complex. The complexity is not necessarily proportionate to the firm’s size. A small firm that deals with family law, employment and personal injury litigation may be dealing with many different types of data, including special categories of data. A large firm that deals with the business matters of corporate clients may hold no special categories of data on behalf of clients and limited personal data.
Guidance 3: Communicating with staff and service users
- Has your firm made a list of all documents and notifications used to communicate about personal data?
- Has your firm updated these (or, where required, implemented additional notices) to the GDPR level of transparency?
- Is the information concise, transparent, easily accessible and easy to understand?
The next step is to communicate to relevant parties about how your firm uses personal data.
Make a list of all the documents that your firm currently uses to communicate about personal data. This may include the privacy statement on your website, your engagement letter and your employee contracts. Unless drafted with GDPR considerations in mind, these communications and terms are unlikely to be of the standard required for notification under GDPR and will need to be updated. In some circumstances your firm might identify a new area where a notification is required and will need an entirely new document.
The requirements for notifications are contained in Articles 13 and 14 of GDPR. There are different notification requirements for data which is collected directly from an individual and data which is obtained from a third party. These templates apply where the data is collected from the data subject. Where the data is sourced from a third party there are additional requirements; see Article 14 GDPR.
Note that there are extra requirements relating to the form of such notices where the notice is directed to children or vulnerable people.
In order to complete these templates, firms will have to consider the lawful basis upon which they process the personal data. For a list of lawful bases to process data, please see Article 6 of GDPR. When law firms rely on the ‘legitimate interests’ ground, they must specify the legitimate interests upon which they are relying in the Article 13 and 14 notifications.
Firms may consider referring to the privacy notice in their terms of engagement and attaching the privacy notice as a schedule to the terms of engagement or the s.150-152 notices. It is not recommended to embed the privacy notice in the body of the text of the terms of engagement as this is unlikely to be considered appropriate for the GDPR notification standards. Also, firms may need to update a privacy notice from time to time and it may be convenient to do so without amending the entire terms of engagement.
The Article 29 Data Protection Working Party Guidelines on Transparency are a useful source of information to consider when drafting a privacy notice. One common sense rule contained in that guidance relating to the privacy notices is that the people whose personal data is processed should not be taken by surprise at a later point about the ways in which their personal data is used.
Article 14 of GDPR contains some exemptions from the requirement to provide information where the data has been obtained indirectly and Member States are permitted to legislate for further restrictions on the scope of data subject rights related to transparency. The Irish Data Protection Bill will be of importance as it will set out these restrictions, for example, for important objectives of general public interest such as for the establishment, exercise or defence of a legal claim where ‘necessary and proportionate’ (draft section 59 of the Data Protection Bill).
It is a difficult task to communicate appropriately about data processing in privacy notices as there is a conflict between the complexity of the information required to be provided and the obligation to present that information in clear and plain language.
Guidance 4: Personal Data Protection Rights
- Is your firm aware of the rights for data subjects under GDPR?
- Can you comply with data subject rights without undue delay and within the required time limits?
- Have you analysed your systems and procedures to see if they help you to comply with obligations related to data subject rights?
- Who in the firm is responsible for managing responses to requests from data subjects to exercise their rights?
The rights for data subjects under GDPR build on existing rights and add some new rights. They are as follows:
1. to access personal data held about them (Access)
2. to have inaccurate personal data corrected (Rectification)
3. to erasure of their personal data (‘Right to be forgotten’)
4. to restrict processing of their personal data (Restriction)
5. to data portability
6. to object to direct marketing and processing on ‘legitimate interests’, ‘public interests’ and research grounds (Right to object) and
7. not to be subject to a decision based solely on automated decision-making, including profiling.
A further right is the right to be informed about the intended uses of personal data collected from the data subject. The data subject must be informed about the intended uses of their personal data upon its collection where the personal data is collected directly from the data subject, and within one month if the information is obtained indirectly (Articles 13 and 14 GDPR).
The rights listed at 1-7 above must be described in your privacy notices (see Guidance 3).
Firms will have to comply with requests to exercise the data subjects’ rights listed at 1-7 above without undue delay and within one month. Where the matter is particularly complex and involves a number of requests, this may be extended by two further months where necessary. If the extension of time is required, the firm must notify the data subject of the delay and the reason for the delay within one month of receipt of the request. If the firm decides that it cannot comply with the request, it must inform the data subject and explain the reason why it cannot comply and inform the data subject that they may make a complaint to the Irish Data Protection Commission or seek judicial remedy.
Restrictions on data subject rights
An important limitation on data subject rights is contained in s.162 of the Data Protection Act 2018, relating to data that is subject to legal advice privilege, litigation privilege and relating to data about which performance of the rights would constitute contempt of court.
Important limitations on these rights are also contained in s.60 of the Data Protection Act 2018, which are restrictions for important objectives of general public interest. Amongst other listed types of processing, these restrictions relate to processing:
- in contemplation of or for the establishment, exercise or defence of, a legal claim, prospective legal claim, legal proceedings or prospective legal proceedings whether before a court, statutory tribunal, statutory body or an administrative or out-of-court procedure (s.60(3)(a)(iv) Data Protection Act 2018)
- for the enforcement of civil law claims, including matters relating to any liability of a controller or processor in respect of damages, compensation or other liabilities or debts related to the claim (s.60(3)(a)(v) Data Protection Act 2018)
- for the purposes of estimating the amount of the liability of a controller on foot of a claim for the payment of a sum of money, whether in respect of damages or compensation, in any case in which the application of those rights or obligations would be likely to prejudice the commercial interests of the controller in relation to the claim (s.60(3)(a)(vi) Data Protection Act 2018) or
- where the personal data relating to the data subject consists of an expression of opinion about the data subject by another person given in confidence or on the understanding that it would be treated as confidential to a person who has a legitimate interest in receiving the information (s.60(3)(b) Data Protection Act 2018).
The Data Protection Act 2018 states that additional restrictions may be made by regulations where such restrictions are necessary for the purpose of safeguarding important objectives of general public interest. Examples of the public interest are provided, including ‘avoiding obstructions to any official or legal inquiry’ (s.60(7)(a) Data Protection Act 2018) or ‘preventing, detecting, investigating or prosecuting breaches of ethics for regulated professions’ (s.60(7)(d) Data Protection Act 2018).
In contrast with the broad limitation contained in section 162, any restriction on data subject rights arising out of s.60 of the Data Protection Act 2018 must be necessary and proportionate. With respect to s.162, however, it must be noted that despite the absence of the ‘necessary and proportionate’ wording, the guidance in the GDPR states that any restrictions on data subject rights should be in accordance with the requirements in the Charter of Fundamental Rights of the European Union and the European Convention for the Protection of Human Rights and Fundamental Freedoms (Recital 73 GDPR).
Interestingly, the section 162 legal privilege exception also applies to communicating data breaches to data subjects. We will deal with the data breach issue further in Guidance 9.
We include detail on the right of Access in Guidance 5.
Rectification is the right to have inaccurate personal data corrected. This may also include the right to have an incomplete record completed, including by means of a supplementary statement.
If a firm has shared inaccurate personal data with a third party, it has the obligation to contact the third party to correct this information unless this proves impossible or requires a disproportionate effort (see Articles 16 and 19 GDPR). This obligation to inform third parties with whom personal data has been shared also applies to data affected by erasure or restriction of processing.
‘Right to be forgotten’
A data subject will have the right to obtain the erasure of personal data concerning him or her, and the firm will have the obligation to erase the data subject’s personal data, where one of the following applies:
- the personal data is no longer necessary for the purposes it was collected or processed;
- the data subject withdraws their consent to the processing, where the processing is based solely on consent;
- the data subject objects to the processing which has been undertaken on ‘legitimate interests’, ‘public interests’ or ‘official authority’ grounds and there are no overriding legitimate grounds for the processing;
- with respect to direct marketing, including profiling, where the data subject objects to such processing;
- the personal data was unlawfully processed;
- where required to comply with a legal obligation in EU or member state law to which the firm is subject; or
- the personal data was collected in relation to the offer of information society services (this ground is unlikely to apply to law firms).
If the data has been made public, the firm will have an obligation to take reasonable steps to inform other data controllers of the data subject’s request.
If, however, the processing falls into one of the following categories, the erasure will not be required to the extent the processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation, performance of a task carried out in the public interest, or the exercise of official authority vested in the firm;
- for reasons of public interest in the area of public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or
- for the establishment, exercise or defence of legal claims.
Obviously, the last ground will be relevant in particular to law firms, such as in a situation where an opposing party in litigation requests the erasure of personal data held about him or her.
This is a complex area and to a large degree a new data subject right under GDPR (Article 17 GDPR).
Restriction of processing
Restriction of processing means marking a data subject’s stored personal data with the aim of limiting future processing.
Where a data subject requests restriction of the processing of their personal data, with the exception of storage, it can only be processed for the following reasons:
- with the data subject’s consent;
- for the establishment, exercise or defence of legal claims;
- for the protection of the rights of another natural or legal person; or
- for reasons of important public interest of the EU or a member state.
In addition, the personal data can only be processed for the above purposes where the firm has notified the data subject before the restriction has been lifted.
The data subject can request restriction if:
- the accuracy of the personal data is contested;
- the processing is unlawful and the data subject objects to the erasure of the personal data and requests restriction instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
- the data subject has objected to the processing on the grounds of the controller’s legitimate interest, prior to verification of whether the legitimate interest grounds of the controller override those of the data subject.
Restriction could include updating access controls so that the data is available only to a few within the firm and is read-only, removing data published on a website, etc.
Restriction is a new right under GDPR (Article 18 GDPR).
The right to data portability applies to processing a) carried out pursuant to a contract or on the basis of the consent of the data subject and b) where that processing is carried out by automated means.
It is the right to i) receive personal data provided to the firm in a structured, commonly used and machine-readable format and ii) to transmit that data to another controller without hindrance from the controller to which the personal data was provided.
The issue of the solicitor’s lien on the client file will come to the mind of many solicitors on reading of this new right under GDPR. As under current law, the solicitor’s lien does not override the data subject’s rights relating to their personal data. It is worth pointing out that this right of data portability applies to the personal data concerning the data subject which the data subject has provided to the firm. It does not relate to all personal data about a data subject held by a firm. In many situations, this may be an academic distinction, but in others, it may be an important one.
In order to comply with this right, firms may consider the approach of many technology companies that are pre-empting portability requests by providing an easy access portability mechanism to their service users. For a law firm, this may take the form of a client portal solution, where the client is able to securely view, access and download their client file to their own system at any time.
Data portability is a new right under GDPR (Article 20 GDPR).
Right to object
A data subject has the right to object to processing of their personal data when processed on the grounds of ‘public interest’ or ‘legitimate interests’, including profiling based on those grounds. The controller must cease to process the data unless there are compelling legitimate grounds which override the interests, rights and freedoms of the data subject or, importantly, for the establishment, exercise or defence of legal claims.
The data subject also has the right to object to processing for direct marketing purposes. There is no balancing test to consider where the processing is related to direct marketing. Where the data subject objects to direct marketing, the processing for direct marketing purposes must cease.
The data subject must be provided with information on the right to object under the grounds above at the latest at the time the first communication is sent to the data subject and this must be presented clearly and separately from other information.
In addition, there is a right to object to the processing of personal data for scientific, historical research or statistical purposes and such processing must cease unless the processing is necessary for the performance of a task carried out for the public interest.
The right to object is largely a new right under GDPR (Article 21 GDPR).
Automated decision-making, including profiling
A data subject has the right not to be subject to decisions based solely on automated decision-making, including profiling, which produce legal effects concerning the data subject or similarly significantly affect the data subject.
There are exemptions to this rule, where the decision is:
- necessary for the performance of a contract between data subject and controller
- authorised by European Union or Irish law which contains suitable safeguards
- based on the data subject’s consent.
For the first and third exemptions, the controller must still implement suitable safeguards (e.g. human review of decisions). There are extra provisions where the automated decision-making or profiling includes sensitive categories of data.
This is a new right under GDPR (Article 22 GDPR).
Guidance 5: Subject Access Requests (“SARs”)
- Are your staff aware of the rules related to subject access requests?
- Are your procedures for subject access requests in line with the rules?
Subject access requests were updated by GDPR. The key changes are as follows:
- New timescale: SARs must be dealt with without undue delay and in any event within one month. An extension of a further two months may apply where necessary, e.g. where the requests are particularly numerous or complex, but this extension must be communicated to the data subject within the first month, together with the reasons for the delay.
- No fees: In most cases, you will be unable to charge a fee for SARs. Controllers may be able to charge a reasonable fee relating to the administrative costs of complying with the request where it is manifestly unfounded or excessive in nature, having regard to the number of requests (Article 12(5) GDPR).
- Refusals: Refusals are to be carried out on the basis of clear policies and procedures. Grounds for refusal are where the data controller is not satisfied as to the identity of the data subject, or where the request is manifestly unfounded or excessive in nature (Article 12(2) and (5) GDPR).
- Better Communication: Reasons for refusals are to be communicated clearly to the data subject, along with information on data subject rights such as the right to make a complaint to the Data Protection Commission or seek a judicial remedy (Article 12(4) GDPR).
The GDPR does not stipulate that SARs must be made in writing, however, with respect to Part V processing under the Data Protection Act 2018 (e.g. for law enforcement purposes), s.91(1) of the Data Protection Act 2018 states that the right of access must be requested by notice in writing.
Responses to SARs must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The information shall be provided in writing (or electronic means). When requested by the data subject, the information may be provided orally, provided the identity of the data subject has been proven by other means.
The controller may request the provision of additional information necessary to confirm the identity of the data subject.
If a controller refuses to act upon a request on the grounds that it is unreasonable or excessive, it has the burden of proving that the request is manifestly unfounded or excessive in nature (Article 12(5) GDPR).
Note that the above applies to responses to most cases where data subjects exercise their data protection rights and is not solely limited to SARs.
For SARs, the data subject has the right to the following information from the controller:
- Whether or not personal data regarding the data subject is (or was) being processed
- The purpose of the processing
- The categories of personal data concerned
- The recipients or categories of recipient to whom the personal data has been or will be disclosed, including recipients in third countries and international organisations
- The retention period or the criteria used to identify the retention period
- The existence of the right to rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
- The right to lodge a complaint with the supervisory authority
- Where the personal data is not collected from the data subject, any available information as to its source
- The existence of automated decision-making, including profiling, and meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject
- The safeguards in place relating to transfers to third countries or international organisations, if applicable, and
- A copy of the personal data undergoing processing.
The controller may charge a reasonable fee based on administrative costs for further copies requested by the data subject, but not for the first copy. Where the request is made by electronic means, and unless otherwise requested by the data subject, the information must be provided in a commonly used electronic format.
The right to obtain a copy of the data must not adversely affect the rights and freedoms of others. This means, for example, that the personal data of third parties must not be provided to the data subject in response to SARs.
Refusals to act upon a SAR must be communicated to a data subject together with the reasons for not taking action and the possibility of lodging a complaint with the Data Protection Commission or seeking judicial remedy (Article 12(4) GDPR).
Restrictions on data subject rights, including SARs
The Data Protection Act 2018 contains restrictions on the obligations of controllers and rights of data subjects relating to data subject rights, including SARs.
Section 162 of the Data Protection Act 2018 states that the rights of data subjects and the obligations of controllers relating to data subject rights, including SARs, ‘do not apply’:
- to personal data processed for the purpose of seeking, receiving or giving legal advice
- to personal data in respect of which a claim of privilege could be made for the purpose of or in the course of legal proceedings, including personal data consisting of communications between a client and his or her legal advisers or between those advisers, or
- where the exercise of such rights or performance of such obligations would constitute a contempt of court.
Further restrictions on these rights also arise under s.60 and apply to such matters as parliamentary privilege, defence, etc. and, most pertinent to law firms, the establishment, exercise or defence of a legal claim or prospective legal claim, legal proceedings or prospective legal proceedings (although others may also be relevant to law firms depending on their area of practice), but only where the restrictions are necessary and proportionate. Those restrictions are described in Guidance 4.
Helpful SARs Documents
- Guidance note on dealing with SARs
- Checklist for dealing with a SAR
Guidance 6: Lawful basis for processing personal data
- Review your processing activities to identify the lawful bases for the firm’s processing of personal data.
- If you are relying on consent for any processing activities, please read Guidance 7 for further information.
- Ensure your privacy notice includes the lawful bases for processing.
- In the case where balancing tests or consideration of various aspects are required, make sure that these are documented.
Under the GDPR regime, the processing of personal data is required to be on the basis of consent or one of the other legitimate bases laid down by law. The legitimate bases for processing personal data are still broadly the same under GDPR as in the prior regime, but the import and impact of the analysis of lawful basis has changed. It affects the following basic matters in GDPR compliance:
- The lawful basis for processing categories of personal data is required to be mentioned in the firm’s privacy notice and when responding to a subject access request;
- Decision-making regarding the identification of lawful basis is required to be documented under the accountability principle; and
- Data subject rights can differ depending on the lawful basis of processing (e.g. if relying on consent as the lawful basis for processing, the data subject can request deletion of the data).
What are the lawful bases for processing of personal data?
- performance of a contract (or steps taken prior to entering into a contract);
- compliance with a legal obligation;
- to protect the vital interests of a person;
- performance of a task in the public interest; and
- the legitimate interests of the controller except where overridden by the data subject’s rights and freedoms.
Have these legal bases changed?
As mentioned above, these are broadly the same as under the pre-GDPR regime. Consent (please read Guidance 7 for further information) and the legitimate interests ground have some important differences in application.
How has ‘legitimate interests’ changed?
- Public authorities are no longer permitted to rely on the legitimate interests ground as a lawful basis for processing of personal data.
- Where a firm relies on legitimate interests as its lawful basis for processing, it is required to mention this interest in the firm’s privacy notice. In addition, it must document the balancing test between the firm’s legitimate interest and the rights and freedoms of the data subject under the accountability requirements.
How to carry out the balancing test with respect to ‘legitimate interests’
The following is a non-exhaustive list of items for consideration in a ‘legitimate interests’ balancing test.
- Is the processing necessary for the data controller’s intended purpose?
- Would the data subject reasonably expect the processing to occur?
- Is the processing to prevent fraud, for security purposes or for direct marketing (each of these is mentioned in recitals 47-49 of the GDPR as processing that may be carried out for a legitimate interest)?
- Does the processing envisaged cause any disadvantage to the data subject?
- Is the personal data relating to a child?
The balancing test analysis should be documented by the firm and reviewed periodically.
Special Categories of Personal Data
Special categories of personal data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation) may not be processed, and therefore there is no legitimate basis for processing such data, unless one of the exceptions in Article 9(2) of the GDPR applies.
The lawful bases most likely to apply to law firms (there are others which may apply) are:
- explicit consent;
- for compliance with employment, social security or social protection law requirements;
- to protect the vital interests of a person where the data subject cannot give consent; and
- for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
S.47 of the Data Protection Act 2018 expands upon the GDPR ‘legal claims’ exception, which under the GDPR relates to contentious business only. Under Irish law, processing of special categories of personal data is also possible where necessary for the purposes of obtaining legal advice, or in connection with prospective legal claims and prospective legal proceedings or otherwise necessary for establishing, exercising or defending legal rights.
Remember: The lawful basis for processing personal data must be referenced in your firm’s privacy notice. Once the lawful basis has been identified and documented, update your privacy notice to include this information.
Guidance 7: Consent
- Consider the requirements of consent.
- Ensure your firm can respond to data subject rights relating to processing based on consent.
- Update procedures to review and refresh consents.
Key definition: ‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Firms are not likely to rely on consent as the lawful basis for processing most of the personal data processed in the context of the practice. Exemptions to this general rule may occur relating to the firm’s marketing activities rather than the services of the firm.
How to obtain valid consent
The standard for valid consent under GDPR is significantly higher than under the pre-GDPR regime and is described at Article 7 of the GDPR. In order for consent to be valid it must be:
- presented in a manner which is clearly distinguishable from other matters,
- in an intelligible and easily accessible form, and
- using clear and plain language.
In addition, the data subject has the right to withdraw his or her consent at any time, and it must be as easy to withdraw consent as to give it. The extent to which the provision of a service is conditional on consent relating to other matters is an important factor in deciding whether consent has been validly given.
It is important to note that the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
Recitals 32 and 42 of the GDPR give some further important context for valid consent. Pre-ticked boxes are not acceptable, nor is inactivity or silence. Each purpose for processing requires a separate consent (if consent is being relied upon). The data subject should be aware of the identity of the controller. Any request for consent must be clearly distinguishable from other matters. It would not be sufficient to obtain the consent through a terms and conditions document such as the firm’s letter of engagement where the consent issue is not clearly distinguished.
Records need to be kept to demonstrate valid consent has been obtained. This is not unlike the requirement to keep evidence of authorisation to send electronic commercial communications under the ePrivacy Regulations.
Parental consent will be required in order to process the personal data of children. The consent of children may require review and update as the child reaches majority and the firm should implement procedures to capture this, if required.
Guidance 8: Processing Children’s Data
- Identify if your firm offers any services to children
- If required, have you drafted privacy notices directed at children?
- If offering any online services to children and relying on consent as the lawful basis for processing, have you a process to verify that the children are of sufficient age to consent to the processing? If they are under the age of competence, have you a process for securing parent/guardian consent?
- Do you regularly review how you protect children’s personal data?
Throughout the text of the GDPR the personal data rights of children are consistently referred to. As the GDPR itself states, “children merit specific protection”; therefore:
- any information and communication addressed to a child, should be in such a clear and plain language that the child can easily understand (Recital 58 GDPR); and
- specific protection should apply, in particular, to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child (Recital 38 GDPR).
The reasoning for this specific protection is clear, ‘[children] may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data’ (Recital 38 GDPR).
Does the firm offer any legal services to children?
It is important for the firm to identify if it provides any legal services directly to children. This could occur, for example, when the firm has a practice in the areas of family law, wards of court, entertainment law, etc.
What is a child?
The Data Protection Act 2018 states that where the GDPR refers to “child”, this shall be taken to be a reference to a person under 18 years of age (s.29 of the DPA 2018).
Is a specific privacy notice directed at children required?
If the firm offers any services directly to persons under the age of 18, privacy notices should be drafted to cater for children. Even where the firm does not offer services directly to children, where the personal data of children is processed by the firm, it may be appropriate to communicate to the children about how their data is processed. As mentioned above, ‘any information and communication addressed to a child, should be in such a clear and plain language that the child can easily understand’.
Does the firm review how it protects the personal data of children?
Where the personal data of children is processed by the firm, the firm should be continuously considering items such as data protection by design to ensure that only necessary data is collected. The lawful basis for processing analysis (see Guidance 6 above) is critically important particularly given the increased complexities involved in processing children’s data on the basis of consent or the greater weight that may be given to the rights of the child in a ‘legitimate interests’ balancing test if the processing is based on that lawful basis.
The DPC has completed an initial public consultation on the rights of children under GDPR. Look out for the final report for further guidance on communicating with children. A preliminary report is available on the Data Protection Commission website.
Guidance 9: Data Breach Protocol
This Protocol is to assist your firm in handling data breaches.
As all data breaches are different, consideration will need to be given to the particular scenario and the appropriate response. For the most up-to-date external guidance, please see:
Guidance 10: Data Protection Impact Assessment
Where the firm will be undertaking a new activity that involves a high risk to the rights and freedoms of a data subject, the firm is required to undertake a data protection impact assessment.
Some examples of high-risk activities are large-scale processing, large-scale systematic monitoring and so on.
More information on Data Protection Impact Assessments is available on the Data Protection Commission website.
Guidance 11: Data Protection Officer
An organisation is required to appoint a designated data protection officer where:
- the processing is carried out by a public authority or body;
- its core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
- its core activities consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
If the firm falls into one or more of the above categories, it should consider the qualifications required to fill the DPO role on the Data Protection Commission website and make a notification of the appointee to the DPC.
Please note that the template documents are sample documents, drafted on the basis of reasonable assumptions about the type of processing undertaken by a small general practice. There will be differences between firms, and each firm will have to reflect their own processing activities in the final documentation. The template documents are provided as an aid. They will not be sufficient for compliance without tailoring to the circumstances of each firm.
As data protection laws have been in place for many years, the guidance will not deal with explaining definitions such as personal data, processing, controller, processor and special categories of data as these concepts are broadly similar to those in the current regime. If your firm is not aware of these terms, please see guidance from the Irish Data Protection Commissioner and refer to the definitions in the GDPR. We would also recommend that data protection training be undertaken as a matter of priority.
Disclaimer: While care has been taken in the drafting of this guidance, no responsibility is taken by the Law Society of Ireland for any errors or omissions. Compliance with the legislation is a matter for each individual solicitor.
Do not hesitate to contact the Society for assistance when interpreting data protection duties affecting you. While we cannot provide you with legal advice, we will endeavour to help you navigate your way through best practice principles. Practitioners can contact the Intellectual Property and Data Protection Law Committee Secretary, Katherine Kane, at firstname.lastname@example.org.