10 steps in managing data and data protection in your firm
Guidance and ethics
The compliance requirements related to data protection have dramatically increased, and firms must have an in-depth understanding of their duties and responsibilities or risk potentially crippling financial penalties. The General Data Protection Regulation (EU) 2016/697, the Data Protection Act 2018, and other legislation govern the area of data protection in Ireland.
- Data protection policy. Have a data protection policy and staff protocols in your firm to show how your firm complies with the legal requirements for managing personal data. There is no standard content that a data protection policy must have. However, it should include high-level principles and rules for your firm, and should set out the procedures and practices employees should follow.
- Know what personal data you hold and the principles of processing personal data. Understand what constitutes personal data (article 4 GDPR) and the lawfulness of processing personal data (article 6 GDPR). Know what personal data you hold. Make an inventory of it, and update the inventory on an ongoing basis. When processing data, understand the principles of data protection (article 5 GDPR), namely:
- Lawfulness, fairness and transparency,
- Purpose limitation,
- Data minimisation,
- Storage limitation,
- Integrity and confidentiality, and
- Staff training. Ensure staff are adequately trained to recognise when they are working with personal data, and aware of the need to comply with the firm’s policies when working with personal data. It is also critical to ensure that staff are aware of the need, without fear of repercussion, to immediately communicate any potential data breach to management. There isn’t a ‘one size fits all’ approach for staff awareness training. It should be tailored to your firm and its requirements, and should be an ongoing process in which employees can be shown how risks arise and how the firm’s policies and processes can help in that process.
- Map data flows. Article 30 GDPR states that you must maintain a record of processing activities under your responsibility. To achieve this, your firm should create a data flow map. A data flow map shows you what data is collected and processed, and shows the flow of data from one location to another. When mapping data flows, identify the type of data collected and its source, determine the lawful basis for processing, identify who you share the data with and where the data is stored, and how long to retain the data for.
- Data security. Security is a risk-based approach – implementation of technical and organisational measures to provide security must be appropriate to the risk. Have systems in place to ensure the confidentiality and security of data. Exercise caution when sending emails. In particular, when email addresses automatically populate, it is critical to ensure the correct address is selected.
- Management of paper and electronic files. Well-maintained filing and document-management systems will help your firm to remain compliant with the GDPR regulations and avoid security risks. Electronic file management is the practice of importing, storing, and managing documents and images as computer files. Have an e-communications policy in place, and ensure IT systems are robust to ensure that electronic files are managed securely. Ensure you have an adequate data-recovery strategy in place. Have a policy in place regarding the storage and management of paper records.
- Data retention and destruction of paper and electronic files. Know the mandatory periods of retention, having regard to statutory and regulatory limitations – have a retention policy in place for retaining files for operational or regulatory compliance need. Inform clients that you operate a retention policy. It is good practice to categorise each file. Do not retain data for longer than necessary. Review data quality and remove duplicate data and obsolete data. Further information, including a table outlining statutory retention periods, can be found in the practice note on data retention and destruction of paper and electronic files. If keeping copy pleadings, advices, courts outcomes, etc, as precedents, ensure you delete all personal data from same. GDPR states that personal data may only be kept in a form that permits identification of the individual for no longer than is necessary for the purposes for which it was processed.
- Legal privilege. Legal professional privilege confers on a client a privilege of exemption from disclosure of communication that may otherwise be required to be revealed. The statutory data protection regime and legal and professional confidentiality requirements are separate and complementary. Further guidance on legal professional privilege is available in the recent practice note published by the Guidance and Ethics Committee on the topic.
- Data breach. A firm must have in place procedures to deal with breaches (detect, report, record and investigate). In the event of a breach, carry out an immediate risk assessment, as time is of the essence: certain breaches must be reported to the Data Protection Commissioner within 72 hours (article 33 GDPR). Identify the source and extent of the breach and establish how to remedy it. Address the breach. The specific actions you may need to take may vary based on nature of the breach, and implement a short-term security fix to prevent further access to your data. Test the fix to ensure that the method of attack cannot be used again. Keep records of data breaches and what steps were taken to remedy the breach. Data subjects must be informed of high-risk data breaches without delay. Personal data breaches and failure to report same attract fines (article 34 GDPR). Investigate how the breach happened and learn from it, and put measures in place to ensure it does not happen again.
- Data subject access requests. Know the different aspects to the right of access under article 15 GDPR and what data can be requested. It is good practice to have in place a subject access requests (SAR) procedure. You have one month to answer a SAR. This time can be extended by a further two months depending on the complexity of the SAR (article 15 GDPR).
Further reading, guidance and templates can be found on the Law Society website under GDPR guidance and templates and practice notes.