The EU General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC) or “GDPR” updates data protection rules across the European Union.
It was joined by Irish implementing legislation: the Data Protection Act 2018.
Why is GDPR important to law firms?
The information that law firms process can be among the most important and critical information that individuals will share with anyone. Clients trust that solicitors will handle information correctly.
Solicitors are familiar with professional obligations to keep our client information confidential and understand that client communications and documents may be privileged, be that through legal advice or litigation privilege. Solicitors are, therefore, already aware that information handled on behalf of clients is subject to special safeguards.
Data protection is another framework to consider when dealing with client information. Data protection laws have existed in Ireland since 1988. The GDPR builds on existing rules and, amongst other requirements, requires law firms to document activities relating to personal data and to clearly inform individuals about how their data will be treated by the firm.
Events such as inappropriate disclosure of data, loss of data, deletion of data or inaccurate data can have a significant impact on your clients. Complying with GDPR obligations will help solicitors to better serve your clients.
It is important to note that the GDPR does not apply solely to a firm’s client data but relates to all personal data processed by the firm. This may include personal data about your employees, contractors or suppliers. It may also include personal data that you process about third parties on behalf of your clients, such as relating to the opposing party in legal proceedings or your counterpart in a conveyancing transaction. Data protection issues permeate the operation of a law firm at many levels.
What happens if a firm fails to comply with GDPR?
The regulatory and enforcement regime relating to data protection rules were strengthened under GPDR. There has been much public commentary on the increased fines that can be levied under GDPR rules, up to €20 million or 4% of global turnover for certain failures to comply, but there are also increased powers for the Irish data protection supervisory authority (Data Protection Commission). These powers include the ability to:
- carry out audits,
- request information from relevant parties,
- issue warnings and
- ban certain processing activities.
In addition, individuals will have the ability to seek compensation through the courts for breaches of their data privacy rights, even where no material damage or financial loss has been suffered.
A firm may also be subject to GDPR-related contractual obligations. Contractual liability in this respect may be determined by reference to the relevant contract.
Who should be responsible for GDPR compliance in a firm?
As is apparent from the above, failure to comply with GDPR could lead to significant costs to the firm. Failure to comply could also lead to reputational damage to the firm and, not least, increases the risk of harm to individuals that interact with the law firm.
This is a matter to be taken seriously. The Law Society recommends that the person responsible for managing GDPR compliance be at partner or other senior level of the law firm. Their duties should include facilitating and driving GDPR compliance activities. As stated above, sole principals or sole practitioners are also subject to the GDPR and have to administer their own compliance.
The Law Society recognises that smaller firms have limited resources. The Society's GDPR guidance and template documents are drafted with the small firm or sole practitioner in mind, to assist with what can be a large compliance burden.
How does a firm comply with GDPR?
- The first port of call for any law firm is the Data Protection Commissioner’s ‘Responsibilities of Organisations under the General Data Protection Regulation’.
- The guidance provided by the Law Society tailors the advice to items that may be of particular importance to law firms. See Guidance and templates.
Note: As data protection laws have been in place for many years, the guidance does not deal with explaining definitions such as personal data, processing, controller, processor and special categories of data. If you are not aware of these terms, please see guidance from the Irish Data Protection Commissioner and refer to the definitions in the GDPR. We also recommend that data protection training be undertaken as a matter of priority.
Disclaimer: While care has been taken in the drafting of this guidance, no responsibility is taken by the Law Society of Ireland for any errors or omissions. Compliance with the legislation is a matter for each individual solicitor.