Whether the regulation – and the related Data Protection Act 2018 that gave it effect in Ireland – did actually represent a seismic shift in the rights of data subjects and the corresponding obligations of those controlling personal data is debateable.
On reflection, it appears to have represented more of an updating and extension of the rulebook that previously governed this space in order to acknowledge the advances of technology and data-management practices.
Irrespective of the scale of the real change brought about by the GDPR, it has had an undeniable impact, which no successful business can ignore – how their personal data will be safeguarded is now a key consideration for individuals when they choose any service provider, including their legal advisors.
This scenario has forced service organisations, across the EU and beyond, to establish projects to ensure they can robustly manage the personal data shared by their clients or customers and present themselves as reliable guardians of such data.
Legal practices are not immune from this important development with respect to client expectations, and many have instigated projects over the last year to ensure they comply with their data protection obligations regarding the equally important constituencies of clients and staff.
Given the passage of time since the introduction of the new regulation and the emerging insights into the practical business implications arising from its implementation, we are now seeing demand from our clients to review their approach to personal data management and the success of their delivered GDPR compliance projects.
Such evaluations typically have three goals:
- To ensure the organisation is appropriately complying with its current data protection obligations,
- To identify opportunities to optimise the efficiency and effectiveness of the activities that underpin such ongoing compliance, and
- To ensure the level of resources applied to achieving compliance is appropriate.
It seems likely that the leaders of legal practices, regardless of their size and the focus of their services, will also have interest in such a health-check review of their data protection approach.
Based on our project experience to date, the exact remit and scale of such reviews will require tailoring to reflect the nature of the data risks faced by each entity.
Nonetheless, we would encourage those considering commissioning such a data-protection health-check review to ensure that the key elements set out below remain within scope.
Data protection policies
Concise data protection policies are necessary to serve as the foundation of the data protection regime of any legal practice.
Key policies will include:
- Data retention,
- Data subject-request management, and
- Data-breach management.
It is imperative that these policies have been properly communicated to all personnel and are underpinned by robust procedures. Ongoing adherence to these policies must be periodically monitored by the appointed data protection officer and/or other personnel with compliance responsibility.
The data-retention policy is generally regarded as the most critical of the data-protection policy suite, given that, in conjunction with an information asset register, it seeks to address some important topics, including:
- The key sets of personal data held by the practice,
- The role of the practice and whether it acts as a data controller or data processor with regard to each dataset,
- The legal basis on which the practice relies for processing the data, and
- The current retention period for each dataset.
Thus, the review of the policy (and the related register) and adherence to these is a central aspect of the review.
Readers of recent annual reports from the Data Protection Commission (DPC) will be already aware that a significant portion of the complaints reported by data subjects centre around two scenarios – data-controller responses to data-subject requests; and the management of personal data in the context of data breaches.
Hence, a practice’s approach to both requires attention if interest from the commission is to be avoided.
Data-subject requests may include applications for copies of personal data held regarding a data subject, or subsequent requests for data to be corrected or erased.
Many of our clients are currently experiencing a significant increase in the volume of the data-subject requests received post GDPR. It is, therefore, vital that the internal processes to acknowledge a request and comply with same (within the specified timelines) are lean, if the costs of such compliance activity are not to increase markedly.
Within the context of a legal practice, it is particularly important that those charged with managing data-subject requests are equally aware of the data they must provide to data subjects and, where applicable exemptions exist, to allow such requests to be rejected (or partially complied with) so as to not compromise future legal proceedings.
A review of how such recent requests have been managed is likely to present opportunities for both learning and process improvement.
Data breaches occur in every organisation. Simple user errors such as sending an email to an unintended recipient are commonplace, while cyber-attacks represent a growing risk to all professional services firms. It is, therefore, very important that such scenarios are managed with rigour.
Due to the short timeline (72 hours) within which an actual data breach must be reported to the DPC, it is necessary to have effective internal processes in place to support the reporting of potential breaches and the subsequent documentation, evaluation, and recording of same within the required registers by the DPO or other capable personnel.
If reporting to the DPC or affected data subjects is required, such communications will require careful drafting and may require input or agreement from third parties, including insurers or public relations advisors.
A review of the management of such potential breaches is likely to yield possibilities to further hone the process, while sharing summaries of real-life breaches is useful in terms of boosting staff awareness of the risks around data practices.
Normally, the sharing of personal data between a legal practice and its client will be governed by a letter of engagement that will include content setting out the obligations of the practice with respect to the data concerned, and whether it will be acting as a data controller or data processor within the business relationship.
Given the increased interest from data subjects in how their data is managed, and the larger penalties that can be imposed by the DPC on organisations that do not meet their data-protection obligations, our clients are very focused on properly governing circumstances where they proceed to share such personal data with other organisations.
Typically, such scenarios are governed by either data-sharing or data-processing agreements.
The latter usually govern scenarios where data is being shared with a contracted provider to allow the delivery of services to the legal practice in line with agreed specifications or instructions.
Data-sharing agreements, while similar in nature, relate to the sharing of data with a party that will act as a data controller in parallel with the legal practice – for instance, another legal firm or a professional expert.
A review of samples of each document will build confidence within the organisation that letters of engagement, data-sharing agreements, and data-processing agreements are being used appropriately (based on the nature of the business relationships), and that their content is robust and properly governs the risks associated with such data sharing.
Meanwhile, a review of the registers being maintained for each document type will provide some insight into the extent of the use of such agreements to manage data-sharing arrangements.
In the post-GDPR era, the process of agreeing the content of such documents can require considerable resilience, as both clients and suppliers can be cautious about signing up to agreements that can include onerous or complex data-protection terms.
In addition to the priority matters set out above, a data-protection health-check could also explore other relevant topics, such as the quality of the technical and organisational measures underpinning the data-protection regime, the level of staff awareness of both data-protection risks and procedures, and the progress of the organisation in complying with its stated retention periods via the conduct of data purging.
Ultimately, the value of such a review will be twofold in nature.
It will identify shortcomings in the current approach that need to be addressed to boost compliance with the current legislation and best practice, while also identifying those areas where current practices could be adjusted to improve how compliance is achieved.
The outcome of such a review is likely to inform the scope and conduct of a further GDPR compliance project to enhance your data-protection approach. Is it time you checked the health of data compliance in your firm?