Miller Insurance Services: are you ready for GDPR?
The General Data Protection Regulation comes into effect across the European Union on May 25. It replaces the UK’s Data Protection Act 1998 (DPA) – and will bring data privacy up to date in the digital age. Brexit will not affect the new regulation as the government has confirmed it will fully incorporate it into UK law.
GDPR will give people stronger rights to access information that is held on them and requires organisations to manage that data better.
Will GDPR affect me?
Yes, it affects every organisation that either “controls” or “processes” data. If you’re subject to the Data Protection Act then you’ll be subject to GDPR, so it’s important to know what impact it will have.
What’s new with GDPR?
The Information Commissioner’s Office (ICO), the UK’s data privacy watchdog, is frustrated at the “scaremongering” about the new rules’ impact. GDPR is only a step change, it says, insisting it’s an evolution, not a revolution in data protection.
“It seems a much bigger task than it actually is,” says Duncan Finlyson, a director of Infolegal, which provides compliance advice and training for solicitors. “Most firms will already be in compliance with large parts of GDPR, otherwise they wouldn’t already be in compliance with the DPA or the SRA’s Code of Conduct.”
However, Julia Tutin, Client Adviser at Miller, warns law firms against complacency. “The new regulation requires organisations to have better data privacy procedures or risk punishment.”
The biggest changes are:
Consent – a person must give their explicit consent for their information to be held, defined as being “freely given, specific, informed and [an] unambiguous indication of the data subject’s wishes.” Implied consent, such as from pre-ticked boxes, is no longer good enough. Consent must be verifiable, so a record of it must be kept. Also, information can only be used for the purposes for which consent has been given. So, a law firm cannot send clients marketing material unless they have agreed. People can also withdraw consent at any time.
Penalties – there are much tougher fines for those that fall foul of the new rules – up to £17 million, or 4% of overall income, compared to £500,000 under the DPA. However, the ICO has sought to soothe anxieties, saying it has “always preferred the carrot to the stick,” pointing out that only 16 out of 17,300 cases it dealt with in 2016/17 resulted in fines.
“Although the ICO says fines are ‘the sledgehammer in our toolbox’, GDPR gives it a range of sanctions – from warnings to reprimands and corrective orders – that could severely dent a law firm’s reputation,” says Tutin.
Find out what you need to do as a law firm here.