GDPR enforcement extends beyond the fine – think serious brand damage

ICO

European Commissioner Věra Jourová, who oversaw data protection reform.

By Ken MacDonald

You might not think so given the somewhat hysterical, scaremongering tone of much recent media coverage, but whilst the General Data Protection Regulation (GDPR) marks a step change in the importance of data protection, it represents an evolution of the existing law rather than a total revolution.

The new regime, which applies from 25 May 2018, builds upon existing data protection legislation and many of the fundamentals remain the same. These include the following:

  • Being transparent and fair about what personal data you are collecting and how you intend to use it.
  • Ensuring it is accurate and up to date.
  • Only processing personal data for specified purposes and not keeping it for longer than is necessary.
  • Keeping it safe and secure.
  • Respecting individuals’ rights.

So what does this mean for the legal profession, especially with regard to the particular data protection challenges it can face, such as the sensitive nature of much of the data lawyers handle, and the fact that paper documents are often carried out of the offices to courts, tribunals, and client meetings?

Processing personal data always carries its own risks and it’s a fact that the legal sector faces some of the biggest risks of data breaches due to the nature of the information it processes and the type of work undertaken. Where sensitive information is involved, for example data relating to criminal convictions, family circumstances or medical conditions, the stakes will always be higher than in many other sectors.

There are real life consequences for individuals if their personal data is not collected and used appropriately in accordance with data protection requirements.

So the volume and the often sensitive nature of the data that legal professionals will process are both risk factors in terms of GDPR compliance and the consequences of a breach. How can these risks be minimised?

The answer is surprisingly simple and differs little from the current regime:

  • identifying risks and building in privacy and security to your systems, policies and processes;
  • strictly following the principle of data minimisation (don’t collect what you don’t need);
  • having robust retention policies in place; and
  • managing data well.

All the above will help to reduce the chances of things going wrong further down the line.

A significant aspect of GDPR is putting onto a statutory footing much of the existing best practice and guidance from the Information Commissioner’s Office (ICO). So GDPR, and the prospect of a strengthened enforcement regime, should bring an increased focus on the importance of data protection across all areas of the business.

Across the business there will be a need to ensure that staff are appropriately trained and that internal processes and policies reflect the changes, and that they work in practice. The legal profession already operates in a highly regulated environment and should be well placed to identify the gaps between what they are doing now and what they should be doing in future.

Essentially, data protection should be a primary consideration at the start of your product development, processes and procedures, not an afterthought at the end.

In terms of data security, what are the risks for the profession, and what practical steps can organisations take to mitigate these?

Again, we have to recognise that GDPR represents a development that builds on current legal requirements, and not a leap into the dark. The Data Protection Act 1998 already requires organisations to take appropriate organisational and technical measures to keep data secure.

Data security threats will not change overnight on 25 May 2018. What will change are the requirements to report security breaches to the ICO and to those affected, along with the strengthened enforcement regime.

Following the Government’s review of cybersecurity regulation and incentives, the GDPR is viewed as a key lever to improve data security in the UK.

The ICO’s guidance document Protecting Personal Data in Online Services: Learning from the Mistakes of Others is a good place to start.

And what are the consequences for the legal profession and their clients if organisations don’t meet the requirements of the new regulation?

While much of the media and online coverage and discussion around GDPR has focused on the increased financial penalties available to the ICO, we feel this is missing the point.

GDPR is essentially about trust. Failing to get data protection right will ultimately damage your brand reputation and your client relationships.

The impact of ICO enforcement action extends beyond the economic impact of the fine itself – think about serious brand and reputational damage, not to mention the potential personal impact on the individuals concerned.

This is probably more serious for the legal profession than almost any other – being found to be breaching the law would not only be embarrassing in the extreme, but also potentially damaging to reputation and trust on a significant scale.

The ICO’s annual track research on privacy and data protection consistently shows that levels of public trust are low and that people feel that there is a lack of transparency.

Conversely, it also shows that consumers would be more willing to give up their data if they felt they could trust businesses to handle it fairly, securely and responsibly. And that provides a major business opportunity for those organisations which can demonstrate they get data protection right.

The reputational benefits of treating data protection as a commercial positive and not a burden are clear. And that could translate into commercial benefits.

Where organisations fail to take data protection seriously, and are not being accountable and transparent, the Information Commissioner, Elizabeth Denham, will have a wide range of sanctions available to her which will be used to change behaviours and protect consumers.

In her recent series of GDPR myth-busting blogs, the Information Commissioner explains that heavy fines for serious breaches reflect just how important personal data is in a 21st century world, but that the ICO intends to use those powers proportionately and judiciously.

Information management – knowing what data you have, why you have it, where it is and who can access it – is key to compliance. Without appropriate attention to good information management, legal professionals are failing to mitigate risks and will be more exposed.

For example, individuals will have strengthened rights to access the data organisations hold about them. Unlike the £10 charge you can make under the current Data Protection Act, subject access requests under the GDPR regime will be free of charge, the data will need to be provided within a month and the data may need to be provided in an electronic format.

This could well lead to an increase in demand and more requests being received. If an organisation doesn’t have a good grip on its information management systems, then the time and effort needed to comply could prove much more costly.

So will the legal profession be ready for the GDPR in time?

That is essentially down to them. Provisions relating to GDPR will be included in the Government’s recently announced Data Protection Bill, along with other measures relating to areas such as law enforcement and national security. Organisations need to remain focused on the fact that GDPR is coming next May, come what may.

There is lots of material already available on our website and elsewhere about the changes to help organisations travel a long way down the road to compliance, and the ICO’s Scotland office is here to help. There is no grace period. The legal profession, like all businesses, has had two years to get its house in order.

While the Data Protection Bill will add some detail and clarification about the new regime, the fundamentals have been known about for a long time. Fairness, transparency, accuracy, security, minimisation and respect for the individual whose data you hold – these are all things you should already be doing with data and GDPR seeks only to build on those principles.

Ken MacDonald is the ICO’s Head of Regions.