GDPR: What is it and what am I supposed to do about it?

By Ben Weinberger posted 12-04-2017 10:52

On 25 May 2018, the European Union's General Data Protection Regulation (GDPR) comes into effect. Data protection is not a new concept, but the GDPR consolidates and standardizes regulation across the EU with a distinct emphasis on protecting individuals. As such, it applies to firms and legal departments anywhere in the world that are established in the EU, that offer goods or services to individuals in the EU, or that monitor their behaviour; the test is where the individual is, not their citizenship. If your firm or legal department has clients operating within the EU or transacting business with individuals there, or you hold personal data of an individual in the EU in connection with your firm's representation of a client, you will need to ensure compliance. Non-compliance can be costly, with fines up to 4% of a firm's annual global turnover or €20 million, whichever is higher. If you're not familiar with the GDPR, or your firm's or company's legal department is not prepared for it, the time to act is now.

Start with Education, Sponsorship, and an Audit

The first thing to understand is that GDPR is not simply an IT issue. In fact, it’s an HR issue, a Marketing and Business Development issue, and most certainly a service delivery issue which will affect everyone. Additionally, it’s going to require more than just buying a piece of hardware or software – it requires a complete rethink of policy and procedure, so the starting point is at the top. In reality, before you run to your firm’s managing partner or company’s GC, it’s best to start by educating yourself and ensuring you understand the basics.

There are numerous resources available online and in print that will help you educate yourself. This blog, of course, is a start. Beyond that, though, given that the GDPR will affect the entire firm or business, it’s crucial to obtain executive ‘buy-in’ and sponsorship. If you have a General Counsel or Head of Risk Management, that person is most likely best positioned to lead and sponsor an initiative; even then, though, because the scope of the legislation is so broad, it’s important that your management or executive committee – however you’re structured – is on board to ensure appropriate investment and to set the tone from the top.

The most sensible way to kick-off an initiative such as this is with an audit of the entire organization. Regardless of internal capabilities, engaging with an experienced auditor who knows what to look for and how best to navigate the challenges will be invaluable. An appropriate audit will identify key risks and gaps and make recommendations for how to go about addressing them. Further, an audit may provide just the impetus needed to ensure executive buy-in and sponsorship and therefore secure sufficient funding for a full program.

Know Your Data and Its Use

Something firms and businesses should already have done, yet very few seem to truly be on top of, is mapping their data. With the typical law firm operating dozens – sometimes hundreds – of applications, it is a challenging task to know exactly what data is being recorded and where; nevertheless, it is absolutely vital that firms be able to identify the personal information they hold about their employees, suppliers, clients, and their clients' employees and suppliers, and how all that data is being used. The only way to mitigate the risk is by first identifying it. Firms are bound to hold a significant volume of information on their own employees in HR, Experience, and KM systems, among others, while they also hold personal data on their clients within CRM, email, or various other systems. The amount of data will vary by system and by data subject, and a thorough audit in which a complete data map is created is the first step to ensuring compliance. The data map needs to record what the data is, which system and location it sits in, and how it is being used (the GDPR sets specific limits on what constitutes an appropriate use of personal data).

Once you’ve created a data map, it’s imperative that you review what data you're holding, for what period of time you intend to hold it, and what it’s being used for. If the data is not being held for a specifically designated purpose with a lawful basis (for example, performance of a contract or a legitimate interest), you will need to ensure that you have consent to hold it. This typically applies to data used for business development and marketing purposes, though it could apply to other data as well. Either way, the business must have a justifiable legal basis for its use of that data. Further, among the GDPR’s various requirements, the principles of data minimization and data protection mean that you should not be holding anything beyond the information needed for the specified purpose for which you hold it – and that only those who need access to that data for that purpose have such access. Notably, this requirement to limit access is a recurring concept that is also being driven by regulations from other jurisdictions, such as the recent New York State Department of Financial Services (DFS) Cybersecurity Regulation. That regulation took effect on March 1, 2017, with phased compliance deadlines, so covered financial institutions (banks, insurance companies, and other DFS-licensed entities with a presence in New York) should already have implemented or begun projects to lock down and limit access to covered data; it also reaches their vendors, including law firms, through its third-party service provider requirements.
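The review described above (lawful basis, retention period, and access limited to those who need it for the purpose) can be applied mechanically once the data map exists. The following is an added example, not code from the original post or from any firm's systems: the inventory records, the purpose-to-role table, and the review date are all constructed for illustration.

```python
"""Review a data map for GDPR-style gaps.

Each entry records what the data is, which system and location it sits in,
the purpose it is held for, its lawful basis, when it was collected, how long
it is kept, and which groups can access it. The review flags entries with no
lawful basis, no (or an expired) retention period, and access wider than the
stated purpose needs. Everything below is a constructed example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Hypothetical table: which access groups a purpose actually needs.
# A real firm would derive this from its own audit, not from this example.
ROLES_FOR_PURPOSE: Dict[str, Set[str]] = {
    "payroll": {"hr", "finance"},
    "client_matter": {"fee_earners", "secretaries"},
    "marketing": {"bd"},
}


@dataclass
class DataMapEntry:
    data: str                        # what the data is
    system: str                      # which system holds it
    location: str                    # where that system is hosted
    purpose: str                     # why it is held
    lawful_basis: Optional[str]      # e.g. "contract", "consent"; None if unknown
    collected_on: date
    retention_days: Optional[int]    # None means no retention period was set
    access_groups: Set[str] = field(default_factory=set)


def review_entry(entry: DataMapEntry, today: date) -> List[str]:
    """Return the list of findings for one entry (empty list means no gaps)."""
    findings: List[str] = []
    if not entry.lawful_basis:
        findings.append("no lawful basis recorded")
    if entry.retention_days is None:
        findings.append("no retention period set")
    elif entry.collected_on + timedelta(days=entry.retention_days) < today:
        findings.append("retention period expired")
    needed = ROLES_FOR_PURPOSE.get(entry.purpose)
    if needed is None:
        findings.append(f"unknown purpose {entry.purpose!r}")
    else:
        # Minimization of access: anyone outside the roles the purpose needs.
        extra = entry.access_groups - needed
        if extra:
            findings.append("access wider than purpose needs: " + ", ".join(sorted(extra)))
    return findings


def review_data_map(entries: List[DataMapEntry], today: date) -> Dict[str, List[str]]:
    """Map '<data> in <system>' to its findings, keeping only entries with gaps."""
    results: Dict[str, List[str]] = {}
    for entry in entries:
        findings = review_entry(entry, today)
        if findings:
            results[f"{entry.data} in {entry.system}"] = findings
    return results


# Constructed sample inventory (not real data) and a fixed review date.
REVIEW_DATE = date(2017, 12, 4)
SAMPLE_ENTRIES = [
    DataMapEntry("employee bank details", "HR", "London", "payroll",
                 "contract", date(2016, 1, 10), 7 * 365, {"hr", "finance"}),
    DataMapEntry("client contact details", "CRM", "New York", "marketing",
                 None, date(2015, 3, 1), None, {"bd", "all_staff"}),
    DataMapEntry("matter correspondence", "DMS", "Dublin", "client_matter",
                 "contract", date(2010, 6, 1), 2190, {"fee_earners"}),
]


def run_review() -> Dict[str, List[str]]:
    """Run the review over the constructed sample inventory."""
    return review_data_map(SAMPLE_ENTRIES, REVIEW_DATE)


if __name__ == "__main__":
    for key, findings in run_review().items():
        print(key)
        for finding in findings:
            print("  -", finding)
```

In the sample, the payroll record passes, the CRM marketing record is flagged on all three points (no basis, no retention, and an `all_staff` group that marketing does not need), and the matter correspondence is flagged only because its six-year retention has run out. The role table is the part that requires judgement; the checks themselves are routine once it exists.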

General Considerations

When compiling a data map, those who might not otherwise have recognized a need for GDPR compliance should gain a better understanding of why they now do. Firms or legal departments with offices within the EU will surely have to comply; yet those operating solely within the United States might not otherwise recognize where they process or hold personal data of individuals in the EU. For a small firm or legal department, this could be something as simple as having a client or an employee based in an EU country (nationality is not the test: the GDPR covers personal data of individuals in the EU whatever their citizenship, including U.S. citizens living there). For the bigger firms or legal departments, the likelihood typically is even greater.

For those that have EU-based employees (or partners of a firm) or customers, almost every system now needs to be reviewed – and it’s not always obvious why. For instance, with regard to EU clients, a firm’s engagement letters offer the most appropriate place to specify how data is being collected, stored, and processed, while also providing a mechanism for securing consent where consent is the basis relied on. With regard to personnel records, the induction process should now incorporate a similar element, such as a privacy notice explaining what personnel data is held and why.

Another consideration regards policies: whereas it may be possible to apply different rules and requirements within the firm based on whether or not an individual is an EU citizen or whether or not a particular office interacts with EU data, it may not make sense for the firm to try and treat that data differently. You may find it simpler to enact the same rigorous standards across the board, regardless of whether the specific data would be subject to GDPR, as it may prove less costly from both an administrative standpoint and from a risk perspective.

What Next?

Given the breadth of the GDPR’s scope, the most important thing a firm can do is start now. Regardless of implementation timescales, it’s key to ensure that the business begins as soon as possible because the penalties for non-compliance are so steep. At a time when we are facing extremely competitive market conditions, a single fine imposed for GDPR non-compliance could be the difference between a profitable year and mass lay-offs.

Additional GDPR Content

If you'd like to learn more, ILTA and Michael Johnson will be hosting a webinar on December 14th, discussing GDPR and ISO Certifications. You can RSVP here!

ILTA staff has also compiled a list of all content related to GDPR that's already been published or posted. You can find it here.
