In May last year, to the backdrop of wall-to-wall media coverage, the most significant change to data protection legislation for a generation became enforceable in the shape of the General Data Protection Regulation (GDPR). Whether the regulation, and the related Data Protection Act 2018 which gave it effect here in Ireland, did represent such a seismic shift in the rights of data subjects and the corresponding obligations of those controlling personal data is debatable. On reflection, it appears to have represented more of an updating and extension of the rulebook which previously governed this space to acknowledge the advances of technology and data management practices.
Irrespective of the scale of the real change brought about by the GDPR, it has had an undeniable impact which no successful business can ignore – how their personal data will be safeguarded is now a key consideration for individuals when they choose any service provider including their legal advisors. This scenario has forced service organisations, across the EU and beyond, to establish projects to ensure they can robustly manage the personal data shared by their clients or customers and present themselves as reliable guardians of such data. Legal practices are not immune from this important development with respect to client expectations and many have instigated projects over the last year to ensure they comply with their data protection obligations with respect to the equally important constituencies of clients and staff.
Given the passage of time since the introduction of the new regulation and the emerging insights into the practical business implications arising from its implementation, we are now seeing demand from our clients to review their approach to personal data management and the success of their delivered GDPR compliance projects. Such evaluations typically have three goals:
- to ensure the organisation is appropriately complying with its current data protection obligations;
- to identify opportunities to optimise the efficiency and effectiveness of the activities which underpin such ongoing compliance; and
- to ensure the level of resources applied to achieving compliance is appropriate.
It seems likely that the leaders of legal practices, regardless of their size and the focus of their services, will also be interested in such a health check review of their data protection approach.
Based on our project experience to date, the exact remit and scale of such reviews will require tailoring to reflect the nature of the data risks faced by each entity. Nonetheless, we would encourage those considering commissioning such a data protection health check review to ensure the four key elements set out below remain within scope:
1. Data protection policies
A series of concise data protection policies is necessary to serve as the foundation of the data protection regime of any legal practice. Key policies will include:
- data retention;
- Data Subject request management; and
- data breach management.
It is imperative that these policies have been properly communicated to all personnel and are underpinned by robust procedures. Ongoing adherence to these policies must be periodically monitored by the appointed Data Protection Officer and/or other personnel with compliance responsibility. The data retention policy is generally regarded as the most critical of the data protection policy suite given that, in conjunction with an Information Asset Register, it seeks to address some important topics including the:
- key sets of personal data held by the practice;
- role of the practice and whether it acts as a Data Controller or Data Processor with regard to each dataset;
- legal basis on which the practice relies for processing the data; and
- current retention period for each dataset.
Thus, the review of the policy (and the related register) and adherence to same is a central aspect of the review.
2. Data Subject request management
Readers of recent annual reports from the Data Protection Commissioner (DPC) will already be aware that a significant portion of the complaints reported by Data Subjects centre around two scenarios – Data Controller responses to Data Subject requests and the management of personal data in the context of data breaches. Hence, a practice’s approach to both requires attention if interest from the recently established Office of the Data Protection Commission is to be avoided.
Data Subject requests may include applications for copies of personal data held regarding a Data Subject or subsequent requests for data to be corrected or erased. Many of our clients are currently experiencing a significant increase in the volume of Data Subject requests received since the GDPR came into force. It is, therefore, vital that the internal processes to acknowledge a request and comply with same, within the specified timelines, are lean if the costs of such compliance activity are not to increase markedly.
Within the context of a legal practice, it is particularly important that those charged with managing Data Subject requests are equally aware of the data they must provide to Data Subjects and where applicable exemptions exist to allow such requests to be rejected (or partially complied with) so as to not compromise future legal proceedings.
A review of how such recent requests have been managed is likely to present opportunities for both learning and process improvement.
3. Potential data breach management
Data breaches occur in every organisation. Simple user errors, such as sending an email to an unintended recipient, are commonplace, whilst cyber-attacks represent a growing risk to all professional services firms. It is, therefore, very important that such scenarios are managed with rigour.
Due to the short timeline (72 hours) within which an actual data breach must be reported to the DPC, it is necessary to have effective internal processes in place to support the reporting of potential breaches and the subsequent documentation, evaluation and recording of same within the required registers by the DPO or other capable personnel. If reporting to the DPC or affected Data Subjects is required, such communications will require careful drafting and may require input or agreement from third parties including insurers or public relations advisors.
A review of the management of such potential breaches is likely to yield possibilities to further hone the process whilst sharing summaries of real-life breaches is useful in terms of boosting staff awareness of the risks around data practices.
4. Documents which govern data processing or sharing
Normally, the sharing of personal data between a legal practice and its client will be governed by a Letter of Engagement which will include content setting out the obligations of the practice with respect to the data concerned and whether it will be acting as a Data Controller or Data Processor within the business relationship.
Given the increased interest from Data Subjects in how their data is managed and the larger penalties which can be imposed by the DPC on organisations which do not meet their data protection obligations, our clients are very focused on properly governing circumstances where they proceed to share such personal data with other organisations. Typically, such scenarios are governed by either Data Sharing or Data Processing Agreements. The latter usually govern scenarios where data is being shared with a contracted provider to allow the delivery of services to the legal practice in line with agreed specifications or instructions. Data Sharing Agreements, whilst similar in nature, relate to the sharing of data with a party which will act as a Data Controller in parallel with the legal practice, for instance, another legal firm or a professional expert.
A review of samples of each document will build confidence within the organisation that Letters of Engagement, Data Sharing Agreements and Data Processing Agreements are being used appropriately (based on the nature of the business relationships) and that their content is robust and properly governs the risks associated with such data sharing. Meanwhile, a review of the registers being maintained for each document type will provide some insight into the extent of the use of such agreements to manage data sharing arrangements. In the post-GDPR era, the process of agreeing the content of such documents can require considerable resilience as both clients and suppliers can be cautious about signing up to agreements which can include onerous or complex data protection terms.
In addition to the priority matters set out above, a data protection health check could also explore other relevant topics such as the quality of the Technical and Organisational Measures underpinning the data protection regime, the level of staff awareness of both data protection risks and procedures and the progress of the organisation in complying with its stated retention periods via the conduct of data purging.
Ultimately, the value of such a review will be twofold in nature. It will identify shortcomings in the current approach which need to be addressed to boost compliance with the current legislation and best practice whilst also identifying those areas where current practices could be adjusted to improve how compliance is achieved. The outcome of such a review is likely to inform the scope and conduct of a further GDPR compliance project to enhance your data protection approach. Is it time you checked the health of data compliance in your legal firm?
*As published in the Law Society Gazette, Jan/Feb 2019 issue