When GDPR was first introduced back in 2018, it marked a significant overhaul for law firms, requiring substantial changes in how they manage data and inform their clients. Over the last few years, working with numerous firms, I’ve observed a lack of significant updates or work dedicated to maintaining these measures once implemented. Often, other regulations take precedence due to the lack of sustained focus on GDPR. Whilst this is not the best approach, it’s fair to say it’s not uncommon.
With this in mind, here’s a reminder of some of the upcoming changes and a few practical tips on how you can best prepare your law firm data for this upcoming change.
Data Protection and Digital Information Bill Overview
- Cross-referencing laws – The new legislation doesn’t replace UK GDPR and the Data Protection bill (2018); it cross-references and amends some of their requirements. Therefore, to read it, you will need to refer to the other two pieces of legislation at the same time.
- Changes to key phrases – the meanings of some phrases, such as personal data, legitimate interests and purpose limitation, have been amended. These will be particularly important to review once the bill is passed, as they are key elements firms need to consider.
- Refined Data Subject Access requests - this is to allow businesses more control over how they manage these requests. The definition is amended to allow for exemptions relating to the reasons the requests are made.
- Adequacy Decisions – this is a rather big change, as the current legislation mirrors the existing EU requirements and is something all firms have been used to since GDPR was implemented. However, this will now be more focused on UK data law and could potentially raise issues with the EU over how the UK monitors and manages such decisions. This is a key focus, and more guidance will be provided on it once the Bill has received royal assent.
- Alternative transfer mechanisms and proportionality of appropriate safeguards – this element of UK GDPR will be changing and will primarily focus around risk assessments when transferring data using an alternative mechanism.
- Rebranding of the DPO – you will no longer require a “Data Protection Officer”; the role will be renamed “Senior Responsible Individual” (SRI). There is a requirement for these to now be in-house, which could pose issues for those firms who have engaged external DPOs.
- Appropriate records of processing of personal data – this element, Article 30, is being amended and may require firms to retain more detail than they currently do. This will primarily affect the firm's Information Asset Registers and data records, as the DPDI is much more prescriptive as to what details must be retained.
- DPIA removal – the requirement to conduct DPIAs has been removed and replaced with an assessment of high-risk processing, making it a voluntary requirement. One thing for law firms to consider is that they retain a high volume of special category data; voluntarily conducting such assessments will be taken into consideration by the ICO and will be a mitigating factor should any investigation or enforcement action take place.
- PECR changes – the changes allow for specific exemptions relating to consent for cookies for certain activities. For firms to rely on these exemptions, a user must be offered a simple means of objecting. Again, we do not expect this to massively impact firms, but you may need to discuss with your IT team how in theory these exemptions would apply.
Whilst the above are not all of the changes, they are enough food for thought as to what the new legislation is going to bring to your firm.
Practical preparation tips
Below I share how best to maintain your measures so they are ready for when the new bill is implemented, hopefully in just a few short months.
- Information Asset Register (IAR) – review it. There is no easy way of maintaining an IAR, but it should be reviewed at least annually or in line with any significant changes to your business. If you understand what information is collected, how it is stored and where it goes, this will help significantly with the new requirements for appropriate records of processing personal data. This document captures all information that flows in and out of your business and shows where it goes; it is incredibly important and should be actively maintained.
- Your Client Engagement Materials – ensure these are up to date with the current legislation (specifically now listing UK GDPR and DPA 18 rather than just GDPR). If you know this information is correct and up to date, it makes it easier to go in and slightly amend the documents when the new bill is implemented. You need a section within your TOB which highlights the individual's rights and all relevant data protection information you need to provide to the client.
- Retention Period review – make sure you’re reviewing when documents require destruction. If you’re not already compliant, there may be a bigger focus on checking how firms manage this once the new bill is implemented. We would recommend conducting an exercise to check your retention periods and make sure files and documents are destroyed when required. This also includes electronic files, not just paper files.
- Policies and Procedures – these are most likely to change in the coming months with slight tweaks, so you may not want to review them now, ahead of the changes, but we would certainly recommend planning in some time to have them reviewed and updated when the changes come into force. I am guessing no later than April for the bill to receive royal assent; therefore, look at your resourcing and earmark some flexible time to make sure this task can be completed.
You may be thinking that these all seem like basic tips, but you’d be surprised at just how many firms haven’t thought about this in some time. Returning to basics and being well prepared can help mitigate the impact of the upcoming bill.