How will GDPR affect law firms in the UK?

Are you worried about the impact that GDPR will have on your business?

Well don’t!

We discussed the issue in our latest webinar, ‘Get Ready for GDPR’ on 9th November 2017.

A Bit of Background

The General Data Protection Regulation (GDPR) comes into force on 25th May 2018 and replaces the current Data Protection Act 1998 (DPA). The new regulation imposes much stricter requirements on data protection than the DPA did.

What’s the point?

GDPR is being introduced to modernise the law so that it keeps up with new technologies. The world has changed massively since the DPA 1998: the largest threat to data is now cyber-crime and malicious software such as ransomware. This risk would not have been considered as seriously in the fledgling days of the internet back in the late nineties, so the time has come for change.

A 2015 Eurobarometer survey found that: 81% of people feel they don’t have complete control over their personal data; 89% believe they should have the same rights and protections over their personal information regardless of the country in which the organisation offering the service is headquartered; and 69% believe that collecting their data should require their explicit approval.

GDPR brings in a standardised level of regulation across the EU and helps to ease the concerns raised in the survey above. You can find more on what GDPR introduces here.

So how will GDPR affect law firms?

It’s clear that GDPR will affect all law firms and it is important that all firms start preparing now.

  • You will likely need to appoint a Data Protection Officer (DPO). A DPO must be appointed if you carry out large-scale processing of special categories of data or of data relating to criminal convictions and offences.
    This can be someone currently within your firm, so long as there is no conflict of interest with their current role.
    There are no specific credentials that a DPO must hold, but they must have a professional working knowledge of data protection regulations.
    The role and duties of a DPO can be found in Article 39 of GDPR.
  • You must ensure that you have specific consent to be able to process an individual’s data.
    Your client must give consent freely, and it must be a specific, informed and unambiguous indication of consent.
    In basic terms, this means that ‘opt-out consent’ is now a thing of the past. Those confusing messages filled with double negatives, designed to tie people in knots about whether they are agreeing to have their data processed and to receive marketing emails, are no more. You must now receive clear consent from the individual via some affirmative action.
    In reality, this means simply having a tick box saying ‘I agree to the terms and conditions’. As long as the tick box isn’t pre-ticked, the terms and conditions are clearly laid out, and you only contact those who have ticked the box, you will be compliant.
    Any current clients or contacts you have will also need to opt in, so it is important to run an opt-in campaign before May 2018 to ensure that you can still contact them.
  • Make sure you do plenty of research into the new requirements and ensure that all of your staff are properly trained. After all, the biggest threat to your data security, and the most likely way you will be affected by cyber-crime, is your staff.

So what’s all the fuss about?

Most of the headlines have been around the punishments for a breach of the regulation.

Under GDPR, the ICO has the power to hand down fines of up to €20,000,000 or 4% of a company’s worldwide turnover, whichever is higher. Pretty scary stuff, and great for headlines. But the reality is that such punishments will likely be few and far between.

To put this into context, the largest fine handed down pre-GDPR was the £400,000 fine imposed on TalkTalk following its loss of thousands of customers’ data in 2015.

But the ICO isn’t in the business of handing down massive punitive fines and putting firms out of business. It is simply trying to improve data protection practices. So as long as you can show that you have processes in place, and that they are being followed, you will be compliant with GDPR and won’t see anywhere near the fines that have been mooted in the press.

So what are DPS Software doing to help their users be compliant?

We have made a number of software changes and enhanced the way our users communicate with their clients. In short, we are using the necessary GDPR changes to enhance the software and make our clients’ experience of it far better and more professional. What’s more, we have adapted all our hosting contracts to ensure that our clients are covered for the data processor role that hosting companies are obliged to fulfil.

We’ll be rolling out these changes early next year and will hold a webinar to demonstrate them in February or March, so be sure to look out for that.

There is a great benefit in being hosted by us, as we are an informed data processor and can help you to remain compliant.

To find out more about our hosted IT services, click here or call us today on 020 8804 1022.

If you would like to view the webinar, please email clientservices@dpssoftware.co.uk.