Data Protection and GDPR Compliance

Do you have appropriate systems and procedures to prevent security breaches?

Would your staff know what to do if data was lost or stolen?

What has your firm done to ensure compliance with the Data Protection Act?

The Data Protection Act 2018 (DPA), which brought into force the General Data Protection Regulation (GDPR), has introduced new responsibilities for law firms. When the United Kingdom leaves the European Union on 31st January, the GDPR will be replaced by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. Whilst this will lead to a number of amendments to the Data Protection Act, the UK will remain committed to maintaining high standards of data protection.

Given the vast amounts of highly sensitive personal data handled by law firms, they are under scrutiny. It is not just IT teams that have to ensure that data is held securely with a clear audit trail, data controllers (those who actually use and manage the data) need to be aware of their responsibilities and able to demonstrate that suitable systems are in place and being followed.

The ICO can now issue vastly increased penalties. The upper limit is 20 million Euros or 4% of a firm’s annual turnover, whichever is greater.

Our experts work with law firms to ensure they are in a position to comply with the requirements of the GDPR and DPA. Our services include:

  • a full data protection compliance assessment to analyse your firm’s current data protection measures, identify areas of deficiency and establish what measures will need to be taken to ensure compliance under the new regulations;
  • a review of existing systems, policies and procedures against new regulatory requirements and provision of any necessary new systems, policies and procedures tailored to your firm’s circumstances;
  • training of your firm’s Data Protection Officer (DPO) and staff at all levels of the firm to ensure they have sufficient awareness of how data protection relates to their particular roles.

Following the assessment, we can give you advice and support on all aspects of data protection compliance, in particular:

  • rights of clients and staff in relation to their data held by the firm;
  • client and staff consent;
  • Subject Access Requests (SARs);
  • changes to client care documentation/terms of business;
  • steps to take to safeguard data and monitoring of procedures to keep track of data;
  • physical security arrangements;
  • practical steps to avoid data security breaches;
  • changes to file opening, file management and file closing procedures, risk assessment procedures and file review procedures to ensure adequate consideration is given to data protection requirements;
  • remote/home working;
  • mobile devices;
  • removable media;
  • conflicts and confidentiality;
  • procedures regarding data sharing;
  • necessary steps to take when another company processes data on your behalf;
  • retention and destruction of data;
  • appropriate handling of data security breaches.

I wanted to let you know that we passed our Lexcel assessment with absolute flying colours! The assessor said that our GDPR obligations and Office Manual amendments were ‘head and shoulders’ above any other law firm he had seen since November when the new version came into force! So thank you, again, Jonathan. I really don’t know what we would do without you!

Nicola Singleton, Practice Manager, Francis Wilks & Jones

Learn more about our extensive training programme to help you ensure your staff understand their regulatory compliance responsibilities and are able to prevent fraud and money laundering.