GDPR you ready? by Janine Parker, Paragon LawSelect
This article was originally featured as a column in the March issue of LPM. To read the issue in full, download LPM.
The EU referendum result and the subsequent focus on Brexit have distracted us all from one very clear reality: the General Data Protection Regulation (GDPR) will soon be upon us and will affect us in numerous ways.
Ironically, the government has confirmed that whether the UK is in or out of the bloc, we will be following the EU's GDPR from May 2018. There is a great deal of resource online that addresses the details of the new regulation, but let's focus on the potential impact for law firms.
Regardless of size, your firm will likely hold a significant amount of sensitive personal data, which the EU defines as: "Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data." Data relating to criminal offences and convictions is addressed separately (as criminal law lies outside the EU's legislative competence).
The identity check you carry out on clients to protect your firm against fraud is suddenly an area of exposure when it comes to GDPR. Passport information, bank details, addresses and, for firms carrying personal injury work, medical information: the list is endless, and it quickly amounts to records in the tens of thousands, even for a relatively modest practice.
Should you lose this data, whether through human error or cyberattack, there will be requirements under the new GDPR. Timescales to meet (notification to the Information Commissioner's Office within 72 hours of becoming aware of a breach that puts individuals at risk), monitoring of lost data, notification obligations to the affected individuals and potential fines from the ICO are all on their way.
Anecdotal evidence suggests that one in three firms has already suffered a breach, hack or loss of data that would require a response under the new regulation. Many firms are blissfully unaware of how vulnerable their IT systems and infrastructure actually are. Outsourcing these services does not afford you any additional comfort: your firm remains the data controller and is still responsible for the data, so always read your contracts with these providers with the utmost attention and diligence, and check what they commit to on security measures and breach notification.
You'd be amazed how many different attackers are interested in your systems and all the information you have to offer. They can find a way in through imaginative means; don't forget that human error and social engineering are among the largest causes of breaches. The 'fox' is constantly patrolling the perimeter fence, and the posts are nowhere near as secure as you might think. Often the fox is already in the pen and is trying to find a way out with your data. Always think carefully before connecting your phone directly to your computer at work.
What can be done? Cyber is the most rapidly expanding class of insurance at the moment, and it is becoming more and more complex. There are existing products that not only offer a limit of indemnity but, perhaps more importantly, give you access to third-party expertise that can help you avoid data breaches and support you should one occur. It is a consultancy package that, if purchased separately, would cost significantly more. The real question is: can you afford not to explore these offerings?