The regulation around personal data protection and privacy requirements is tightening and the penalties for businesses that fail to comply are higher than ever before.
The European Union’s General Data Protection Regulation (GDPR) is a buzzword among many in the sector. The enforcement deadline has passed and we’ve already seen the first complaints lodged, but what does it mean for Australian law firms?
The GDPR aims to give EU residents more control over their personal data and how it is used. Under the regulation, EU residents can request that organisations holding personal data about them stop using it, transfer it or, ultimately, delete it.
The regulations, which came into effect 25 May 2018, require organisations to obtain explicit consent from owners when collecting personal data. They must demonstrate that they have proper controls over the processing and security of personal data, including how it is stored, kept up to date, accessed, transferred and deleted.
So why should these principles matter to an Australian law firm? If you represent clients with an EU presence or base, hold data relating to EU residents (whether clients or third parties) or process this data, you are bound by GDPR.
Law firms are considered controllers and processors of their clients’ data, and while you’ll already be familiar with stringent data protection protocols and client confidentiality, it is essential that you’re aware of and compliant with GDPR regulations, for the protection of your clients and your firm.
Email is especially prone to GDPR violations given its role as a medium for sharing and storing client personal data, as well as its vulnerability to cybercriminal exploits.
Many businesses have rushed through updates to their policies and processes to ensure GDPR compliance by the deadline; however, the reality is that the majority of companies, including law firms, are not ready. A recent Harvey Nash/KPMG CIO survey found that 38 per cent of the global organisations that responded are not compliant with the GDPR, despite undertaking measures to improve data privacy. Ironically, a number of companies that sent unsolicited emails to customers to inform them they were compliant demonstrated non-compliance in doing so!
Client data management is integral to the continuity of any practice and when it comes to preparing to manage and adhere to global data regulations, like GDPR, law firms need to think beyond traditional, defence-only security and instead implement a holistic plan. The plan should embody advanced security, business continuity, data protection and end-user empowerment.
A common misconception is that a world-class security system amounts to robust data privacy, which just isn’t true. A security system is simply a fortress around the data, while privacy specifically relates to the lawful collection, use, sharing, storage and transfer of that data.
Law firms should take a step back and reassess all of their security and personal data collection policies, and update any systems they have in place to ensure the risk of a data breach is minimised.
Naturally, legislation will continue to reform and update to keep up with the changing technological landscape and the personal data and privacy policies at your practice should evolve in the same way.
It is a great opportunity to turn the privacy approach and legislative compliance of your firm into a competitive advantage.
This raises the question, “what does this mean for your clients and claimants?”
Under GDPR, it may be easier for clients who suffer “material or non-material damage” as a result of a data breach to bring claims for compensation. The penalties for businesses that fail to comply are higher than ever before. Google and Facebook have already been hit with complaints.
But it’s not just claims on behalf of your clients that you need to be aware of; as lawyers, you may often come into contact with significant and highly confidential categories of personal data, and you could be exposed to substantial fines if you fail to keep client data secure.
Businesses that do not follow the data processing principles (such as having a legal basis for processing), that ignore individuals’ rights over their data, or that transfer data to another country can face penalties of up to €20 million (approximately AU$32 million) or 4 per cent of their global annual turnover, whichever is greater.
Furthermore, companies that fail to meet the 72-hour data breach notification deadline could face a penalty of up to 2 per cent of their annual worldwide revenue, or €10 million (approximately AU$16 million), again whichever is higher.
There is no doubt that GDPR has introduced complex challenges for businesses globally and the true impact of the legislation is unknown; however, the regulation also presents some important opportunities for your clients and your firm.
Nick Lennon is the Australian Country Manager for Mimecast.