Is your firm preparing for the new GDPR regulations?
The European GDPR applies to all law firms handling data of EU citizens.
The British government has advised that it will implement the European Union’s General Data Protection Regulation (GDPR) from 25th May 2018.
This means that any company handling data relating to EU citizens will be required to comply, as the GDPR will affect organisations operating within the EU and those outside of the EU that provide products and services to customers within the EU.
When the current Data Protection Act was implemented in the 1990s, only large organisations had the means to collect and record large amounts of data. In today’s society, however, many SMEs collect, store, move and access personal data. This has given cyber criminals the opportunity to take advantage of major data breaches and steal personal information.
The new GDPR regulations will concern all companies which fall into two brackets: ‘controllers’ and ‘processors’. These definitions are similar to those defined in the current Data Protection Act 1998, which states that controllers say how and why personal data is processed and processors act on the controller’s behalf.
GDPR will place specific legal obligations and liabilities on processors, such as maintaining records of personal data and processing tasks.
Controllers will also be required to ensure all contracts with processors comply with GDPR.
Additionally, there are some other requirements that UK companies will now have to consider, such as accountability. The GDPR obligates you to demonstrate compliance by design, which includes verifying that adequate systems, contractual provisions, documented decisions about processing, and training are in place within your organisation.
As with the Data Protection Act 1998, GDPR does apply to personal data recorded about employees. However, the GDPR’s definition is broader, as it considers any data that can be used to identify an individual to be personal data, which will now include genetic, social, cultural, economic or mental information etc.
Sensitive personal data, known as ‘special categories of personal data’, is comparable to that under the Data Protection Act 1998, but there are some changes that will need to be managed, such as genetic data and biometric data where handled to identify an individual. GDPR also gives an individual the right to request that personal information is erased at any time.
Companies that do not comply with the new law may incur large penalties that can increase substantially.
While these changes don’t come into effect until 2018, there is a lot to be done and to consider in the meantime.
With this in mind, Searches UK recommend conveyancers and solicitors attend the Inside Conveyancing & Legal Update Conference on Thursday 25th January at Birmingham Library, where Paul Saunders, Managing Director at Legal Eye, will be providing all the details conveyancers and solicitors will need to know about GDPR.
For more details about this event or to book your place, please click here.