GDPR Action Plan for Lawyers – fill in the gaps and stay compliant

A year after the EU General Data Protection Regulations (GDPR) has come into force, the requirements have shaken things up for the way law firms treat their data and have forced lawyers to take a series of steps in order to remain compliant and prevent any costly breaches.

It’s as if lawyers aren’t already inundated enough managing the relentless flow of tasks and keeping up with clients’ demands. With the host of requirements under the GDPR and with all the risk attached to non-compliance, you might understandably be feeling a little uneasy.

This post explains what aspects of data management are affected by the GDPR and how practice management software can help. And because it doesn’t hurt to double-check where you are at in your GDPR compliance journey, we’ve mapped out a basic GDPR action plan to help you fill in the gaps. But remember, compliance is a continual effort so it’s important that you are taking these steps throughout.

When is GDPR applicable?

Just keeping a list of contacts makes your company subject to the GDPR regardless of size or industry. And all aspects of processing data are targeted, this includes exactly how it is collected, recorded, stored, structured, organised, modified, used, disseminated, restricted and deleted.

We recommend abiding by the following two pillars when it comes to your company’s treatment of data:

• Take responsibility for protecting personal data and be able to demonstrate it
• Keep the risks for EU citizens top of mind

Essentially, you are must take all the appropriate technical and organisational measures to fulfill your obligations, so the better positioned you are to substantiate this, the better off you’ll be in the long run.

GDPR action plan

While rules applied by the GDPR need to be converted into specific actions for all organisations because the legal sector is unique and one of a kind, some rules vary for law firms.

Thankfully, practice management software, Kleos, is ready to support law firms through the phases, dedicated to helping them fulfill their obligations in the most robust yet efficient way.

We are pleased to confirm that Kleos meets the requirements of the GDPR, providing you with the safest environment for storing and processing personal data. Additionally, we offer custom services to manage GDPR related documentation, correspondence and processes to save you time on your journey towards GDPR compliance.

Below is an example road map that your firm can follow to ensure GDPR compliance. It’s a great point of reference for keeping you in check:

1. GDPR Internal Policy Awareness – is everyone in your firm aware of the GDPR and its implications? Does everyone know what concrete actions need to happen on a day to day basis? It is vital that this is effectively communicated and documented.
2. Data Security – is your data is safely stored and backed up? Are you fully protected against cyber threats? An ISO 27001 certified cloud-based system like Kleos guarantees bank-grade security and disaster recovery. This will give you peace of mind as well as transfer this part of compliancy obligation to your cloud provider.
3. Data Process Registers – The Privacy Commission suggests using the data process registry as an accountability tool to demonstrate that someone assumes responsibility for the processing. Using Kleos you can open a ‘case’ in your legal software and keep an overview of;
   
   
   • Who’s data you are keeping
   • Why it is kept – i.e. “representing interests”, “representation in court”
   • What data is kept for this purpose – i.e. name, address, income, health information, cultural profile
   • Where it is kept – i.e. secure cloud, commercial-grade cloud, on-premise server, filing cabinets. Hint – secure cloud is best!
   • Until when it will be kept – set up rules for the time needed to achieve the purpose of the treatment. Kleos can help you set alerts to be adhered to.
   • How it is kept – technical and organisational security measures. Data stored in Kleos is encrypted, you can easily restrict access within your firm and anti-virus software is constantly updated – all these measures are advantageous for the GDPR.
4. Legal Terms & Conditions – inform your clients about the treatment of their personal data and obtain their explicit consent for commercial communication such as newsletters.
5. Data Breach Reports – a requirement is that you are able to detect a potential breach and report it in time. Using your Data Process Register you can stay one step ahead, or avoid a breach altogether.
6. Answer Client Demands – Data subjects have the explicit right to transparent information and clear communication about the treatment of their data. Among their many rights is the right to portability, erasure and restriction of the processing. Portability requires data to be in a structured, machine-readable format which you can do in Kleos – you will also be better positioned to swiftly respond to their demands or queries surrounding their data.

To find out more about what the GDPR means for law firms and how legal tech can help you become and stay compliant, download our free Whitepaper: GDPR & your law firm.