As the GDPR compliance deadline looms, do you understand the legal basis on which your law firm uses personal data? The rules of when and how your law firm can process the personal data of your clients will change under GDPR, and it's important you're able to show your processing systems are lawful.
Under the new GDPR regulations, you may need to halt processing that is not compatible (like providing data to third parties) and limit the types of data you collect to those you specifically need. When the scope of a case is unknown this might be challenging, so firms may need to step up reviews of what is collected by staff to assess whether it is relevant and necessary.
When and how can my firm process the personal data of clients?
Article 6 GDPR provides that processing shall be lawful only if and to the extent that at least one of the following applies:
- there is consent from the data subject,
- it is necessary for the performance of a contract with the data subject or so that a contract can be entered into,
- it is necessary for compliance with a legal obligation,
- it is necessary to protect the vital interests of a data subject or another person,
- it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
- it is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
If you rely on consent you need to ensure it is requested, obtained, recorded, tracked, and amended as required under the GDPR. Consent must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. Individuals have the right to be informed of how their personal data will be used, by whom, for what purposes, for how long, and more.
For special categories of personal data (i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs), consent must refer expressly to these data. There must be some form of clear affirmative action – or in other words, an opt-in. This means that consent cannot be inferred from inactivity or pre-ticked boxes.
Consent can only be implied to the extent that it can be implied from the data subject’s relationship with the company. For example, if a firm was providing services then it is assumed that the data can be used for the purposes of carrying out those services. However, to send the client marketing emails, the firm should have explicit consent.
Furthermore, where processing is based on consent, consent has to be verifiable, meaning the controller must be able to provide proof of consent. As such, law firms will need to review whether documents and consent forms are up to the job. Requests for consent must be clear and straightforward, and separate from other terms and conditions. On top of that, individuals have the right to withdraw consent at any time, and your system for recording consent must be flexible enough to remove details upon request.
Finally, relying upon consent from clients does not necessarily mean you can use data for other purposes without renewed consent. You may need to find an alternative legal basis or you must cease or not start the processing in question.
Is your law firm GDPR ready?
To help your law firm prepare for GDPR compliance, get your copy of our latest whitepaper where we dive into the five key things to understand about your new obligations, their practical implications, and how to keep client data protected:
- The legal basis on which you use personal data
- The rights of your clients
- Your firm’s accountability
- Your obligations in the event of a data breach
- How legal technology can help
GDPR compliance is too important to leave to the last minute – start 2018 on the right foot! Get your copy of our GDPR white paper for law firms.