With the General Data Protection Regulation (GDPR) deadline looming this week, Wolters Kluwer’s ELM Solutions recently conducted a survey of law firms to understand their readiness for this historic regulatory change. The results show some work still needs to be done. GDPR is designed to protect the personally identifiable information (PII) of all citizens and residents of the European Union, putting control of that data directly in the hands of the individuals it pertains to, no matter where in the world they reside. While the law firms that responded to our survey are very focused on data security, that doesn’t necessarily translate to high readiness for meeting the new GDPR standards.
More than 90% of respondent law firms characterized data security as a high priority. As a reflection of that, 67% provide data security training annually or have provided it in the last three years. Despite that emphasis on security, however, fewer than half of firms – only 43% – have appointed a Data Protection Officer (DPO) to oversee GDPR compliance and 40% say they do not have a specific process or plan in place for GDPR compliance at all.
Even more concerning is our finding that only 39% feel their firm is very prepared to meet the regulation by May 25, 2018. This is perhaps a reflection of the stringent nature of the legislation, which necessitates a major undertaking for law firms and other organizations. GDPR is composed of 99 articles that dictate how and why PII can be collected, along with the methods for processing, securing and accessing PII.
However, there are signs that many firms are working toward compliance. Half of our survey respondents are making new investments in technology to support GDPR preparation efforts. Most – 72% – are investing in cybersecurity technology. In total, 78% are budgeting $100,000 or less, with 20% budgeting $101,000 to $250,000. These significant outlays reflect the importance of the projects and the severity of potential penalties. Organizations can be fined up to €20 million or four percent of their annual revenue, whichever is greater, if they do not meet the standard by May 25. In addition, corporate legal departments are responsible for ensuring that their outside counsel firms are in compliance with GDPR, so a lack of readiness by firms could have a negative impact on the law firm-client relationship.
We recommend the following steps for law firms working toward compliance:
- Assess your current capabilities. Take stock of your data to be sure that it is current, accurate, and protected. Also, examine your processes to ensure you can respond to data subjects’ requests to access their PII or to be “forgotten.”
- Assign a DPO. The Data Protection Officer, who acts as a central point of accountability, ensures that PII-related requests from EU residents are handled promptly and within GDPR requirements.
- Perform a data protection impact assessment. If any of your clients have asked you to respond to a data privacy risk assessment questionnaire, that questionnaire may also help you pinpoint areas that you have not yet addressed.
- Review data monitoring processes. GDPR requires you to deploy any processes and tools necessary to continuously monitor and control the integrity of PII data.
- Implement high data encryption standards. It is vitally important that you encrypt PII data whenever and wherever possible – certainly within databases and email communications but also in any applications employees use.
- Practice proper data management hygiene. GDPR states that PII shall not be kept for longer than necessary for the purposes for which it was collected. Therefore, you must discard old data when it is no longer relevant.
- Update vendor contracts and other agreements. Carefully review your contracts to ensure that they include privacy language specific to GDPR and address Cross-Border Data Transfer limitations if the PII leaves the EU.
At ELM Solutions, we have undergone our own massive internal readiness project and have helped guide many of our clients through the process as well. We always welcome hearing from your firm as you navigate the complexities of this important regulatory change.