Are You on Track or About to Get Run Over by GDPR Compliance?

February 13, 2018 by Marco Maggio

With most law firms’ 2018 IT initiatives now under way, it is worth a reminder that the European Union’s General Data Protection Regulation, commonly known as GDPR, becomes enforceable on May 25, 2018, just under four months from now.  As Director of All Covered’s U.S. Legal Practice, I’ve been very surprised in my recent travels by how many firms I’ve spoken with are unaware of the core tenets of GDPR, and by how many still have questions about whether the GDPR applies to their firm at all.

For this post, I’m focusing on the GDPR definition of personal data, how it might apply to a U.S.-based legal practice, and some important elements to keep in mind as you assess and prioritize GDPR within your IT strategy.  If you have not yet started the compliance process, time is running short, so I’ll also cover general steps you can take to get started immediately.

The European Union treats the protection of personal data as a fundamental right of individuals.  The regulation’s definition of personal data includes obvious items such as an individual’s name, mailing address, phone number, or email address.  It also covers online identifiers such as IP addresses, cookie strings, and mobile device IDs.  The regulation further defines “special categories” of personal data (commonly called sensitive personal data) that are subject to stricter protection requirements.  This category includes information on an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, health, sex life and sexual orientation, trade union membership, and biometric and genetic data such as fingerprints, facial recognition templates, and gene sequences.

As I stated above, we continue to receive questions from U.S.-based clients about whether GDPR requirements apply to their practice.  Tim Coker, All Covered Security Practice Manager, shared: “Domestic firms who do not represent clients in the EU might assume they are exempt, but we have seen connections to EU personal data manifest in ways that might not be obvious.”  Consider, for example, an estate law practice representing a U.S.-based client in the administration of a will or trust whose beneficiaries or trustees reside in the EU.  Any data that identifies, or could be used to identify, those individuals is subject to protection under GDPR.

In understanding the GDPR requirements, here are a few other things to keep in mind:

  • Compliance requirements for many aspects of GDPR are more stringent than those of the Data Protection Directive (95/46/EC) it replaces.  Don’t assume that you are compliant based on previous reviews and audits.
  • EU legislators felt organizations had not previously taken data protection seriously enough, so the maximum penalties in the GDPR have been increased significantly to ensure attention at the C and Partner level.  Penalties range from warnings, reprimands and corrective orders for lesser infractions to administrative fines of up to €20 million or 4% of total worldwide annual turnover, whichever is greater, in the most egregious cases.
  • Compliance steps may seem onerous for firms whose practice only occasionally involves EU entities, but the regulation applies to any organization, wherever it is located, that processes personal data of individuals in any of the 28 EU member states in connection with offering them goods or services or monitoring their behaviour.
  • If your firm is ISO 27001 certified or has aligned its controls with ISO 27002, you likely have a head start toward GDPR compliance.  However, being ISO certified or following other leading frameworks does not fully meet GDPR requirements, so it’s important to understand where the gaps are.  An experienced ISO assessor like All Covered can help.

If you’ve fallen behind in your GDPR assessment and remediation, the best way to make progress quickly is to focus on the basics:

1. Understand the law.  I realize it’s a pretty obvious step for legal clients, but any compliance initiative starts with understanding your obligations under the regulation.

2. Locate and understand your data.  Assess what personal data is collected, processed and stored, where it lives, and which of it is regulated.  Don’t forget to include any third-party data collectors and processors in the review, since you remain responsible for data they handle on your behalf.  Document everything; GDPR Article 30 requires most organizations to maintain written records of their processing activities.

3. Assess your risk.  Review privacy policies and procedures for all personal data.  Apply security measures to production data containing core assets first, and then extend those measures to backups, archives and other repositories where copies of the same data reside.

4. Review your practices for communicating data processing and documenting consent with your clients.  Ensuring that individuals specifically consent to the collection and processing of their personal data is a major theme within GDPR.  Keep in mind that consent is only one of several lawful bases for processing; where you do rely on it, it must be freely given, specific, informed and unambiguous, and you must be able to show how and when it was obtained.

My team and I have helped dozens of firms address compliance and other complex IT challenges specific to the legal industry.  If you need help assessing your GDPR, NIST, HIPAA or ISO 27001 readiness, or any other legal technology or compliance initiatives, contact us here.

About Marco Maggio: 

Marco is the U.S. Director of All Covered’s Legal Practice and is responsible for the strategy, marketing, and education of the national Legal Practice at Konica Minolta.  Marco owns the legal vertical portfolio and holds key client and vendor relationships for a myriad of best-in-class legal applications.  Marco held executive leadership positions at organizations such as Lanier, Mosaic, Ricoh and Hewlett Packard before joining Konica Minolta, is a regular speaker for industry associations, and is a regularly published author on technology relevant to the legal industry.

About All Covered: 

All Covered provides law firms and legal departments support across the entire IT spectrum, from optimizing resources to maintaining infrastructure and legal applications to migrating to the cloud.  With over 800 engineers in more than 35 locations nationwide, All Covered empowers law firms with enabling technology and industry-specific solutions and services so that our clients can simply focus on the practice of law.