GDPR: New T&Cs Apply

What’s Going on Here?

All those emails you’ve been getting are because the General Data Protection Regulation (GDPR) comes into effect on May 25th in the European Union (EU). 


What Does This Mean?

The GDPR is a set of rules that implements a stricter and more uniform data privacy regime throughout the EU, replacing the 1995 Data Protection Directive. Although it doesn’t change the core principles of data protection law, it expands the existing protections by requiring companies to improve the way they store personal data and giving individuals greater control over their own information. Organisations will have to acquire “unambiguous” consent to collect and process data from individuals, and those who do give consent now have the right to demand a copy of the data held on them, to demand that information be corrected and to request that it be deleted. 


Why Should Firms Care?

Law firms both control and process a lot of sensitive client data therefore it is essential that they are ready to comply with the new rules. To do this they will need to re-affirm the consent of those they currently have data on as well as implementing new measures specified by the GDPR. One such measure is the appointment of a “data-protection officer” who must carry out data-protection impact assessments. The officer evaluates the firm’s data processes and requires authorities be notified within 72 hours if there is a breach. The data-protection officer reports directly to management and cannot be penalised for anything they do in the role, which really highlights the importance placed on data protection.

Th reason it’s being taken so seriously is because consistent failure to adhere to the new guidelines can result in huge fines! The maximum limit has been increased from £500,000 to €20 million (£17.5m). GDPR also makes it easier for clients to bring claims for compensation if their data has been mishandled in any way. Such significant penalties mean that firms cannot afford to ignore the new rules.

Although the GDPR champions the individual’s control over their own data, some have suggested that the new rules are too stringent. Hogan Lovells’ Eduardo Ustaran has said the “[new] legislation is four to five times more complicated than existing law” and they will likely spend “years figuring out what it means to be compliant”. It is possible that firms may outsource their data processes in the future to ensure compliance (to read our recent article on outsourcing click here). 

The balance between individuals’ rights and the interests of firms will be clarified by future interpretation of courts and regulators but given the current privacy concerns, which events like the Cambridge Analytica scandal have highlighted, it is likely that the courts will err on the side of caution and favour a strict approach.


Article written by Connor B.

If you're interested in writing for LittleLaw, click here for more information.