New EU Data Protection legislation: what does it mean for businesses?
With law firms far from alone in adopting tech innovations as part of their daily practice, the EU has stepped forward to bring in new data protection regulations that will see companies – including law firms and chambers – re-examining their business practices.
The new EU General Data Protection Regulation (GDPR) will be adopted by the end of 2015 – once a certain amount of wrangling over detail has been completed – and will likely come into force by 2017. That leaves plenty of time for firms to check that their use of legal tech innovations, and the way they manage client data, doesn’t lead them into difficulty – but it’s worth taking an early look at the Regulation and its implications.
Current data protection law is based on the EU Data Protection Directive 95/46/EC, and the GDPR has been developed after long-running discussions dating back to January 2012. There are implications for businesses – including law firms – and for authorities such as police and other legal bodies.
Important changes set out in the GDPR are as follows:
An increase to the number of businesses which will have compliance obligations under the new laws;
Greater rights for individuals regarding the use of their personal data, including ‘the right to be forgotten’;
Significantly higher penalties for breaches of the legislation, of up to €100 million or up to 5% of annual worldwide turnover;
Restrictions on targeted advertising;
Tougher requirements on securing consent to process personal data; and
Legal compliance obligations for those functioning as ‘data processors’.
Of course, law firms and chambers sit well within the scope of firms handling sensitive and personal data, not least when using tech innovations such as eDisclosure and eDiscovery in which data is handled, shared and stored across numerous platforms.
It’s important, then, to note the implications of non-compliance. Failure to check that your firm is up to speed with the new regulations by the time they come into force could have catastrophic consequences: significant fines of up to €100 million could be levied. There are also some stringent requirements on reporting breaches – they must be reported to the relevant authorities within 72 hours, and indeed ‘if feasible’ (something rather up for debate, and one imagines future wrangling in court over the definition of feasibility) within 24 hours. Companies (including law firms) will be required to employ a data protection officer.
At Legastat, our expert litigation support professionals not only remain ahead of the curve on the latest in legal tech, but understand the broader legislative and regulatory framework. If you need advice on how to ensure your firm or chambers thrives in the twenty-first century legal marketplace, we can advise on all aspects of your legal tech practice – including your duties under data protection regulations.