Skip to the main content

CALL FOR MORE INFORMATION
0344 863 8000
info@arenagroup.net
Sign up for our Newsletter
Email Newsletter icon, E-mail Newsletter icon, Email List icon, E-mail List icon

Advice and Guidance for Legal Firms on the GDPR

Advice and Guidance for Legal Firms on the GDPR

Neil Maude, Arena’s General Manager recently conducted a CPD training session on the upcoming GDPR in partnership with Sheffield Law Society, attended by various law firms across the city. Neil provided an overview of the GDPR and how this will specifically have an impact on legal firms. 

With the wealth of information currently surrounding GDPR, it is important legal firms understand which elements of the new regulations are most relevant to them, how this can have an impact on their organisation, and what are the next steps or solutions required to act upon it.

To be compliant, firms need to understand that GDPR is about managing risk and being accountable for all actions, whilst understanding the benefits and potential costs of compliance. After all, adhering to the regulations isn’t all bad news. Neil recommends that firms take this as an opportunity to organise their data and use this to their advantage.  

Solely keeping data that is required not only makes general day to day working more efficient, but immediately minimises data protection risk by only managing the data you actually need. Firms should also be aware that under the GDPR, the definition of personal data has been extended to any sort of information that can be traced back to a person, and therefore keeping on top of the many forms of data you hold is vital.

In addition to this, the personal data you keep should only be used for the purpose for which it was collected.  If you’re relying on consent to process data, there are more stringent criteria around how consent can be given and in particular data can only be used for the specific reasons for which it had originally been given. Remember, when asking for consent from an individual, silence cannot be treated as consent. The purpose of what the consent is for needs to be specific, freely given, unambiguous and cannot be conditional. Data subjects also have the right to withdraw consent available at any time.

With a risk-based system such as the GDPR, there are no specific statements as to how a controller should fulfil their obligations. Rather, actions need to be taken in proportion to the type of data you hold, with the appropriate technical and organisational measures, and you should ensure your firm keeps a full record of how you are processing and protecting this data.

Law firms generate large amounts of information, with paper case files presenting huge issues for various reasons. This includes storage costs and space issues, general organisation problems and inefficiencies, speed of finding documents, disjointed working and security levels to name a few. Using case management systems and electronic document management software which integrate seamlessly will help firms to combat all of the above scenarios, and more. Documents become searchable and structured, with full audit trails and are highly secure.

In summary, the GDPR requires firms to be more responsible and accountable for all aspects of their data. There is a much higher standard required with regards to an individual’s consent, the rights of data subjects have been greatly enhanced, more stringent controller obligations are needed and breach notifications are required within strict time periods.  Significantly higher potential fines pose a threat to the firm, as does the risk of damage to your reputation in the event of a compliance failure.  

Our Recommendations:

No employee at Arena Group can provide legal advice, however, we can draw on our extensive knowledge and experience to advise our customers on what to do next.
Here are some top tips:

  • Do a trial run
    Randomly select a client and see if you can find all data relating to this individual. How long did this take? How easy was the process? Would changes in the way you store documents and data make this a much simpler exercise next time?
  • Educate your team
    All members of an organisation who handle any documents or data that contain an individual’s information need the awareness of the GDPR and what actions they need to take to comply. The Information Commissioner’s Office have a wealth of information and guidance to help towards compliance, including their ‘12 steps to take now’. It is essential for all organisations to be proactive to avoid any potential problems in the first place.
  • Conduct an audit
    A law firm can do this themselves or this is something one of our experts can come and assist you with. This includes all elements of document and data management, from how the daily post is managed, to what is being printed and how secure this is, to the storage of data and documents. We have a specialist team who conduct company audits to recommend ideas and solutions to ensure you are working more efficiently and securely.
  • Get in touch!
    We would love to hear from you to find out how you are adhering to the new GDPR. If you would like some advice or some new ideas, please get in touch and a member of our team will be happy to talk with you.


View all news

© 2017 Arena Group Ltd | Cookies & Privacy | Terms of use | Web design by eskimosoup | Accessibility

The Arena Group comprises: Arena Group Holdings Limited, a company registered in England and Wales (with registered company number 03735943 and VAT number 734562528) and its subsidiary company: Arena Group Limited a company registered in England and Wales (with registered company number 02168309 and VAT number 458238033). The Registered office of all Arena Group companies is Armitage House, Thorpe Lower Lane, Robin Hood, Wakefield, WF3 3BQ. Authorised and regulated by the Financial Conduct Authority for credit-related regulated activities.