Opportunities Abound In Law Firm GDPR Compliance

Mar 17, 2020 | law firms

Twenty-one months have passed since the implementation of the GDPR.  The desperate flurry of data mapping, consent gaining, and compliance training is but a distant memory, obscured behind the day-to-day pressures of billings, client demands, and other regulatory procedures. Yet, there is no escape from the fourth industrial revolution. The speed at which technology is blurring the lines between the physical, digital, and biological spheres is without precedent.  Every single industry and the lives of all people are being impacted. 

Progressive law firms around the world are already investing in AI and machine learning to enhance efficiency and accuracy in areas such as eDiscovery (eDisclosure) and building platforms connecting case management, document management, and even libraries to allow multiple lawyers from several firms to collaborate on the same client matter. Risk and compliance, including GDPR, can benefit from technology in the same way. Clients are now highly educated in their data protection rights and other organisations will use data subject access requests (DSARs) as a litigation tactic or as a “‘fishing expedition’ to obtain either pre-action disclosure or disclosure whilst proceedings are ongoing”.

However, GDPR compliance is more than risk management.  In a world where a company’s reputation can be shattered with a single tweet, investors and clients want assurance that any law firm they work with has robust compliance structures in place.  Rather than viewing compliance around data protection as a cost, law firms should recognise its potential for gaining a competitive advantage.

Keeping your reputation crisp

Reputation is everything in the legal market.  And there is no faster way to lose your firm’s good name than to find yourself subject to a GDPR breach. After all, commercial and charitable organisations rely on legal professionals to advise them on GDPR compliance.  

There were hundreds of data breaches reported from law firms around the world in the past five years.  Many of these breaches have resulted in the leaking of client information.  In 2019 alone, the Dutch Data Protection Authority (AP) received nearly 27,000 data breach reports, an increase of 29% on the previous year. 

One area of due diligence that law firms often miss is ensuring that data breach reporting obligations are recorded in every third-party contract where the third party deals with personal data.

An example would include an eDisclosure/eDiscovery supplier who retrieves, analyses, and produces disclosure documents.  To avoid such due diligence missteps, law firms can use cloud-based software to record the compliance steps taken when drafting supplier contracts.  This ensures that the crucial step of providing for immediate data breach reporting is not missed in the terms of your law firm’s agreements.

Managing Data Subject Access Requests

Law firms hold vast amounts of sensitive and confidential information, both on a commercial and personal level. Practices specialising in personal injury claims, family law matters, large corporate transactions, and civil litigation, are particularly vulnerable to both data breaches and complex DSARs.

One of the biggest areas of data protection law overhauled by the GDPR is the right of a person, under Article 15 of the GDPR, to access their personal data held by a particular organisation. 

Furthermore, anyone is entitled to ‘Supplementary Information’ relating to:

  • the purpose of the processing relating to his or her personal data
  • the categories of data concerned
  • the recipients of the data
  • how long it will be held for, the right to have the data corrected
  • what limitations relate to the processing, rights of deletion and objection
  • the right to make a complaint
  • the source of the personal data
  • the existence of automated decision making (e.g. profiling)

Additionally, if data is being sent to a country outside the EU, for example in a trans-Atlantic M&A deal, a person can demand to know what protections your law firm has put in place to ensure a secure transfer.

Data controllers have 30 days in which to respond to the request and it is very unlikely you can charge a fee for any of this activity. 

It takes less time to do things right than to explain why you did it wrong

Most solicitors wish for an extra few hours in the day.  Demands from clients and regulators mean many days fly by where nothing is achieved other than answering emails and phone calls.  It is no surprise that further regulatory demands in the form of the GDPR, DPA 2018 and the Dutch GDPR Implementation Act have stretched compliance capacity to breaking point in some organisations.

Law firms are not alone; most industries have a dismal GDPR compliance record.  Latest statistics show more than 160,000 data breaches have been reported across the EU, with the Netherlands having the most data breaches per country (40,647). Significant fines are now being logged.

Fortunately, following the coming into force of the GDPR, a wealth of support companies have sprung up to help organisations manage their compliance challenges.  From data mapping to record keeping, law firms can be confident that third parties are available to alleviate resource pressure and ensure continued compliance, even as regulatory guidance changes.

For example, cloud-based software can help law firms:

  • Gain insight into how personal data is processed and where it is held
  • Detect the vulnerable applications within the organisation
  • Register data breaches in a clear, concise, compliant way
  • Increase privacy awareness within your company

Such software can also help legal practices establish if a Data Protection Impact Assessment (DPIA) is required prior to beginning a specific project or client file (such as a multi-national M&A or civil litigation), and if so, provide a centralised system from where the information relating to the DPIA can be sourced and stored.

Firms should also consider whether a Data Protection Officer (DPO) should be appointed.  Although most legal practices will not be required to appoint a DPO under Article 37 of the GDPR, firms should consider appointing one on a voluntary basis and document their reasons for choosing to do so (or not to do so, as the case may be).  A DPO can be an internal appointment or services can be sought from an outside supplier.  However, they must comply with the rules set out in Articles 38-39 of the GDPR.

Gaining your competitive advantage

Data protection is an area which is constantly growing and developing.  Therefore, law firms that invest in monitoring risk, identifying opportunities, and ensuring compliance year in, year out, gain a significant competitive advantage.

Firms that tender for large corporate work now find their compliance practices and reputation under extreme scrutiny.  This provides further reason to see GDPR compliance as an investment and profit generator rather than an expense.  And as firms move towards becoming Alternative Business Structures and limited companies, superior practice management, compliance resources, and training are qualities investors greatly value.

Rather than put more duties onto already stretched staff, explore the compliance software offerings available and select one that helps you swiftly achieve your GDPR compliance objectives.  Only then can you explore the prospects contained in the data you have.


At PrivacyPerfect, our objective is to contribute to a world where people trust businesses through compliance. We strive to achieve this through offering a cloud-based, easy-to-use software for GDPR compliance, making organisational privacy efforts painless through simplicity and compatibility. Try our SaaS solution for yourself via our 14-Day Free Trial, and explore the possibilities. Or sign up to our weekly newsletter to make sure you stay up to date on data protection news and content related to law firms. If you have any questions, please do not hesitate to reach out to us via info@privacyperfect.com.