This guide is intended as a summary for our clients worldwide of the EU’s new GDPR legislation coming into effect on 25 May 2018 and aims to provide an outline of how the new rules may affect your law firm from a legal marketing and online business generation perspective. While we will be putting in place various relevant changes to all of our clients’ online assets and strategies as a result, it is recommended you seek a fuller outline and instruct expert advice where necessary to ensure you are compliant well in advance of the legislation's effective date. This information will help small to medium-sized law firms by highlighting some of the main changes in the legislation and will give some recommendations as to what you need to be doing now to prepare for GDPR.
What is GDPR?
GDPR is the General Data Protection Regulation (officially Regulation (EU) 2016/679). A reform of the 1995 Data Protection Directive was proposed in 2012 to address the significant changes seen over the previous two decades in how data is collected and used.
The GDPR was designed to harmonise data privacy laws in the EU, protecting and empowering EU citizens by taking a more stringent approach to data privacy rules and ensuring organisations are more cautious when it comes to handling personal data.
What are the Objectives of the GDPR?
The GDPR is designed to help and guide those with legitimate business interests as to how personal data should be handled and to penalise those who are deliberately ignoring compliance rules.
What is the Scope of GDPR?
The legislation regulates the use of ‘personal data’ and applies to organisations located within the EU as well as organisations outside the EU offering goods and services to EU citizens. It also applies to those organisations holding personal data of EU citizens, regardless of their location.
What are the Key Principles of GDPR?
Article 5 of the GDPR sets out the principles relating to the processing of personal data. The data controller is responsible for compliance with these principles, and should be able to demonstrate their understanding of their obligations under GDPR.
The six principles are:
- Personal data should be processed lawfully, fairly and in a transparent manner;
- Personal data should only be collected for a specified, explicit and legitimate purpose and must not be used for any other purpose;
- The personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Personal data must be accurate and kept up-to-date. Reasonable steps must be taken to ensure that inaccurate data is erased or rectified as soon as possible;
- Personal data should be held for no longer than is necessary for its purposes. The personal data may be stored for longer periods where it is being held for archiving or statistical purposes in the public interest, or for scientific or historical research purposes, and in such cases must be handled in accordance with the measures set out in Article 89(1);
- The personal data should be held appropriately with adequate security against theft, loss or damage.
What is ‘Personal Data’?
Personal data is data that can identify an individual natural person, or that relates to a natural person. Personal data includes items like name, email address and telephone number, as well as biometric and genetic identifying data. Data specific to a person's identity is included, such as health, genetic history, and economic or social data. Personal data also includes ‘online identifiers’ such as IP addresses and location data. It also includes information about a person's public or professional life. It should be noted that the GDPR does not apply to deceased individuals. HR records, customer contact lists and form data will be subject to the GDPR, as will ‘anonymous’ data that can still be used to identify a particular individual. ‘Personal data’ and ‘sensitive data’ are distinct terms and the legislation applies differently to the two types of data. (Data controllers may not process sensitive data unless one of the justifications enumerated in GDPR Article 9(2) applies.)
What is ‘Sensitive Data’?
Sensitive data is data revealing racial or ethnic origin, trade union membership, political opinions, religious or philosophical beliefs, as well as health, sexual orientation or sexual history. It also covers genetic data and biometric data. Data relating to criminal offences and convictions is outside the scope of the GDPR.
What is a Data Controller?
The data controller is ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data'. Your law firm is, therefore, the data controller.
What is a Data Processor?
A data processor is ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.' External organisations who process data for law firms, such as Moore Legal Technology, are ‘data processors'.
Data processors and controllers are now jointly and severally liable.
Under GDPR, data processors are under a direct obligation to comply with data protection requirements which previously applied only to data controllers.
These obligations include:
- The creation of Data Processing Agreements - a written contract must be in place before a processor can process or hold data for the controller;
- Processors may not use the services of a sub-processor without the prior written authorisation of the data controller;
- Processors may only process personal data in accordance with the instructions of the controller;
- Processors must maintain records of processing activities;
- Processors must co-operate with the supervisory authority;
- Processors must take appropriate security measures and inform controllers of any data breaches suffered;
- Processors must, where appropriate, designate a data protection officer (DPO);
- Processors must comply with restrictions regarding international transfers of data.
The GDPR has clarified what constitutes consent and how it might be obtained and used. Consent to the processing of data must be given with a clear and affirmative opt-in action, with full knowledge of who the recipient is and the intended purpose of processing. Data controllers must be able to prove they have consent. Consent must not be implied, or assumed, and will only apply for a specifically identified purpose.
Implied consent arising from pre-ticked form boxes or inactivity will not constitute consent for these purposes. It can only be implied from the data subject's existing relationship with the organisation. A firm that was previously providing ongoing services will have implied consent that the data can be used for the purposes of carrying out those services. However, to be on the safe side, it is advisable to ask for consent to send your existing clients marketing emails.
Data subjects have the right to withdraw consent at any time. This means your firm must be sufficiently flexible to be able to delete data subject details where requested.
If your firm has previously obtained consent, you can only rely upon this consent if the standard of that consent meets the new requirements under the GDPR.
Data controllers must ensure that any data related activity is compliant with GDPR and that the processing has been reviewed and justified. An impact and risk assessment must be carried out to ensure you are compliant in all aspects of your business, and the controller must document and be able to demonstrate their assessment and compliance with GDPR.
Data processing is lawful where it is carried out for one or more of the following purposes:
- Compliance with a legal obligation
- Public interest
- Vital interest (protecting the interests of the data subject or another person)
- Contractual purposes
- Legitimate interests of the controller or a third party
- With consent from the data subject
It is important not only to determine the legal basis for the processing of personal data but also to document it.
When obtaining data, you must write a statement detailing the data subject's right to access, rectify or erase the personal data, the right to portability of the data and the right to withdraw consent or to lodge a complaint. You must also inform the data subject of:
- the identity and the contact details of who is collecting the data;
- the reason and uses for collecting the data;
- the legal basis of the processing and any legitimate interests being pursued by the firm or a third party;
- who will handle the personal data and whether or not the data controller intends to transfer the personal data internationally;
- the length of time the data will be stored, or the criteria that will determine how long it will be stored.
Double Opt-In Process
GDPR rules require that you have permission before communicating with a data subject, and that you hold a provable record of that permission.
A double "opt-in" process in web forms is a way both to ensure and to prove that the person you are emailing has agreed to receive communications from you. The data subject enters their details in a form which, once sent, generates an automatic email asking the person to check their details and confirm their consent. A single opt-in process does not prove that the recipient of the email is the person who completed the form, which makes the double opt-in process necessary in order to comply with GDPR.
As data processors, Moore Legal Technology will be setting up forms on our clients’ websites which will send an email once a person has filled out a form, asking the data subject to complete the opt-in process. Using a relevant form, we can capture the details of their opt-in statement. This way we have a provable account for each contact who has given consent.
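The double opt-in flow described above, as an added example that is not Moore Legal Technology's own code: the form submission only creates a pending record and a single-use confirmation token; consent becomes provable (who, which statement, requested when, confirmed when) only when the token is used, and withdrawal is recorded rather than deleting the evidence. The consent wording, the 48-hour token lifetime and the in-memory store are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed consent wording; a firm would use its own statement and keep every version it has used.
CONSENT_STATEMENT = "I agree to receive marketing emails and understand I can withdraw at any time."
TOKEN_TTL = 48 * 3600  # assumption: an unconfirmed request lapses after 48 hours (seconds)


@dataclass
class ConsentRecord:
    email: str
    statement: str            # exact wording shown at the time of the request
    requested_at: float       # epoch seconds when the form was submitted
    token_hash: str           # only the hash is stored; a leaked table cannot forge confirmations
    confirmed_at: Optional[float] = None
    withdrawn_at: Optional[float] = None


@dataclass
class ConsentStore:
    """In-memory stand-in for the form back end's database (constructed for this example)."""
    pending: Dict[str, ConsentRecord] = field(default_factory=dict)    # token_hash -> record
    confirmed: Dict[str, ConsentRecord] = field(default_factory=dict)  # email -> record


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def submit_form(store: ConsentStore, email: str, now: float) -> str:
    """Step 1: form submitted. Nothing is consented yet; return the token for the confirmation link."""
    token = secrets.token_urlsafe(32)  # unguessable, single use
    rec = ConsentRecord(email.strip().lower(), CONSENT_STATEMENT, now, _hash(token))
    store.pending[rec.token_hash] = rec
    return token


def confirm_consent(store: ConsentStore, token: str, now: float) -> Optional[ConsentRecord]:
    """Step 2: link clicked. Only an unexpired, unused token turns the pending record into consent."""
    rec = store.pending.pop(_hash(token), None)  # pop makes the token single use
    if rec is None or now - rec.requested_at > TOKEN_TTL:
        return None
    rec.confirmed_at = now
    store.confirmed[rec.email] = rec
    return rec


def withdraw_consent(store: ConsentStore, email: str, now: float) -> bool:
    """Record withdrawal; the record is kept so the firm can still show what was consented and when."""
    rec = store.confirmed.get(email.strip().lower())
    if rec is None:
        return False
    rec.withdrawn_at = now
    return True


def may_send_marketing(store: ConsentStore, email: str) -> bool:
    """The only check the mailing code should rely on: confirmed and not withdrawn."""
    rec = store.confirmed.get(email.strip().lower())
    return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None
```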
Can I Contact my Clients Without Consent?
You may still contact customers where there is a clear ongoing relationship, a genuine mutual interest, a balance of interests, and where the processing is expected and appropriate and without infringement of individual rights and freedoms of the individual. Direct marketing could, therefore, be a legitimate use, provided these conditions are met.
Compelling clients to Opt-in
There are different opt-in approaches to compel prospective clients to opt-in. For example, online contact forms can include the opt-in process. For better opt-in rates, we would suggest also offering valuable content in exchange for the customer's consent. For your existing customers, you might simply send them an email series asking them to opt-in.
Can I still Communicate to my Existing Customers Without Consent?
You can communicate service, maintenance and transactional emails and telephone calls. To be on the safe side, we suggest you ask your customers to opt-in first.
Can we Contact Cold Purchased Data Lists?
Once the GDPR comes into force on 25 May 2018, it is unlikely, as you will need explicit consent. It is probably best to buy lists now and try to opt in as many data subjects as possible before May 2018.
Can I Email People who have given me their Business Card?
Unless you can prove and show a consent statement at the time of receipt, simply receiving a business card from a consumer will not be enough to show "provable consent".
A form on a tablet or phone may be a better way to capture opt-in data when networking.
It is worth noting, the GDPR only applies to personal data. Therefore, if you hold an info@ email address that isn't related to a person, technically you can process it.
Is it different for B2B marketing as opposed to B2C marketing?
When your firm is marketing to businesses as opposed to consumers, the rules are slightly different. As the DMA points out, the only difference between B2C and B2B marketers now is in connection with email and text marketing to employees of corporate organisations. When dealing with sole traders or partnerships, the rules governing B2C marketing will apply to B2B marketers, so the general position for email and SMS will be that you will need opt-in consent. For telephone and direct mail, you need to offer an opt-out.
When dealing with employees of corporates, that is limited companies, LLPs, partnerships in Scotland and government departments, the rules for telephone and direct mail are the same, opt-out.
However when emailing or texting, you do not need the prior consent/opt-in from the individual. You can therefore send them a marketing email/text as long as you provide an easy way to opt-out of future communications from you.
For any B2B marketing communications, regardless of channel, the content must be about products and/or services that are relevant to the recipients’ job role.
This situation will not change under GDPR. These rules for email and text messages come under the Privacy & Electronic Communications Regulations (PECR) and this will not be affected by the implementation of GDPR. There will be other obligations under GDPR when collecting personal data that will apply, for example enhanced information requirements, the clear recording of consent and improved privacy policies.
What is important to remember when emailing or texting corporate employees is that where personal data is used for marketing, for example a work email address, they have the right under the Data Protection Act to prevent their personal data being processed for direct marketing, which is why you must provide a way to opt out of future communications.
What Should I do to Ensure my Law Firm is GDPR Compliant?
The controller must review and document their entire process, recording how data is handled by both controller and processor.
The first step is to conduct an impact assessment to identify the data you hold and the type of data necessary to operate the business. You will need to look at how the data is stored, consent procedures with clients, and how you can give clients access to their own data. As data controller, you will identify external data processors, and it is your responsibility to ensure they are GDPR compliant, but note that both controller and processor are jointly and severally liable for any fines. It is important businesses can show at any time to a supervising authority that they have properly assessed how personal data is handled, are aware of their obligations under GDPR, and have taken the necessary steps to remain compliant.
There is also an obligation on controllers to ensure that their contracts with processors comply with the GDPR. A full audit should be undertaken to review policies and contracts in advance of GDPR to include data protection policies. You should consider GDPR in all new projects or product developments, and train staff at all levels to ensure they are aware of data protection issues.
The controller must allow data subjects the rights of access, rectification, erasure and the right to object, free of charge. A controller must, within one month, provide a data subject with any requested information it holds in relation to that data subject. The information must be provided clearly and separately from other information. Where the controller has received a large number of requests, or a request is onerous or complex, the time limit can be extended by a maximum of two further months. The controller may charge a reasonable fee for repetitive or excessive requests, or for further copies of data, but in most cases no charge is allowable. The data subject has, in certain circumstances, a right to object to the processing of their personal data; this right must be brought to their attention at the time of the first response to them.
The controller must also notify the supervisory authority of a data breach within 72 hours of becoming aware of it. Where the breach is likely to pose a high risk to the data subject, notification should be made 'without undue delay.'
We recommend you instruct specialist advice well in advance to ensure you are on track, and instruct a Data Protection Officer, where necessary.
Do I need to Hire a Specialist?
Organisations processing data on a large scale or as a systematic part of their activity, or whose core activities involve the processing of sensitive data, will be required to appoint a Data Protection Officer (DPO) under GDPR. Public authorities and bodies must also appoint a DPO. The DPO is responsible for personal data compliance, will have extensive knowledge of data privacy laws and standards, and will act as a liaison between the controller/processor and the supervisory authority.
Most law firms will not, therefore, be required to appoint a DPO. Nevertheless, it is good practice to appoint a person within your firm to take the lead on data protection compliance. The appointed person should: be aware of the compliance rules and keep abreast of any changes; hold responsibility for informing the relevant authorities of any breach or issues concerning personal data; be responsible for the renewal of any licenses as well as keep an audit of the internal use and handling of personal data; devise and enforce policies and procedures; and provide guidance to colleagues on data issues.
What is Moore Legal Technology Doing to Prepare for GDPR?
As well as a full audit and impact assessment, below are some of the steps we will be taking to ensure our clients are GDPR ready:
Our Agreement with our Clients
We are looking to modify the agreements we have with our clients to make explicit reference to GDPR and will use GDPR terminology when specifying roles and responsibility for our clients as data controller, and ourselves as data processor.
Infinity Call Tracking Service Agreement
We will endeavour to ensure our methods for processing personal data on behalf of our clients are GDPR compliant. Infinity Call Tracking, the call monitoring service currently used for the majority of our clients’ online strategies and platforms, is preparing itself for GDPR readiness and is fully aware of its obligations as a data processor under GDPR.
We use Google Analytics to track statistics of web traffic to and from your website. Within this, we do not collect any personal data such as IP Address or anything that can identify the data subject.
Website Forms
Privacy statements on client web forms will set out:
- Who is requesting the data;
- What the data will be used for;
- The legal basis of the processing and, where relevant, the legitimate interests for pursuing the data;
- Who will be receiving the personal data and whether or not the organisation intends to transfer the personal data internationally;
- How long the personal data will be stored;
- There will also be a statement explaining that the data subject has a right to access, rectify or erase the personal data, the right to portability of the data and the right to withdraw consent at any time; as well as the right to lodge a complaint.
In order to be GDPR compliant while still being able to keep form submission data for analytical purposes, the form data should be separated into two sections: form summary data (information about the form itself) and personal data (the contents entered by the data subject).
The contents of the form should be held for no longer than is reasonable and necessary. For example, for a client enquiry, it may be reasonable to hold the data for 60 days. The submission should therefore be anonymised after 60 days (i.e. the email address and other personal data removed), leaving only the summary data. There is no defined period in the legislation itself, which states only that personal data should be held for such time as is necessary for its purpose and reasonable. It is the data controller who decides what period of time is reasonable and necessary.
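The separation and anonymisation just described, as an added example rather than code from Moore Legal Technology: each submission is split at storage time into summary fields (kept for analytics) and personal fields (everything the data subject typed), a retention job deletes the personal part once the period has elapsed, and a lookup helper supports access and erasure requests for whatever is still held. The 60-day period is the text's example; which raw keys count as summary data is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RETENTION_SECONDS = 60 * 24 * 3600   # the text's 60-day example; the controller sets the real period
# Assumption: these keys describe the form, not the person. Everything else in a post is personal.
SUMMARY_KEYS = {"form_name", "page_url"}


@dataclass
class Submission:
    submission_id: str
    form_name: str                  # summary data, kept indefinitely for analytics
    page_url: str
    submitted_at: float             # epoch seconds
    personal: Dict[str, str] = field(default_factory=dict)   # removed after retention
    anonymised_at: Optional[float] = None


def split_submission(submission_id: str, raw: Dict[str, str], submitted_at: float) -> Submission:
    """Classify fields when the post is stored, so the retention job never has to guess
    which columns are personal. Unknown keys default to personal (fail closed)."""
    personal = {k: v for k, v in raw.items() if k not in SUMMARY_KEYS}
    return Submission(submission_id, raw.get("form_name", ""), raw.get("page_url", ""),
                      submitted_at, personal)


def anonymise_expired(store: List[Submission], now: float) -> int:
    """Retention job: delete (not mask) personal data older than the period; returns the count."""
    count = 0
    for sub in store:
        if sub.anonymised_at is None and now - sub.submitted_at >= RETENTION_SECONDS:
            sub.personal = {}          # a masked or hashed email is still linkable, so drop it outright
            sub.anonymised_at = now
            count += 1
    return count


def personal_data_for(store: List[Submission], email: str) -> List[Submission]:
    """Subject-access / erasure helper: every submission still holding this person's data."""
    email = email.strip().lower()
    return [s for s in store if s.personal.get("email", "").strip().lower() == email]


def summary_rows(store: List[Submission]) -> List[Dict[str, object]]:
    """What analytics is allowed to see: no personal fields, before or after anonymisation."""
    return [{"submission_id": s.submission_id, "form_name": s.form_name, "page_url": s.page_url,
             "submitted_at": s.submitted_at, "anonymised": s.anonymised_at is not None}
            for s in store]
```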
We will also be changing all relevant client web forms to include an opt-in function for email marketing.
We are making a full audit of all the personal data we hold for our clients, mapping what data should be deleted or anonymised, and are conducting an impact assessment on each area of our business to ensure we are fully compliant with GDPR.
We will be offering our clients a service whereby we will send emails to those we currently hold data on, requesting them to opt-in for future marketing emails. Those data subjects who do not opt-in will be deleted from our servers. We are conducting an impact assessment on our operations to ensure we are in every aspect fully GDPR ready as a data processor for our clients.
We will be appointing one of our team to take responsibility for data compliance so that in everything we do, we will be sure we are compliant with GDPR rules.
CRM & Demand Generation Software
For those clients for whom we run CRM and demand generation software, there are various slightly more onerous obligations, and we will be discussing those with the relevant clients separately.
Need more information?
If you are in doubt about any of your firm’s obligations under GDPR, it is advisable to seek advice from a specialist. There is also a GDPR helpline set up by the Information Commissioner's Office (ICO) for businesses looking for guidance on the matter. You can contact the helpline on 0303 123 1113, or +44 1625 545 745 for overseas enquiries.
The ICO website (https://ico.org.uk/) is also a great resource for information on GDPR and personal data compliance.
If you have any other queries on the above, how it will affect your firm or what we’ll be doing to help our clients, please do get in touch on 03333 442 722 and ask for Dawn Bell.