GDPR and solicitors

IsaacWunder

How/what are you doing to get your firm ready?

Are updated T&Cs enough?

4ensic15

IsaacWunder wrote: »

Are updated T&Cs enough?

No. Security of manual and computer files must comply with the requirements of the Regulation. A written policy must be in place. data processors to whom data is sent, particularly barristers, and expert witnesses, must also undertake to process data in accordance with the Regulation.

hullaballoo

Retention is a big issue for lawyers. If you have any reason to keep files for longer than you need them, for example for the purposes of drafting precendents, they must be anonymised.

Tbh, the regulations are insurmountable for lawyers, particularly sole-traderships (especially barristers) or very small practices.

The DPC is aware of this so I would imagine there will be a lot of smaller practices that go out of business as an indirect but obvious result of the regulation.

Fred Swanson

This post has been deleted.

CardinalJ

Fred Swanson wrote:

Do you really think so? That is not good.

I work for a large insurer, we find it hard. Small firms/traders dont have a chance.

hullaballoo

I think that particularly for lawyers it's going to be problematic and the smaller the practice, the fewer resources there will be to ensure compliance. So, yes, I think it will kill a lot of small practices because there's an obvious incentive to go after lawyers from the DPC's point of view - fines on law practices will increase funding on a short-term basis and is a way for the DPC to finance its own necessary expansion to tackle bigger processors.

Considering the regulation was obviously drafted over a lengthy period of time and will have considered many outcomes, it is undoubtedly blind to small businesses. The requirement for every data processor to have a data protection officer, as an example, is testament to that. As a one-man-band, it would be impossible to afford the overhead of appointing a data protection officer to ensure compliance but there it is, an absolute requirement of the GDPR.

There are no derogations available, so each and every processor is treated exactly the same. There's no administration of justice clause to enable lawyers etc. to overcome the strict obligations on the basis that we're processing the data for a greater good.

I think overall that the GDPR misses the target in a big way and we'll see a lot of litigation about it. Even though the actual parameters of the regime are similar to the current one, the obligations and penalties are onerous enough that this is now a matter worth considering for action.

Dandelion6

hullaballoo wrote: »

The requirement for every data processor to have a data protection officer, as an example, is testament to that.

There is no such requirement.

liamo

hullaballoo wrote: »

I think that particularly for lawyers it's going to be problematic and the smaller the practice, the fewer resources there will be to ensure compliance.

This is the case for any organisation that processes personal data.

there's an obvious incentive to go after lawyers from the DPC's point of view - fines on law practices will increase funding on a short-term basis and is a way for the DPC to finance its own necessary expansion to tackle bigger processors

There is no obvious incentive to target lawyers. Nor is there any reason to believe that fines will not be applied in an objective manner to any organisation that breaches the GDPR.

However, there is a regulatory obligation on the government to provide sufficient funding to the DPC for their operations.

Article 52.4
4. Each Member State shall ensure that each supervisory authority is provided with the human, technical and financial resources, premises and infrastructure necessary for the effective performance of its tasks and exercise of its powers, including those to be carried out in the context of mutual assistance, cooperation and participation in the Board.

Indeed, their funding has increased by €4m for 2018 and is now at €11.7m

Also, administrative fines by the DPC are returned to the exchequer so there is no selfish incentive to impose fines.

The requirement for every data processor to have a data protection officer, as an example, is testament to that.
As a one-man-band, it would be impossible to afford the overhead of appointing a data protection officer to ensure compliance but there it is, an absolute requirement of the GDPR.

As already pointed out by a previous poster, there is no such requirement.

There's no administration of justice clause to enable lawyers etc. to overcome the strict obligations on the basis that we're processing the data for a greater good.

Nor should there be.

I think overall that the GDPR misses the target in a big way and we'll see a lot of litigation about it.

Frankly, I think GDPR has hit the target spot on.
I do, however, agree that we'll see a lot of litigation. There are a lot of questions that need to be answered and areas of vagueness that need clarity. These will be addressed by case law.

Even though the actual parameters of the regime are similar to the current one, the obligations and penalties are onerous enough that this is now a matter worth considering for action.

You are correct. The GDPR is not entirely dissimilar to existing DP law. That being the case, if you are compliant with current law the effort required to comply with the GDPR should not be overly burdensome. However, if you're starting from scratch that's a different matter.

As for "action", how about considering compliance? It's not like this has been foisted on organisations with no notice of any kind. It's been two years since it was adopted and it was being prepared for four years prior to that. No-one can say that they didn't see it coming or that they weren't given an opportunity to prepare for it.

Claw Hammer

Around courthouses every day, there are lawyers carrying papers. Even in the restaurants in the 4 courts there are papers sitting on tables as well as in corridors outside of court rooms. If a set of papers is lost, everyone named in the papers must be contacted. That includes every witness, provider of expert reports, barristers whose name appears on the papers and the parties to the case. It will be a major culture shock. Look into the Law Library in the 4 courts and see the mounds of papers piled up on tables, abandoned while their custodian is making a fortune settling a case in the round room. AHow can that carry on continue?

nuac

The Law Library is confined to barristers, bar-rooms at other courthouses are confined to solicitors and barristers.

Elsewhere there is a convention that lawyers do not look at other lawyers files

Claw Hammer

nuac wrote: »

The Law Library is confined to barristers, bar-rooms at other courthouses are confined to solicitors and barristers.

Elsewhere there is a convention that lawyers do not look at other lawyers files

That is not going to be sufficient for GDPR. The Regulation is hard law. gentlemany conventions are not going to cut it. What about lost papers? I saw a full lever arch folder left on a chair in the 4 courts, abandoned after a case was settled. Frequently there are papers left in courtrooms over lunch.

Vetch

hullaballoo wrote: »

I think that particularly for lawyers it's going to be problematic and the smaller the practice, the fewer resources there will be to ensure compliance. So, yes, I think it will kill a lot of small practices because there's an obvious incentive to go after lawyers from the DPC's point of view - fines on law practices will increase funding on a short-term basis and is a way for the DPC to finance its own necessary expansion to tackle bigger processors.

Considering the regulation was obviously drafted over a lengthy period of time and will have considered many outcomes, it is undoubtedly blind to small businesses. The requirement for every data processor to have a data protection officer, as an example, is testament to that. As a one-man-band, it would be impossible to afford the overhead of appointing a data protection officer to ensure compliance but there it is, an absolute requirement of the GDPR.

There are no derogations available, so each and every processor is treated exactly the same. There's no administration of justice clause to enable lawyers etc. to overcome the strict obligations on the basis that we're processing the data for a greater good.

I think overall that the GDPR misses the target in a big way and we'll see a lot of litigation about it. Even though the actual parameters of the regime are similar to the current one, the obligations and penalties are onerous enough that this is now a matter worth considering for action.

There are derogations. All organisations don't need a formally appointed DPO as another poster has mentioned. There are exemptions from record-keeping under Article 30 for organisations with fewer than 250 employees, depending on what records they keep.

Recital 13 also 'encourages' supervisory authorities to 'take account' of smaller organisations.

4ensic15

nuac wrote: »

The Law Library is confined to barristers, bar-rooms at other courthouses are confined to solicitors and barristers.

Elsewhere there is a convention that lawyers do not look at other lawyers files

There are many people other than barristers in the Law Library. There are receptionists, porters, cleaners, tradesmen and visitors.