The last piece of substantive legislation to address the issue of data protection dates back to 1998. Sixteen years on, data processing technology has advanced at a record pace and current legislation is no longer fit for purpose. The sheer volume of data held by organisations, coupled with the international nature of our individual online activities, means our data is everywhere and potentially accessible to anyone who has the right tools.
A data loss incident can happen at any time and is never convenient. Whether the cause is internal action or external attack, law firms need to ascertain what they can do proactively to mitigate the risk of data loss. If such an event does occur, proven and tested processes need to be in place for the firm to deal with the issue alongside its day-to-day operations.
If a law firm is unable to demonstrate that it has taken all reasonable steps to protect its systems, not only will it be breaching regulatory obligations, but reputations will also be at risk.
There is a clear challenge facing the implementation of any new piece of legislation relating to the protection and security of data, however. This must reflect the reality of the way we use technology to process and use data now, while also attempting to be rather more ‘future-proof’ than its predecessor, taking into account the potential for new technologies and new trends, both in data usage and also, significantly, in cyberthreats, which are an inevitability rather than a possibility.
The proposed General Data Protection Regulation (GDPR) currently being negotiated in the EU seeks to address this issue by providing harmonised and robust provisions across all 28 member states, including fines that are high enough to deter even the largest companies from non-compliance. It acknowledges that misuse or loss of personal data can have a devastating effect on individuals and, as such, the organisations who process such data should be held accountable.
The GDPR is currently in draft form and only part-way through the legislative process. It is hoped, however, that by the end of 2014 we will see an agreed form which can be implemented two years later.
The GDPR will bring some fundamental changes to the way that businesses must handle and protect the data they process. For law firms taking proactive steps in light of current and future cyberthreats, some of the most significant changes will be that:
- The regulation will apply not only to all organisations established in the EU, as under existing legislation, but also to those outside the EU offering goods or services to EU citizens, or monitoring their behaviour. This significantly widens the net as to who may be caught by the GDPR, and therefore who must comply with its provisions. This will clearly be significant if your firm has offices overseas.
- There will be increased administrative burdens in relation to the documenting of processing activities, and also the carrying out of thorough privacy impact assessments in relation to certain types of processing, to assess the associated risks and potential vulnerabilities posed by a cyberattack.
- The current draft includes fines of up to 5% of annual group-wide revenue, or €100m (£82m), whichever sum is greatest, for serious breaches of the legislation. This is in stark contrast to the current maximum fines in the UK, which stand at £500,000.
- The national supervisory authority must be notified of all data breaches (irrespective of severity) without undue delay. The suggested time frame for this in the latest draft of the regulation is 72 hours.
Organisations may also be required to inform individuals without undue delay about data breaches that could adversely affect them. The current draft of the regulation provides that, where measures such as encryption have been applied to the data in question, notifying individuals may be unnecessary.
While it is hard to quantify the damage to reputation stemming from a data loss, the new reporting requirements of the GDPR (not to mention the hugely increased fines) may act as a signifier to the markets regarding the general care and competence of a business.
This will vary depending on the industry in which a business operates. In the case of law firms, this will be of particular significance due to the highly sensitive nature of the data held, and also the importance of the maintenance of confidentiality and legal professional privilege.
While the implementation of the GDPR may seem a long way off, implementing the appropriate measures to ensure compliance will not be a straightforward task for the majority of law firms. It is likely to involve some significant investment, both in time and resources.
Understanding the way the data protection legislation landscape is developing is crucial and law firms must not underestimate the value of pre-emptive preparation, particularly in the context of cyberthreats and data loss.
Jennie Sumpster is a senior associate at Schillings