Implementation of the GDPR at a legal office

This article covers the following topics:

• Which data processed by a law firm is covered by GDPR
• What are the duties of a legal office as a data controller
• Handling GDPR in a law firm with a workflow system

Since the General Data Protection Regulation (GDPA) entered into force in 2018, institutions that process private individuals’ data were obliged to implement new rules for documenting processes as well as handle additional rights of data subjects. The injunction has not bypassed law firms, which also must protect data of their clients and associates. Some of the companies initially kept the necessary documentation in spreadsheets. However, such solutions quickly turn out to be sub-optimal and non-scalable. Therefore, it is better to carry out the implementation of the GDPR in a law firm using an appropriate tool e.g. a workflow system.

What data is processed in a legal office?

There are many areas of law firm’s activities related to data processing, which are covered by the GDPR. These can be: legal assistance, HR services for the employees, recruitment of candidates for jobs and internships, handling office supplies, ordering services, bookkeeping or marketing activities (e. g. sending out newsletters).

Data processed by legal advisers and lawyers can be divided into two categories:

• Data processed for the purpose of providing legal aid
• Data processed in connection with the operations of a law firm

The data of law firm’s client typically are: name and surname, contact details, role in judicial or administrative proceedings, data related to property status, potentially also information about previous conflicts with the law. The data of the office’s employee include: name and surname, address of residence, id number, professional experience, education, salary, bank account number. Then the supplier’s details are: name and surname, type of business activity, contact details.

Other examples of data which can be processed by law firm are:

• Data of current clients kept to provide legal assistance
• Data of current customers for financial settlements, e.g. for invoicing
• Data of current and former clients necessary for identification
• Customer data for marketing purposes
• Potential customer data – to the extent necessary for business planning and market research
• Suppliers’ details
• Service providers’ data
• Trainees’ details
• Job candidates’ details
• Employee details
• Contractors’ details

Legal office employees need to be very careful while processing personal data concerning convictions and violations of law. According to Article 10:

Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.

In case of failure to maintain adequate protection of personal data or failure to fulfil the obligations imposed, the law firm may be subject to high penalties.

Duties of the law firm as a data controller

Article 24 of the GDPR states the need to implement appropriate technical and organizational measures to ensure that the processing of personal data protects the rights and freedoms of data subjects. At the same time the legal office has to be able to demonstrate compliance with all the provisions of the regulation. Those include:

1. Information obligation
2. Obligations related to the exercise of the rights of the data subjects
3. Obligations related to entrusting data processing
4. Obligations related to data processing at the request of the data controller
5. Registration of processing activities
6. Technical and organizational security of personal data
7. Obligations related to the detected breaches of data protection
8. Conducting data protection impact assessment

1. Information obligation

The data controller must provide information on the processing of personal data indicated by the controller to both:

• persons from whom it collects data directly (customers, customer representatives, employees or suppliers conducting sole proprietorship) and
• persons who came into possession of data indirectly (e. g. witnesses, suppliers’; employees).

2. Obligations related to the exercise of the rights of the data subjects

In accordance with Article 15 of the GDPR a law firm is obliged to provide data subjects with:

• the right of access to the data (here there are limitations resulting from the need to process the data not only of their clients, but also third parties’ data (e. g. the perpetrators of a crime or the opposing party; disclosure of this data would violate the right of customers to protect their interests),
• the right to rectification,
• the right to erasure (there are exceptions e.g. if the data is necessary to defend the controller’s claims, the controller may benefit from an exemption),
• the right to restrict the processing,
• the right to data portability
• the right to object [having one’s data processed] (there is a possibility of exemption when important public interest objectives are at stake or to protect the independence of the courts).

3. Obligations related to entrusting data processing

An example of entrusting the processing of personal data is outsourcing of human resources or accounting. In such a case, the controller must verify the processor and conclude a contract with them.

4. Obligations related to data processing at the request of the data controller

The law firm is obliged to grant appropriate authorizations to persons processing personal data, of which it is the administrator. It is also important to ensure control of access to data, both in paper and electronic form. Only the information necessary for the execution of work should be available to the requester.

5. Registration of processing activities

The controller is obliged to keep a register of data processing activities. The register shall contain information such as: contact details of the controller, co-controllers, the data protection officer, a list of processing activities e.g. purposes of the processing, a description of the categories of data subjects, the categories of recipients, a description of the technical data security measures. It is also necessary to keep a register of categories of processing activities if a law firm processes data entrusted to it by other administrators.

6. Technical and organizational security of personal data

The data controller in the office is obliged to implement and apply security measures (technical and organizational) to ensure personal data protection. The measures should be introduced according to ISO/EIC 29100 series standards.

7. Obligations related to the detected breaches of data protection

A law firm is obliged to have procedures for detecting personal data protection violations introduced as well as the procedures for reporting and handling breaches (including informing the data subjects).

8. Conducting data protection impact assessment

If the type of processing used in a law firm, due to its nature, scope, context and objectives, is likely to cause a high risk of infringing the rights or freedoms of natural persons (in particular in the case of using new technologies), the administrator shall assess the effects of planned processing operations before starting the processing e.g. in the case of large law firms dealing with large scale operations, serving a big number of clients.

Implementation of the GDPR in the law firm with the Neula workflow system

What is a workflow system?

The workflow system is a software that is used to organize processes in the company and to support group work in the organization. It allows to define the roles that individual people play in the process, e.g. in the document processing. It also structures the information in documents and how the communication flows between the people involved.

GDPR components

The implementation of the GDPR in a law firm requires a properly configured tool. There are 9 components in Neula solution that allow achieving compliance with GDPR in a legal office:

• Handling of requests
• Handling of consent register
• Handling of the register of personal data breach incidents
• Handling of the register of processing activities and the register of categories of processing activities
• Handling of the register of data transferred outside the organization
• DPIA
• Handling of authorizations to process personal data
• Management of entrustment agreements
• Risk analysis related to personal data protection

Each of the components is prepared based on knowledge of lawyers and consultants, who successfully implemented GDPR in many organizations themselves and can be adapted to the needs of a client. The standard set of tools can also be extended to include data retention module which is supported by SAS Institute – a leader in the global data processing market.

Adaptation to the requirements of the GDPR in a legal office may seem a difficult, but thanks to the use of an appropriate tool it can be done easily and without complications. Neula is a complex solution which gives savings in virtually every dimension of GDPR application, thanks to quick access to data, ready-made templates and shortened decision paths.

Additionally, it facilitates the generation of necessary reports and authorizations for employees. Also, it effectively minimizes the risk of penalties being imposed by the supervisory authority.