GDPR: Practical steps for Scottish law firms to prepare
From 25 May 2018, while Brexit negotiations are still ongoing, the EU General Data Protection Regulation (GDPR) will apply to every organisation that processes EU residents’ personally identifiable information, with fines of up to 4% of annual worldwide turnover for non-compliance. Since Scottish law firms deal with plenty of personally identifiable information, they’ll need to ensure they’re following the GDPR by this date.
This requirement isn’t likely to go away after the UK leaves the EU either. To trade with EU member states after Brexit, GDPR standards are likely to be a prerequisite. Therefore, it is unlikely that the UK will transpose this regulation any less rigorously.
How can your firm ensure compliance without losing time to administrative – and non-billable – work? Here are a few tips:
1. Know the rules
Make sure you’re familiar with the rules outlined in the GDPR. This overview of the regulation from the Information Commissioner's Office is a good place to start.
The Information Commissioner’s Office also has a "what’s new" page that is constantly updated with the latest guidance on the regulation from the Article 29 Working Party. Keep an eye on this page. There’s currently guidance on data portability, data protection officers, and lead supervisory authorities, but the working party is also expected to publish guidance on a number of other areas, including consent, transparency, and profiling.
2. Start early
May 2018 might still seem distant, but it’ll be here before you know it. If you don’t have measures in place to ensure transparency in how you use your clients’ personal data, you need to start planning now.
For example, can your clients access their personal data and confirm that it is being processed as agreed and with consent? Have you undertaken a data privacy impact assessment? Have you considered appointing a data protection officer? If not, start looking at systems and processes that will allow your firm to comply.
Which brings us to our final tip ...
3. Use tools
Ensuring compliance with the GDPR might seem daunting, but your firm doesn’t need to go it alone. There are plenty of tools available that can help your firm stay compliant without adding extra effort on your end.
Amiqus ID, recently added to the Law Society of Scotland’s members' benefits scheme, is a fast, secure, and reliable tool that helps you to complete anti-money laundering, identity and ongoing compliance checks. Better yet, the company has recently launched an integration with Clio, the world’s leading cloud-based legal practice management provider. Clio’s integration with Amiqus ID provides you with a compliance dashboard that already addresses the key areas that firms need to consider in preparation for the implementation of GDPR, with more features to be added for guidance as implementation progresses.
Amiqus ID compliance features include:
- explicit consent captured from both existing clients and prospective clients;
- data portability ensured through the possibility to export all of your clients from Clio to Amiqus ID, or from Amiqus ID to Clio;
- subject access requests repeatable for clients who wish to review their data;
- the right to erasure (right to be forgotten) can be implemented on client request.
With guidance and support from the market regulators, ongoing collaboration between products and a focus on the Scottish legal market, it seems certain that Scottish firms are well placed to remain both compliant and competitive in the evolving regulatory environment.