What does GDPR mean for your Law Practice/Firm Website?

What is GDPR?

The General Data Protection Regulation, “the toughest privacy and security law in the world, was drafted and passed by the Europe Union and was put into effect on May 25, 2018.” “GDPR obligates and organizations all over the world if they are targeting or collecting data related to people in EU. If someone violates its privacy and security, the GDPR will charge them heavy fines and it can be up to tens of millions of Euros.” 

Ways in which GDPR will impact Law firms and Lawyers 

• Permission Marketing- In case of permission marketing consent will play a major role. You will need to have consent before adding anyone to your database or email list. There must be a positive opt-in – “consent cannot be inferred from silence, pre-ticked boxes or inactivity.” 

• Newsletter and Email Marketing- Personal data in GDPR consists of an individual’s email address, phone numbers, etc. Clients will need to make a clear choice to be regularly contacted with email or any other source, law firms cannot put anyone monthly mailing list. The GDPR also clarifies that pre-ticked opt boxes cannot be considered as one’s consent. The burden will be on law firms or lawyers to prove that they have opted mailing or newsletter option.
• Marketing Automation- As we all know, marketing automation is called the second brain of your business. Law firms and Lawyers need to be more careful as if any kind of email has been sent to any customer or client who has not opted or has subscribed for the same, GDPR can charge a heavy fine. 

• Access to Data- Under GDPR guidelines, now the customers and clients will have the right to know all the processing and purpose of where the data is being used. It becomes mandatory for the law firms and lawyers to provide copy of all the information if requested and that too is free of charge. GDPR will strengthen individual’s rights that already lie under DPA. Now, law firms also need to ensure that they provide individual rights including the right to be forgotten, the right of data portability and right to access data. 

• Focused Data- The legal marketers and law firms or lawyers will now require to justify the personal data they have been collecting for ex., birthday date or phone number and every detail they are collecting in order to complete the transaction or login procedure. Most of the legal marketers ask for where the client works, who they work with, interests so that they can raise their pitch and maximize the opportunities for promotions.

GDPR can be tough on lawyers and law firms but one thing one can do is to minimize the personal data collection and provide them the offer to opt-in the subjects they want to receive updates on. As rightly said, giving choice always wins and a right management can help here. 

• Notification of Breach and other Security measures- If a law firm’s records are breached then the organization needs to inform or notify the clients impacted if the data is of a personal nature. 

As said in the guidelines of GDPR- “Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours and to affected individuals without undue delay.” 

The law firms and lawyers therefore need to implement the special measures and procedures in order to ensure the safety of personal data of clients and meet all the requirements of GDPR. In coming days, GDPR will make law firms and lawyers with website to launch their own data security policies. In today’s business era, breaches are a fact of a life and therefore all the organizations need to boost their cyber security system from both GDPR and a risk management standpoint. 

In India, The Data Protection Bill, 2019 has been introduced in the Parliament. The Bill regulates and obligates organizations in India and foreign companies that are dealing with the personal data of citizens of India. 

According to the Bill, Personal data is data which pertains to characteristics, traits or attributes of identity, which can be used to identify an individual.  The Bill categorises certain personal data as sensitive personal data.  This includes financial data, biometric data, caste, religious or political beliefs, or any other category of data specified by the government, in consultation with the Authority and the concerned sectoral regulator. 

Under PDP Bill, even though the data can be transferred outside but appropriate safeguards need to be laid down by law firms and other organizations. The Bill also provides the launch of Data Protection Authority which shall work as a cross sector regulatory and shall be responsible for implementation of PDP Bill.  The penalties for convention of provisions in case of PDP Bill might reach up to INR 50 million to INR 150 million and can also have criminal penalties like imprisonment up to 3 years or fine up to INR 200,000. 

Conclusion

It’s safe to say that now with the GDPR and revised design of Indian PDP Bill 2019 can enable more specific framework and that the data protection is no longer the responsibility of IT. It has now become very important to have a pragmatic approach towards data protection in order to ensure one’s privacy even at societal end. These reforms will strengthen the states. Hence, the protection of personal data should now be embedded in one’s law firm processes. 

REFERENCES- 

1. http://www.eugdpr.org/gdpr-faqs.html 
2. https://www.privacysecurityacademy.com/wp-content/uploads/2020/05/Comparison-Chart-GDPR-vs.-India-PDPB-2019-Jan.-16-2020.pdf 
3. https://ec.europa.eu/info/law/law-topic/data-protection_en 
4. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/