HessConnect: GDPR Compliance for Law Firms

What You Must Know About GDPR If Your Law Firm Does Business With EU/UK Residents

What is GDPR and Does It Apply to My Business? 

GDPR stands for “The General Data Protection Regulation”, a privacy law from the European Union that goes into effect May 25, 2018. Even though it’s a European Union law, any business conducting online engagement with EU/UK residents needs to be paying attention, because the GDPR will mean major changes for the way you operate.

  • It will affect your law practice if you are engaged in any of the following activities, either directly or indirectly (through your marketing point person, department, or agency).
  • The GDPR applies to the processing of personal data.
  • Processing includes “doing anything with data”. You should assume it covers everything you do with all of the data you collect from individuals, from collection to deletion (and at every point in between).
  • It only applies to personal data, which is anything that is associated with, or related to, someone who is identified or whom you can identify.
  • Identifying data includes names, email addresses, and physical addresses, and most people agree it also includes IP addresses and other information collected automatically (usually by Google Analytics).
  • It also includes any type of processing of information that you add to your contact database. This could be information that you collect automatically, through an opt-in or any other collection method, or through tagging or segmenting in your CRM database. These activities are included because you are effectively “monitoring” what people are doing.

The GDPR will apply to…

  • The GDPR will apply to any relationship or transaction (commercial or free) where one or more of the parties is in the EU. It is not based on citizenship; it is based on where they are when you are interacting with them.
  • If you are a law firm based in the European Union conducting any online engagement or outreach, you must comply with the GDPR across your entire business. This means that if you are collecting data from someone in the US, you still have to comply.
  • If you are a law firm based outside of the EU, you must comply with the GDPR when you are interacting with or collecting online data from people in the EU.
  • A non-EU entrepreneur has to comply when processing the personal data of people in the EU, but ONLY if the processing is related to:
    Offering products or services to people in the EU (paid AND free) – that means an opt-in of any type counts.
    Monitoring the behavior of people in the EU (as mentioned earlier).

What is Required Under GDPR? 

  • Strict Privacy by Default: Strict privacy settings should be the default setting. A user shouldn’t have to go into their settings and make manual changes to opt into stricter settings.
  • More specifically, for consent to meet GDPR standards, it must:
    Contain a clear statement of consent, using plain language that’s easy to understand (no legalese).
    Require a positive opt-in (i.e., no pre-ticked boxes, silence, or inaction).
    Be separate from any other terms and conditions.
    Explain why the entity wants the data and what it will do with the data.
    Name any third-party controllers that will rely on the consent.
    Explain how the data subject may withdraw consent.
    Avoid making consent a precondition of service.
  • Explicit Consent: If you’re collecting personal data from an EU resident, you must obtain explicit consent, which generally means that consent should be:
    Voluntary. Have the user take affirmative action.
    Specific and informed. Make sure people are aware of what you’re collecting, how it’s being used, and whom it may be shared with.
    Unambiguous. Don’t disguise consent behind redirects to terms of service overflowing with legal jargon.
  • Rights to Data: Under GDPR, individuals have greater control over how their personal information is collected, stored, and used. Individuals have a right to access their data, which means the right to know where, why, and how their data is processed. This includes the right to request a report in order to access their data. Additionally, individuals have a right to be forgotten, which means their data can be deleted.
  • Breach Notification: Organizations have a duty to report certain types of data breaches to the relevant supervisory authority within 72 hours, unless the breach is harmless and poses no risk to the individual. If a breach is concluded to be high risk, the company must also inform the individuals impacted.

Still have questions, concerns, or want to discuss how to update your online outreach policies and strategies?

Reach out to me directly: viveca@hessconnect.com or GET YOUR GDPR LAW FIRM eGUIDE including the main points that will give you a clear overview and understanding so you can begin to make any necessary updates!
