GDPR-EU General Data Protection Regulation

With the deadline for compliance just around the corner, everyone is discussing the data privacy requirements of the European Union's General Data Protection Regulation (GDPR). For legal professionals worldwide, understanding the difference between data security and data privacy is critical to protecting client information, complying with regulations such as the GDPR, and cultivating global trust.

What do you need to know, and what should you do to ensure that you're not inadvertently sharing sensitive information?

Differentiating Data Security and Data Privacy

Trust is essential to legal representation. Legal professionals therefore must protect their reputation and their trustworthiness from careless errors. Globally speaking, this demands a heightened appreciation for both data security and data privacy. Security and privacy are related, but not interchangeable, concepts.

Data security ensures that data is not accessed by unauthorized individuals; data security measures are generally designed to protect data from hacking. Security also encompasses minimizing collection of personal data in the first place and destroying data after its purpose has been satisfied. After all, data that a company no longer has or never had cannot be subject to security breaches.

Data privacy, on the other hand, refers to the acceptable uses of data. Data privacy means that data is used only within the scope of its original purpose. For instance, personal data collected by your doctor to monitor your personal health should not then be used to sell you prescriptions or fitness equipment without your agreement. Note that data that is not secure is necessarily not private, as its use cannot be controlled, but keeping data secure does not guarantee that its privacy is adequately protected.

A law firm could quite easily have excellent data security measures and still run seriously afoul of the GDPR. How? By failing to respect its data privacy provisions.

The GDPR's Data Privacy Mandates

The GDPR goes into effect on May 25, 2018, replacing the 1995 Data Protection Directive. The GDPR was designed to standardize the hodgepodge of European data privacy laws, protect individuals' data privacy rights, and “reshape the way organizations … approach data privacy.”

The GDPR protects not just residents of the 28 EU member nations but also residents of Iceland, Liechtenstein, and Norway, non-EU nations that are members of the European Economic Area (EEA). At least until Brexit is finalized, the United Kingdom is also subject to the GDPR. Even after Brexit, so long as the U.K. remains in the EEA, it will stay under the umbrella of the GDPR.

Under the GDPR, businesses worldwide must limit their possession and use of covered individuals' personal data, keep their data secure, and give full control and ownership of that data to the individual. Individuals have the right to correct their data, to be “forgotten” or have their data deleted from a company's records, and to access their data on demand. Additionally, businesses must justify their possession of personal data, generally by obtaining the individual's consent.

Who is subject to the regulation? Any business that collects, processes, or handles personal data from protected data subjects or that provides goods or services to those individuals must comply with the GDPR. Note that all of these terms are defined broadly. Processing encompasses not just using or disclosing data but also merely storing it, even securely. Personal data is also wide-ranging, covering obvious identifiers like name, birthdate, and address and extending to any information that could be used to identify an individual, such as computer IP addresses or demographic information.

Violations of the GDPR can result in staggering penalties: fines may be as high as 4 percent of annual global corporate turnover or 20 million euros, whichever is greater.

How to Protect Your Work

How can global law firms protect their clients, respect data privacy, and maintain trust?

First, they can recognize the need to approach data privacy as an individual right deserving of protection. As part of this, companies should rethink their definition of personal data to align with the GDPR's definition of any information that could be linked back to an individual. Companies can anticipate that the GDPR's standards are likely to spread, becoming the new accepted approach to data privacy and ownership, so making this adjustment now should pay off.

Law firms should be sure to obtain either a valid justification or active consent, using clear and plain language, before collecting any personal data. Organizations must establish mechanisms through which individuals can access their data, make corrections, request the deletion of data, or transfer data elsewhere. Additionally, firms must have clear protocols for detecting breaches and for notifying the authorities promptly in the event of any data breach.

One key component to protecting data privacy is rigorously monitoring and cleaning metadata. Metadata—data about data—can include document comments, tracked changes, and document properties and may reveal personal information such as an author's name. Metadata also establishes an information chain: where data came from, who captured it, and where it went. While it's relatively straightforward to remove metadata from Microsoft Word files, other file types can present greater challenges, necessitating the use of specialized software.

Documents and files should never be circulated or shared without considering what may be disclosed inadvertently in metadata, and of course email addresses should be carefully checked to ensure that information is sent only to authorized recipients.
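The metadata check described above can be automated for Office Open XML files before anything leaves the firm. The following is an added example, not code from the original article or from Litera: it opens a .docx package (a zip archive), reports the core document properties that carry personal data (author, last modified by, description, keywords), lists the authors named in tracked changes, and flags whether a comments part is present. The scrub step blanks the core properties, which is safe to do in place; comments and tracked changes are only reported, because removing them cleanly requires rewriting the document body and its relationships, which is exactly why the article points to specialised software for that. The sample document is constructed inline for the demonstration; no real client file is read.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used inside an Office Open XML (.docx) package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
ET.register_namespace("w", W_NS)

# Core-property elements that commonly reveal a person or an internal detail.
PERSONAL_FIELDS = ["dc:creator", "cp:lastModifiedBy", "dc:description", "cp:keywords"]
# Package parts that hold reviewer comments.
COMMENT_PARTS = {"word/comments.xml", "word/commentsExtended.xml"}


def _qualify(tag):
    prefix, local = tag.split(":")
    return "{%s}%s" % (NS[prefix], local)


def inspect_metadata(docx_bytes):
    """Report personal core properties, tracked-change authors and comment parts."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(zf.read("docProps/core.xml"))
            for tag in PERSONAL_FIELDS:
                el = root.find(_qualify(tag))
                if el is not None and (el.text or "").strip():
                    found[tag] = el.text.strip()
        authors = []
        if "word/document.xml" in names:
            body = ET.fromstring(zf.read("word/document.xml"))
            # w:ins / w:del are tracked insertions and deletions; each names its author.
            for el in body.iter():
                if el.tag in ("{%s}ins" % W_NS, "{%s}del" % W_NS):
                    author = el.get("{%s}author" % W_NS)
                    if author and author not in authors:
                        authors.append(author)
        found["tracked_change_authors"] = authors
        found["has_comments"] = bool(names & COMMENT_PARTS)
    return found


def scrub_metadata(docx_bytes):
    """Return a copy of the package with the personal core properties blanked.

    Comments and tracked changes are left untouched: they are referenced from the
    document body and its relationships, so they must be accepted/removed in the
    editor (or by a dedicated tool) rather than deleted here.
    """
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for tag in PERSONAL_FIELDS:
                    el = root.find(_qualify(tag))
                    if el is not None:
                        el.text = ""
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(item.filename, data)
    return out.getvalue()


def build_sample_docx():
    """Constructed minimal .docx-like package for the demonstration (not a real file)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" xmlns:xsi="%s">'
        "<dc:title>Engagement letter</dc:title>"
        "<dc:creator>Jane Example</dc:creator>"
        "<cp:lastModifiedBy>Partner Example</cp:lastModifiedBy>"
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2018-05-01T10:00:00Z</dcterms:modified>'
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], NS["dcterms"], NS["xsi"])
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>Draft</w:t></w:r>'
        '<w:ins w:id="1" w:author="Jane Example"><w:r><w:t> v2</w:t></w:r></w:ins>'
        "</w:p></w:body></w:document>"
    ) % W_NS
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/comments.xml", '<?xml version="1.0"?><w:comments xmlns:w="%s"/>' % W_NS)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", inspect_metadata(sample))
    print("after: ", inspect_metadata(scrub_metadata(sample)))
```

Run against a real file by replacing `build_sample_docx()` with the bytes of the document; anything still listed under `tracked_change_authors` or `has_comments` after scrubbing is a reminder that the document body itself still carries reviewer names and must be cleaned in the editor or with a dedicated metadata tool before it is sent.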

Law firms that respond appropriately to today's data security and data privacy challenges, including the GDPR's mandates, will earn global trust and accompanying business. Firms that can't, or choose not to, stand to lose out in today's increasingly small world. It takes only a single slip to destroy a reputation.

Paul Domnick is President of Litera Microsystems, having been President of Litéra Corp from 2014 to 2017. He brings unique insight into the utility of Litera Microsystems' risk management solutions, having previously been CIO of Freshfields Bruckhaus Deringer for five years. There he was responsible for a global team of more than 300, covering all areas of IT and IS, such as change management, information security, infrastructure operations and help-desk support, technical architecture, vendor management, application support, and program and project delivery.