Even if your law firm is based in the United States, you could be subject to the UK’s Data Protection Act (DPA) and the EU’s General Data Protection Regulation (GDPR).
Any organization that uses data capture solutions to log and store client data from the UK or the EU should comply with these regulations. Otherwise, they risk facing immense fines.
Unfortunately, not many U.S. organizations are taking these regulations as seriously as they should. For example, according to one survey, 84% of American businesses don’t understand how the GDPR affects them.
Here’s what you need to know about the DPA and the GDPR, and how they apply to you.
The General Data Protection Regulation
The GDPR was implemented on May 25th, 2018. It covers all individuals within the European Union (EU) and within the European Economic Area.
It also applies to the exportation of personal data outside the EU. In other words, if your law firm obtains the personal data of an EU citizen, you are subject to this regulation.
The GDPR provides specific rights to individuals regarding their data:
- The right to be informed
- The right of access
- The right of rectification (to have inaccurate data corrected)
- The right to erasure (to have their personal data erased from an organization's data estate)
- The right to restrict data processing
- The right to data portability (obtaining and reusing one’s personal data across services)
- The right to object (to stop one’s data from being used for direct marketing)
- Rights regarding automated decision-making and profiling
You can find one of the most common forms of compliance with this regulation on many companies’ websites today. If you’ve done any browsing recently, you may have noticed banners popping up on websites asking you to accept their use of "cookies".
These organizations are complying with the GDPR by informing users of their data collection activities.
The Data Protection Act
The Data Protection Act is meant to protect the personal data of consumers wherever it is stored, such as on corporate computer systems or on other types of media, including paper documents. It was enacted in 1998 by the UK Parliament and superseded the Data Protection Act of 1984 and the Access to Personal Files Act of 1987.
The regulation was amended in 2003 and given an update in 2018 to give consumers more control over the electronic marketing messages they receive. It was also updated to synchronize UK data protection law with the EU’s GDPR.
Within this regulation and the GDPR, the term “personal data” refers to any information that relates to an identifiable living individual. This includes the individual’s name and location data, such as their physical address.
Generally, your best practice should be to treat any data inputted by a client as protected personal data under these and other regulations.
Organizations can be in violation of the DPA for a variety of reasons. Some of the most common include:
- Obtaining or disclosing personal data unlawfully
- Alteration of personal data to prevent disclosure to the data subject or to conceal the unlawful use of data
- Obstructing an official in their execution of a warrant
- Making a false statement to the Commissioner in response to an information notice
- Destruction or falsification of information and documents
U.S. Law Firms Should Comply with EU and UK Regulations
Violating either of these laws can result in serious fines. For example, under the GDPR, the EU can impose a fine of 4% of a company’s revenue for some violations.
It is in your best interest to assume that both regulations apply to your law firm. Even if you don’t currently have any overseas clients, U.S. lawmakers are eyeing them as a possible model for enacting similar regulations. Complying with these regulations now is a way of future-proofing your law firm.
The most sensible way to comply with these regulations is to rely on a professional back office provider (BPO) to bring your law firm up to date. With the help of BPO solutions, you can manage risk and adhere to these regulations quickly and easily.
One way to bring your law firm into compliance is by using DDC OS USA’s data security tool, RiskView. RiskView illuminates your data estate so you can identify at-risk resources, prevent breaches, and comply with data regulations. Request a RiskView demo today to get started.