A Guide to Implementing the General Data Protection Regulation (“GDPR”)

Step 1: Set up a GDPR Implementation Team

Step 2: Undertake a GDPR Gap Analysis

Step 3: Identify and Record the Flow of Personal Data into and out of the firm

Step 4: Update the Firm's Policies and Procedures

Step 5: Privacy by Design and Default

Introduction

Much has changed in the world of technology and the digital economy since the Data Protection Act 1998 was introduced into law in the UK. For example:

  • Social media platforms such as Facebook, Instagram, Twitter and LinkedIn did not exist.
  • Google was not the dominant search engine, in fact the Alphabet company had yet to form.
  • Online and mobile banking was not in use; in fact, fewer than 20% of us had mobile phones (1997 statistic).
  • Most electronic data were stored in a structured format (e.g. a database). Today, personal data is stored in a variety of unstructured formats (e.g. email, messages or photos).

What are the differences between DPA 1998 and GDPR?

Here are some key facts to bear in mind when comparing the General Data Protection Regulation with the existing Data Protection Act:

  • Core data protection principles remain unchanged
  • Enhanced definition of consent
  • Tightening on use of ‘Legitimate Interest’
  • Transparency is fundamental
  • New and expanded individual rights
  • Accountability is key
  • Data breach notification for Data Controllers and Data Processors
  • New responsibilities for Data Processors

The General Data Protection Regulation (“GDPR”) 2016/679 was approved by the European Parliament on 14 April 2016 and came into force on 25 May 2018 following a 2-year transition period. The GDPR replaced the EU Data Protection Directive 95/46/EC. The UK’s Data Protection Act 2018 received Royal Assent on 23 May 2018.

This guide provides a law firm with a practical five-step approach to implementing the GDPR:

  1. Set up a GDPR Working Group / Implementation Team
  2. Undertake a GDPR Gap Analysis
  3. Identify and Map the Flow of Personal Data into and out of the firm
  4. Update the Firm’s Data Protection Policies and Procedures
  5. Training and On-going Compliance

Step 1: Set up a GDPR Implementation Team

Article 5 (2) stipulates that the controller shall be responsible for, and be able to actively demonstrate compliance with, the personal data processing principles set out within the GDPR. The data controller (e.g. the law firm) must implement appropriate technical and organisational measures.

In order to demonstrate the accountability principle, the law firm should establish a GDPR implementation team who will be responsible for identifying the gaps in current data processing activities, mapping the flow of personal and/or special categories of data into and out of the firm, reviewing and updating technical and organisational policies and procedures, along with educating staff across the firm about the regulation and their responsibilities.

Who should be represented within the implementation team? 

Staff with responsibility for HR, Marketing, Practice Management, IT and Client Matters; the Compliance Officer for Legal Practice (COLP) / Compliance Officer for Finance and Administration (COFA); and the appointed Data Protection Officer (if mandated) / GDPR Lead.

Questions for the Implementation Team to Answer

Question 1

Are the partners/senior management fully aware of the firm’s obligations set out in the GDPR?

  • In particular, are they aware of the impact that non-compliance would have on the firm’s reputation and on trust amongst staff and clients?
  • Are senior staff fully aware of the rights and protections given to data subjects by the GDPR?

Raising awareness across the firm about the implications of GDPR is a key first step in a firm’s implementation plan.  The regulation should not be seen as a tick box exercise, but a process that will require on-going monitoring.

Question 2

Are meetings between senior staff held to discuss and assess data protection within the firm?

  • Are these meetings recorded?
  • How frequent are these meetings?
  • Are they separate meetings or are they held as part of meetings with a wider agenda?

The purpose of these meetings will be to review any personal data protection breaches that have been recorded in the breach register, review any data subject access requests that have been received, and discuss any new systems or practices that are to be introduced and that will have an impact on the processing of personal data within the firm.

Question 3

Does the firm need a Data Protection Officer under GDPR?

  • Has a DPO been appointed? Record details and update the ICO.
  • Are all staff aware of the DPO and their role?

Article 37 of the GDPR makes appointing a DPO mandatory if:

  • You are a public authority or body;
  • Your core activities require large scale, regular and systematic monitoring of activities (see definitions for examples).
  • Your core activities consist of large-scale processing of special categories of personal data (Article 9) or data relating to criminal convictions and offences (Article 10).

Where a law firm is mandated to appoint a DPO, it must take into consideration Article 38 of the Regulation, which sets out the position of the DPO within an organisation, namely that:

  • The law firm will ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
  • The law firm should provide the DPO with resources necessary to carry out his/her tasks and access to personal data and processing activities.
  • The law firm will not dismiss or penalise the DPO for performing his/her tasks.
  • The DPO will be bound by secrecy or confidentiality concerning the performance of his or her tasks.
  • The DPO can fulfil other tasks and duties within the law firm, however these duties must not result in a conflict of interest (e.g. Head of HR, IT Manager, Equity Partner). Where there is likely to be a conflict of interest, the law firm can decide to appoint an external DPO.

The Lexcel Standard v6.1 (3.1a) states that practices should appoint a DPO voluntarily if they are not required to do so under the above definition. If the firm chooses not to voluntarily appoint a DPO, the firm must document why it has not done so and the suitable alternative arrangements it has put in place.

Where the decision is made not to appoint a DPO, a GDPR Lead should be identified. The GDPR Lead will hold a suitably senior role within the firm, as they will be responsible for raising awareness of data protection across all employees. It may be most appropriate for the COLP or the COFA to take this on within their role.

Question 4

Has a budget been allocated to support the GDPR compliance programme?

  • What is the cost to the firm of allocating internal resources to this project (non-billable time)?
  • What is the cost of any potential external support (e.g. IT support provider, website provider, training provider, consultancy)?

The size of the firm, the complexity of the systems and procedures in place, and the categories of personal data and special categories of data processed will determine the level of resources required and the potential investment needed to update systems.

Step 2: Undertake a GDPR Gap Analysis

Prior to the GDPR coming into force, law firms were already bound by the previous Data Protection Act 1998 and the Solicitors Regulation Authority (SRA) rules around confidentiality, thus there should be a good grounding to start conducting an analysis of the gaps between the previous Act and the new Regulation.

The purpose of this step is to understand the breadth of changes that will need to be introduced across the firm in order to demonstrate its compliance with the Regulation.

The GDPR Implementation Team should answer the following questions, and note the requisite actions required.

Question 1

Is the firm currently registered with the ICO?

If you are uncertain as to whether you are registered with the ICO or do not know your renewal date, you can search the ICO’s Register of Fee Payers.

Where you are not registered with the ICO and are uncertain as to whether you should be registered, we recommend that you complete the ICO’s self-assessment (which should take no more than 5 minutes to complete).

Question 2

Do you keep records of the data collection and processing activities in an Information Asset Register?

Typically, the register would record (Article 30 (1)):

  • The purpose(s) for which personal data is collected and processed, for example as part of the recruitment procedure you will conduct ‘Right to Work’ checks.
  • The categories of personal data held, separating out personal data from special categories of personal data.
  • The types of data subjects, for example employees, clients, prospective clients and experts.
  • Where personal data is stored, in particular if it is stored outside of the European Economic Area (EEA).
  • Details of how long you retain electronic and paper records.
  • What technical and organisational security measures are in place? Technical measures could include examples such as an encrypted server, with restricted access that is backed up nightly. Organisational measures will include examples such as the firm’s policies and procedures, as well as regular staff training.

Article 30 ‘records of processing activities’ states that each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility. The Regulation does recognise the challenges that this may pose for micro, small and medium-sized companies, and so introduces a record-keeping derogation for organisations with fewer than 250 employees.

This exception does not apply to any law firm that processes:

  • Special categories of data or criminal convictions and offence data;
  • Personal data that could result in a risk to the rights and freedoms of individuals. 

Please also note the Lexcel Standard v6.1:

  • 1b - firms must keep appropriate records of processing activities;
  • 1g - firms must have a procedure for identifying and periodically reviewing data retention timescales.
  • 2a - states that firms must have a register of information assets. For firms who are not Lexcel accredited, best practice would require documentation of personal data processing activities.

Question 3

Have you identified all the Data Processors who process personal data on behalf of the firm (for example, an external payroll provider)?

When a law firm engages the services of a data processor it is important to have a written contract between both parties, which sets out the responsibilities and liabilities of both parties.  The law firm is liable for their compliance with the Regulation and according to the ICO guidance should only appoint data processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.

The Lexcel Standard v6.1 (5.2) requires firms to have procedures in place to manage outsourced activities, including documenting providers and ensuring measures are in place to protect personal data. The firm may wish to consider the following activities where personal data is shared with or entrusted to third parties:

  • External experts
  • IT companies / software providers (including cloud)
  • External HR support
  • External Finance services (e.g. payroll)
  • Photocopier services
  • Courier services
  • Shredding companies
  • Document storage companies
  • Cost draughting firms

Note: Barristers and counsel should also be considered, but they are regarded by the Law Society as joint data controllers (i.e. they can determine their own purpose for which the personal data is collected), so a data-sharing agreement should be in place.

Question 4

Do you have contracts with all your Data Processors?

  • Are your contracts with Data Processors GDPR compliant?

Article 28 (1) of the Regulation states that ‘where processing is to be carried out on behalf of a controller (e.g. law firm), the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject’. Additionally, the 2011 SRA Code of Conduct, Indicative Behaviour 4.3, requires that “... you only outsource services when you are satisfied that the provider has taken all appropriate steps to ensure that your client’s confidential information will be protected…”.

For example, do the contracts with Data Processors include the following compulsory terms:

  • The processor must take appropriate measures to ensure the security of the processing;
  • The processor must only engage a sub-processor with the prior consent of the data controller and a written contract;
  • The processor must delete and return all personal data to the controller as requested and at the end of the contract;
  • The processor must submit and contribute to audits and inspections that the data controller carries out, or another auditor appointed by the data controller carries out;

The above is not an exhaustive list, just an example of some of the terms that the Information Commissioner’s Office has stated should be included.

Question 5

Do you transfer data outside of the European Economic Area (EEA)?

  • If so, do you have appropriate procedures in place to ensure the security of the personal data when the data are transferred?

When a law firm transfers data outside of the EEA (EU member states plus Iceland, Norway and Liechtenstein), the law firm has to consider Articles 44-50, in particular whether an adequacy agreement has been reached. One example of an adequacy agreement is the EU-US Privacy Shield with the USA. If a law firm uses systems such as MailChimp or Xero, and it is known that the servers are based within the USA, it is the data controller’s responsibility to determine whether the company has signed up to the EU-US Privacy Shield and can demonstrate its compliance with GDPR.

Question 6

What is the current level of awareness amongst all staff on the core principles of GDPR?

  • Is there a data protection training programme for all employees (including partners) covering general principles?
  • Is there a procedure for recording when training has been completed?

The law firm is responsible for, and must demonstrate compliance with, data protection rules. Adherence to these rules should not begin only after a rule has been breached. The law firm should be proactive in its implementation of, and on-going compliance with, the firm’s data protection policies and procedures.

Article 32 “security of processing” states that the data controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks.  In addition, the Lexcel Standard v6.1 (5) requires law firms to identify and manage risk, with appropriate controls in place.  An example of an organisational measure (or control) is the provision of training on the fundamental principles of data protection to all staff, and more specialised data protection training for staff involved in processing personal data (e.g. HR teams provided with training on how to process a data subject access request from a member of staff).

A training register allows the firm to confirm which members of staff have attended training and to record the date the training took place. The records can form part of the employee’s training record within their personnel file.

Please note the following regulatory requirements for effective/appropriate training:

  • 2011 SRA Code of Conduct, Mandatory Outcome 7.6: You train individuals working in the firm to maintain a level of competence appropriate to their work and their level of responsibility.
  • Lexcel v6.1, 4.3a: Practices must have a learning and development policy, which must include: ‘ensuring that appropriate training is provided to personnel within the practice’.
  • Lexcel v6.1, 3.1e: Practices must have a policy to manage personal data which ensures compliance with data protection legislation, which must include: regular data protection training for all staff.

Question 7

List any policies currently in place that relate to data protection and information security.

  • For each policy, state when it was last reviewed and/or updated and how regularly this is done.
  • For each policy, state how that policy is made available to staff.

A non-exhaustive list of policies and documents which are usually affected by data protection requirements:

  • Retention Schedule
  • Data Disposal Policy
  • Privacy Notices (including website privacy, Employee and Candidate privacy notices)
  • Information Security Policy
  • Bring Your Own Device (where own devices are allowed for work use)
  • Remote/Home Working Policy
  • Data Breach procedure and log file
  • Client Care and Client Confidentiality (confidentiality policy)
  • Information and Security Policy
  • IT Plan / Email Policy / Social Media Policy
  • Compliance Plan
  • Training/Learning and Development Plan and Policy
  • Recruitment Policy / Outsourcing Policy
  • Risk Register (including any generic risks associated with data protection)
  • Information Asset Register
  • Internet Usage Policy
  • Marketing Policy / Procedures
  • Whistleblowing Policy
  • Undertakings policy
  • Policy for the use and evaluation of experts and counsel.

A Lexcel accredited firm will have a Compliance Plan in place, which should be the starting point to check which policies already exist.

Question 8

Is there a data subject access request (DSAR) procedure?

  • Are staff aware of what this procedure is?
  • Is there a register/log file to capture data subject access requests?
  • Are there template response letters?

Article 15 (‘Right of access by the data subject’) provides that a data subject (e.g. a current employee, prospective candidate, or current or previous client) shall have the right to obtain confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data. The right to access one’s own data is also set out as an element of the fundamental right to protection of personal data in Article 8 (2) of the EU Charter of Fundamental Rights.

Under the DPA 1998 a data subject already had the right of access; there are, however, a number of changes that a law firm needs to consider when implementing GDPR. The data subject no longer has to pay a £10 fee, so any reference to this fee needs to be removed from the firm’s documentation. The law firm now has 30 calendar days to respond rather than 40 days, so reviewing the current procedure will enable the firm to determine where efficiencies can be made in order to comply with the shorter timescale.

It is worth considering at this point how the firm distinguishes between a data subject access request from a client, and a request to access or have a copy of their entire client matter file.

If you already have a subject access request log file, does it record information such as the date the request was received, the date it was completed, where the file with the relevant information is located, and who within the firm was responsible for responding to the request?

Data subjects relevant to law firms include:

  • Prospective/current/past employees;
  • Prospective/current/past clients;
  • Experts and counsel;
  • Persons associated with progression of matters, such as estate agents and individuals within other bodies that refer matters to law firms;
  • Individuals within outsourced providers (e.g. shredding, costs draughting, locum secretarial, HR services etc.);
  • Individuals within external providers (non-outsourcing) such as courier companies, cleaning services and IT provision.

Question 9

What technical and organisational measures do you have in place to keep personal data secure?

  • Are these technical and organisational measures clearly documented through appropriate plans, policies and procedures?

Within Article 32 ‘Security of Processing’, where the data controller is assessing the appropriate level of security, account shall be taken in particular of the risks presented by processing, such as accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of or access to personal data transmitted, stored or otherwise processed. The Article describes measures such as:

  • Pseudonymisation and encryption of personal data;
  • Ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services.
  • Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • A procedure for regular testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Examples:

  • Client matter files are stored on encrypted servers within the EEA, with access restricted to a limited number of employees;
  • Your company firewall is regularly tested, with the latest software updates and rules applied;
  • Your backup procedure includes an incremental nightly backup, with a full backup at the end of the week, then a monthly and an annual backup. The backups are regularly tested to ensure you can restore individual files, as well as perform a full restore should you be subject to ransomware;
  • You have undertaken a network penetration test and have determined where the vulnerabilities are across the network, including where PCs have out-of-date anti-virus software or operating system updates;
  • Every 120 days you prompt users to change their network password;
  • You have a clear desk policy, and you undertake random spot checks to see how much personal data, including client matter and employee files, you can find on unattended staff desks after hours.

The Information Commissioner has issued a number of financial penalties to companies where insufficient technical and organisational measures have been in place. In March 2017 a senior barrister was fined £1,000 for failing to keep a client’s sensitive personal information secure.

More recently, in September 2018 the ICO fined BUPA Insurance £175,000 for failing to have effective security measures in place to protect customers’ personal information. In the same month, the ICO issued Equifax with a fine of £500,000 for failing to protect the personal information of up to 15 million UK citizens during a cyberattack in 2017. These fines were issued for breaches under the previous DPA 1998.

Question 10

What are the data protection risks (likelihood and severity)?

A practical task for the implementation team to undertake is to identify all the potential areas where a breach in data protection could occur.  For example:

  • How often are emails sent to the wrong individual(s)?
  • How often do employees receive phishing emails? For instance, an email purporting to come from a supplier asking for an invoice to be paid using new bank details.
  • How often are work mobile phones/laptops misplaced or lost? In this instance, was personal data relating to employees or clients stored on these devices, and were you able to remotely wipe them?

Once you know where all the potential risk areas are across the firm, you should be able to determine the likelihood of these risks materialising and, more importantly, the impact that they would have on the data subjects affected. For example, if your practice management system were to be hacked and the personal data of all your clients stolen, this could lead to both emotional and financial distress for your clients.

Lexcel accredited firms are required to have risk management procedures in place (v6.1 (5)); it is likely that the assessment of risk for data protection issues will need to be more detailed than the firm has previously done.

Question 11

Do you have a records management programme which has been adapted so that there are minimum and maximum retention periods for personal data categories (i.e. recruitment, employee records and client matters)?

  • Do you have a process for recording the need for continued retention of personal data beyond the maximum period identified in your retention policy?

Article 5(e) ‘principle relating to processing of personal data’ states that personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data was processed.  This principle is known as Storage Limitation. In the Data Protection Act 1998 it was referred to as Retention.

As a law firm you will be required to retain a variety of personal data for different legal purposes, some of which will have clear minimum and maximum periods of time for you to hold onto personal data. For example, unsuccessful candidate data should be held for a minimum of 6 months and a maximum of 12 months. Employee records for staff who have left the firm should be retained for up to 6 years after the contract termination date.

Neither the GDPR nor the DPA 2018 provides specific timescales for retention, but the firm must be aware of other legislative requirements for the continued storage of personal data.
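The retention review described above can be run as a routine check over the Information Asset Register rather than by hand. The following is an added example, not part of this guide or of any firm's own tooling: the schedule uses the periods the guide states (6 to 12 months for unsuccessful candidates, up to 6 years for leavers), while the category names, register fields and sample records are constructed for illustration. It generalises the two stated periods to any category placed in the schedule, and flags records held beyond the maximum that lack the documented justification Question 11 asks for.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Retention schedule in calendar months: (minimum, maximum).
# Periods are those stated in the guide; a minimum of 0 means the
# guide gives no minimum for that category. Category keys are constructed.
RETENTION_SCHEDULE: Dict[str, Tuple[int, int]] = {
    "unsuccessful_candidate": (6, 12),   # 6 to 12 months after the decision
    "former_employee": (0, 72),          # up to 6 years after termination
}


@dataclass
class AssetRecord:
    """One line of the Information Asset Register (constructed field set)."""
    record_id: str                        # internal reference, not a name
    category: str                         # key into RETENTION_SCHEDULE
    trigger_date: date                    # event the retention clock runs from
    justification: Optional[str] = None   # recorded reason for holding data
                                          # beyond the maximum period


def add_months(d: date, months: int) -> date:
    """Add calendar months to a date, clamping the day to the target month."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    if month == 12:
        last_day = 31
    else:
        last_day = (date(year, month + 1, 1) - date(year, month, 1)).days
    return date(year, month, min(d.day, last_day))


def classify(record: AssetRecord, today: date) -> str:
    """Place a record in one of four retention states as of 'today'.

    retain          - minimum period not yet reached; must still be held
    disposal_window - between minimum and maximum; may be disposed of
    extended        - past maximum, but a justification is recorded
    overdue         - past maximum with no justification: action required
    """
    min_months, max_months = RETENTION_SCHEDULE[record.category]
    earliest_disposal = add_months(record.trigger_date, min_months)
    latest_retention = add_months(record.trigger_date, max_months)
    if today < earliest_disposal:
        return "retain"
    if today <= latest_retention:
        return "disposal_window"
    if record.justification:
        return "extended"
    return "overdue"


def review_register(records: List[AssetRecord], today: date) -> Dict[str, List[str]]:
    """Group register entries by retention state for the review meeting."""
    result: Dict[str, List[str]] = {
        "retain": [], "disposal_window": [], "extended": [], "overdue": []
    }
    for record in records:
        result[classify(record, today)].append(record.record_id)
    return result


# Constructed sample register; dates chosen to exercise every state.
REVIEW_DATE = date(2018, 11, 1)
SAMPLE_RECORDS = [
    AssetRecord("C-001", "unsuccessful_candidate", date(2018, 8, 15)),
    AssetRecord("C-002", "unsuccessful_candidate", date(2018, 3, 1)),
    AssetRecord("C-003", "unsuccessful_candidate", date(2017, 6, 30)),
    AssetRecord("C-004", "unsuccessful_candidate", date(2017, 1, 31),
                justification="Employment tribunal claim ongoing"),
    AssetRecord("E-001", "former_employee", date(2012, 6, 30)),
    AssetRecord("E-002", "former_employee", date(2015, 1, 31)),
]

if __name__ == "__main__":
    for state, ids in review_register(SAMPLE_RECORDS, REVIEW_DATE).items():
        print(f"{state:16s} {', '.join(ids) or '-'}")
```

Records in the "overdue" group are the ones the retention procedure should either dispose of or document a reason for keeping; the output lists them by internal reference so the review itself does not reproduce personal data.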

Question 12

How do you currently evaluate personal data protection breaches?

  • Is there a personal data breach response and notification procedure in place?
  • Is there a personal data breach register, including at least the facts about the breach, the impact and the remedial actions?

Article 33 ‘Notification of a personal data breach to the supervisory authority’ states that in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority (ICO), unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. 

The Lexcel Standard v6.1 (3.1d) states that firms must have a procedure in place to manage and report data protection breaches.

A law firm must have a personal data breach procedure that enables it to assess the nature of the personal data breach and determine whether or not it needs to be reported to the ICO (and the SRA). The firm must record every personal data breach in a log file. All employees must also be trained in and aware of the procedure.

Question 13

Are Data Protection Impact Assessments carried out for new uses of technology where the processing is likely to result in high risk to the rights and freedoms of data subjects?

  • Do you have a documented procedure for identifying when a DPIA should be carried out? (Lexcel v6.1, 3.1f)

Article 35 states that Data Protection Impact Assessments (DPIAs) are mandatory in certain situations where data processing is likely to result in high risk to individuals (e.g. clients or employees), in particular:

  • Systematic and extensive processing activities, including profiling and where decisions have legal effects - or similar significant effects;
  • Large-scale processing of sensitive data or criminal convictions or offence details; or
  • Large scale, systematic monitoring of public areas (CCTV).

A DPIA is an assessment to identify and minimise non-compliance risks. As a minimum the DPIA must include:

  • A description of the envisaged processing operations and the purposes of the processing;
  • An assessment of (1) the need and proportionality of the processing and (2) the risks to data subjects (as viewed from the perspective of the data subject) arising; and
  • A list of measures envisaged to (1) mitigate those risks and (2) ensure compliance with the Regulation.

Where the law firm has appointed a Data Protection Officer, they must seek his/her advice on carrying out the DPIA.

Step 3: Identify and Record the Flow of Personal Data into and out of the firm

As a Data Controller, the law firm has a number of responsibilities that are set out in Article 24 of the Regulation.  The Data Controller must take into consideration the nature, scope, context and purpose of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons.   The controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the Regulation.

Article 30 ‘records of processing activities’ states that a controller shall maintain a record of processing activities under its responsibility.  The records will be in writing, including electronic form.  The record shall be made available to the supervisory authority (i.e. the UK’s Information Commissioner’s Office) upon request.  The Lexcel Standard v6.1 (3.1b) supports compliance with these GDPR requirements.

In order for a law firm to produce the records of processing activities (or what we like to refer to as the Information Asset Register) it needs to understand the flow of personal data and special categories of personal data into and out of the firm.

Whilst this is not an exhaustive list, we suggest that the GDPR Implementation Team review each business function within the firm where personal data is processed (e.g. HR, Business Development, Client Matters, Marketing, Finance and IT) and determine the different categories of individuals (e.g. HR department will have employees and candidates).

Question 1

Have you identified the categories of data subjects whose personal data the law firm processes? For example (this is not an exhaustive list):

  • Current Employees
  • Previous Employees
  • Candidates
  • Newsletter Subscribers
  • Event Delegates
  • External Experts and Counsel
  • Third Parties (e.g. estate agents, other law firms)
  • Suppliers
  • Partners
  • Prospective clients
  • Clients - you may wish to split this out by the different services you can offer a client…
    • Accidents in the Workplace
    • Personal Injury Claims
    • Residential Property
    • Wills, Probate, Tax and Trusts
    • Family Law
    • Employment
  • Website Visitors
  • Visitors

Question 2

What personal data do you process for each category of data subject?

A law firm will hold a variety of personal data on data subjects. Taking your employees as an example, you may hold:

  • Individual headshots for internal and external use
  • Work History
  • Employment History
  • Qualifications
  • Performance Report
  • Sickness / Absence Records
  • Bank Details
  • Emergency and Next of Kin Details
  • Passport and Driving Licence
  • Disciplinary information
  • Contact Details
  • CCTV recordings

For each category of data subject, record the types of personal data you process.  Some business functions within the law firm will process more personal data than others.

Question 3

What special categories of personal data do you process for each category of data subject?

When a law firm represents an individual or organisation on a legal matter, the firm may be required to collect and use sensitive information about ethnicity or race, political opinions, or physical and/or mental health. For example, where a firm represents an individual in a criminal case, the firm will collect information on alleged offences and any criminal history.

As with the previous question, record the types of special categories of personal data you process. Note that not every business function will process special categories of personal data.

Question 4

Have you identified the lawful basis for each processing activity?

The Regulation requires personal data to be processed lawfully (Article 6). There are six lawful bases for processing under the Regulation:

Consent: Article 6.1(a)

  • To communicate with individuals to keep them up to date on the firm’s services and solutions (e.g. newsletters), events and client surveys;
  • To collect information about individual’s preferences to personalise and improve communications.

Performance of a Contract: Article 6.1(b)

  • Client registration/instruction procedure;
  • Processing applications for employment;
  • Processing payroll;
  • Processing payments and billing;

Compliance with a Legal Obligation: Article 6.1(c)

  • Anti-money laundering checks;
  • Financial and credit checks;
  • Fraud and crime prevention;

The Vital Interests of the Data Subject: Article 6.1(d)

Vital interests are intended to cover only interests that are essential for someone’s life. This lawful basis is very limited in its scope, and generally only applies to matters of life and death.  For example, an individual is admitted to the A & E department of a hospital with life-threatening injuries following a serious road accident. The disclosure to the hospital of the individual’s medical history is necessary in order to protect his/her vital interests.

Public Interest or Exercise of Official Authority: Article 6.1(e)

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, and this basis primarily applies to governmental agencies.  It can be relied upon when processing personal data for the administration of justice, parliamentary functions, statutory functions or governmental functions.  Examples include public health, social care, election campaigns and taxation.

The Legitimate Interest of the Data Controller: Article 6.1(f)

  • To manage access to the firm’s premises and for security purposes;
  • To administer and manage business relationships (e.g. with Estate Agents and other bodies involved in progressing a matter);
  • To communicate with individuals to keep them up to date on the firm’s services and solutions (e.g. newsletters), events and client surveys;

When a law firm is assessing the lawful basis for processing personal data, it will first establish that the processing is necessary. This means the processing must be a targeted, appropriate way of achieving the stated purpose. A law firm cannot rely on a lawful basis if it can reasonably achieve the same purpose by some other means (e.g. a legal obligation overrides a legitimate interest).

When more than one lawful basis applies, the law firm will rely on what will best fit the purpose, not what is easiest for the firm.

It is important for a law firm to have identified the correct lawful basis for each processing activity because some individual rights have been modified under the Regulation.  A prime example is that a data subject has the right for his/her data to be deleted under the Right to Erasure where personal data is processed on the basis of consent.

Record the lawful bases for processing activities within the firm’s Information Asset Register in order to help the law firm comply with the GDPR’s Accountability principle.

Question 5

When relying on Consent, do you comply with the Regulation’s conditions for consent (Article 7)?

The Regulation states that ‘where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data’.

Can you demonstrate that:

  • Consent was freely given, and is specific, informed and unambiguous?
  • The procedure of requesting consent is prominent and separate from your terms and conditions?
  • You do not make consent a pre-condition of service?
  • You do not use pre-ticked boxes, or any other type of consent by default?
  • You regularly review consents to check that the relationship, the processing and the purpose(s) have not changed?
  • Consent can be withdrawn, without impact on the services the individual receives?

Consent will not be valid if there is a clear imbalance of power between the controller and the data subject; a typical imbalance is an employer’s processing of personal data within the context of an employment relationship. The Article 29 Working Party has stated that “employees are almost never in a position to freely give, refuse or revoke consent, given the dependency that results from the employer/employee relationship.  Given the imbalance of power, employees can only freely give consent in exceptional circumstances, when no consequences at all are connected to acceptance or rejection of an offer”.

In line with the accountability principle of GDPR (Article 5), do you have a procedure and mechanism for recording and managing consent?

Question 6

Where relying on Legitimate Interest(s), have you completed a Legitimate Interest Assessment?

Article 6.1 (f) of the Regulation provides that personal data may lawfully be processed if it is “necessary for the purposes of legitimate interests pursued by the controller or by the third party or parties (except public authorities in the performance of their tasks) to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection”.

Once the law firm has identified its legitimate interests for processing activities, it must conduct a balancing exercise, i.e. a Legitimate Interest Assessment (LIA).  The data controller must assess whether its interests override the rights and freedoms of the data subject.  The assessment of the impact on privacy and freedoms must be done from the perspective of the data subject.

The 3 parts that comprise the Legitimate Interest Assessment (LIA) are:

  • Identification of the legitimate interest;
  • Demonstration that the processing is necessary to achieve the LI;
  • Balancing it against the individual’s interests, rights and freedoms.

The Regulation’s recitals cite “when processing is strictly necessary for the purpose of preventing fraud” as an example of legitimate interests. Similarly, monitoring employee IT usage is considered to be acceptable under legitimate interests in order to protect the security and infrastructure of IT systems.

The Article 29 Working Party’s opinion on a data controller’s use of Legitimate Interests stressed the importance of accountability and transparency, and of the data subject’s rights to object to the processing of their data, or to have it accessed, modified, deleted or transferred, when balancing the legitimate interests of the controller against the data subject’s fundamental rights.

The law firm must include details of personal data processing under legitimate interests in its privacy information.

Note: keep thorough and adequate documentation of the assessment.

Question 7

What is the most appropriate lawful basis for processing special categories of personal data?

Article 9 (‘processing of special categories of personal data’, also known as sensitive data) states that “processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited”.   There is an extensive list of exemptions that a law firm could apply (see the Definitions section).

An example of sensitive data that the law firm may process under the employment, social security and social protection law exemption is staff health records and/or trade union membership.

It is important for a law firm to identify and record the relevant exemptions that it can apply to the processing of special categories of personal data for each processing activity, in order to help demonstrate compliance with the GDPR’s Accountability principle.

The law firm must include details of the special categories of personal data in its privacy information.

Question 8

Do the Privacy and Electronic Communications Regulations (PECR) 2003 apply?

The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and the GDPR.  PECR gives individuals specific privacy rights in relation to electronic communications.  PECR applies to a law firm if it:

  • Conducts marketing by phone, email, fax or text;
  • Uses cookies on its website.

PECR will be applicable to the law firm where it conducts direct electronic marketing to individual subscribers (‘individual customers, including sole traders’), also referred to as Business to Consumer.  This will affect your decision-making around your legal basis for processing personal data in relation to marketing activities.

The ICO is responsible for enforcing PECR and has several ways of acting to change the behaviour of anyone who breaches PECR, including:

  • Criminal prosecution;
  • Non-criminal enforcement; and
  • Audit

The ICO can also issue fines up to £500,000.  In a recent (August 2018) report from the Commissioner’s office, nuisance calls and texts are the biggest concern.  During the month of August 2018, the ICO had 103 cases under investigation and had issued 14 third-party information notices to try and identify companies making nuisance calls.

PECR is currently under review; an updated ePrivacy Regulation is expected by 2020.  More information can be found on the ICO’s website.

Question 9

Where are the personal data and/or special categories of personal data stored?

When mapping your law firm’s personal data and special categories of personal data, record where the data is physically located. Consider if it is stored:

  • within client matter files in an open plan office in unlocked cabinets;
  • on an encrypted server, with restricted access;
  • only in the practice management system on the server;
  • in a cloud-based system, with servers in the United States;
  • within individual employee email accounts;
  • on individuals’ desktop PCs/laptops that are not backed up;
  • on backup tapes stored remotely;
  • on unencrypted USB memory sticks;
  • on a data processor’s database/system.

The above list is not exhaustive; however, it should highlight that personal data can be stored in multiple locations.  There are a number of reasons why it is useful to know the location of data:

  • if the law firm receives a data subject access request from a current employee, knowing where the data is stored will assist the firm in understanding the scope of the searches that will be needed and the time that will be involved in managing the request;
  • in order to be transparent and accountable, law firms need to present individuals with privacy notices that clearly indicate where data is stored (in particular if it is outside the EEA) and to reassure individuals that data is secure.

It is important for a law firm to identify and record where the data is stored in relation to each processing activity.

Question 10

What is the volume (number of records) that you process (this is useful in the event of a breach of personal data)?

Question 11

Who has access to the personal data?

Consider what personal data is available to staff internally, where you may have to share data externally (e.g. HMRC) and where third-party data sharing takes place to deliver services (e.g. cloud providers, external payroll providers, external experts, other law firms etc).

Question 12

What are the retention periods for each processing activity?

  • Is the law firm subject to any specific legal, regulatory, or other requirements that impose specific time limits on the retention of personal and special categories of data?
  • Where is the retention period documented?
  • What procedures are in place to review the retention of personal and special categories of personal data and its ongoing relevance?

Article 5(1)(e) of the Regulation states that personal data shall be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)”.

Some relevant law firm examples include:

  • Conveyancing is typically 15 years;
  • Wills and Deeds are the only things acceptable to keep forever (and supporting advice if determined appropriate);

Client matter files are typically retained for 7 years minimum and 12 years maximum. Review and document the decision if it is necessary to keep them longer (e.g. AML risks, risk of legal challenge).

Action: the output from the data mapping exercise should be recorded within the law firm’s information asset register.

An Information Asset Register is a good tool to record the processing activities of the firm.  It underpins the management of personal data within the firm.  The following components should be included:

  • Purpose (Payroll)
  • Categories of Personal Data (Contact Details, Bank Details, Salary, National Insurance)
  • Legal Basis for Processing Personal Data (Performance of a contract)
  • Provenance (direct from employee)
  • Volume (10,000 records)
  • System Location(s) (Xero Accounting System, Cloud, US Servers)
  • Accountability and Sharing (Finance Director, shared with HMRC and Accountants)
  • Retention Period (7 years up to the end of the current financial year)
  • Format of Information Asset (electronic, stored within a database)
  • Current Status (active in use)

Step 4: Update the Firm’s Policies and Procedures

This section will describe the updates that will need to be completed, as well as describe what should typically be included within these policies and procedures.

Layered Privacy Notice

Article 13 of the Regulation (‘Information to be provided where personal data are collected from the data subject’) describes the information a law firm should present to the data subject at the point of data collection:

  • The identity and contact details of the controller and, where applicable, of the controller’s representative. A law firm can also include its ICO registration number within this section.
  • Data Protection Officer contact details (where applicable). A law firm may wish to set up a generic email account specifically for data protection issues such as mydata@lawfirmname.com or dpo@lawfirmname.com.
  • Purposes of processing personal data, along with the lawful basis.
  • Where the law firm is relying upon legitimate interest(s) for processing, these must be clearly stated.
  • The recipients or categories of recipients of the data.
  • Details of any transfer of personal data to third countries or international organisations. This section should also describe any adequacy decision that applies.
    • As of July 2018, the European Commission has made a full finding of adequacy on the following countries: Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.
    • Partial findings of adequacy have been found for the USA (personal data only, not special categories) and Canada (only covers data that is subject to Personal Information Protection and Electronic Documents Act (PIPEDA)).
    • Where no adequacy decision has been made, the law firm needs to reference any appropriate safeguards or binding corporate rules relied upon.
  • The length of time the law firm will retain the personal data/special categories of data.
  • Details of the individual rights of the data subject, including how to withdraw consent.
  • Details of how to complain, where the data subject feels that the law firm is not processing their personal data in line with the Regulation.

The law firm should think about including simple privacy notices at the point of capture, for example completing an application form or completing an online form requesting information.  Below is a list of potential privacy notices that the law firm may wish to produce:

  • Employee privacy notice
  • Candidate privacy notice
  • Website privacy policy
  • Client engagement letters
  • Direct Marketing sign-up
  • Terms and Conditions
  • Prospective client script for telephone enquiries

The law firm should keep the language clear and simple, and should not bury messages amongst extensive terms and conditions.


Data Protection Policy

The law firm’s data protection policy should set out:

  • The firm’s expectations and obligations as to how it will treat personal data.
  • How the firm will comply with the principles of the data protection legislation and best practice, including privacy by design and default.
  • How it will uphold and respond to the rights of data subjects.
  • How it will protect the rights of staff, clients, experts and service providers/suppliers.
  • What staff can and cannot do in terms of accessing personal data relating to:
    • Storage
    • Access
    • Use
    • Deletion
    • Mobile / Remote Working

Best practice data protection policies will also clearly set out:

  • Roles and responsibilities of key staff members relating to data protection, including the role of the Data Protection Officer (if applicable).
  • Circumstances in which it may be required to disclose personal data, for example if requested as part of a court order.
  • How the firm will respond to a personal data breach.
  • Privacy information.

The data protection policy will refer to and link to other key policies and procedures that provide more detail about specific areas of the firm:

  • Information Technology and Security Policy;
  • Confidentiality Policy (including a section on Social Media);
  • Home-Working / Remote-Working Policy;
  • Bring Your Own Device Policy;
  • Privacy Policy;
  • Marketing Plan;

All business activities using personal data must assess the impact on individuals’ rights and privacy as a priority, not an afterthought.


Retention Schedule / Records Management Policy

The purpose of the policy is to ensure that the law firm stores personal and sensitive personal data only for as long as it is needed or as required by statute. The policy is required to support the organised creation, retrieval, proper storage and preservation of the firm’s essential records.

The policy should set out who is accountable for ensuring the policy is adhered to (e.g. GDPR lead or DPO).  The policy should include:

  • A retention schedule for all types of personal data (ideally linked with the Information Asset Register); this should include the headings:
    • Type of personal data (e.g. prospective client data);
    • Description of the data (e.g. contact details and basic information about the enquiry);
    • Retention period (e.g. 12 months after the last contact with the prospect).
  • A procedure for flagging when records are approaching the date when the data should no longer be retained.
  • An annual audit to ensure retention periods are being adhered to.
  • Typical legislative/regulatory retention periods that are valid for the law firm, for example:
    • employee records, including training records (Limitation Act 1980), are to be retained for up to 6 years after employment ceases;
    • payroll (Taxes Management Act 1970): 6 years up to the end of the current financial year.

Best practice records management policy would provide guidance on how long emails should be retained for and where these should be stored.
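The retention schedule above and the Information Asset Register described under Step 3 lend themselves to a simple automated check. The following Python module is an added example, not part of the guide or any firm's own tooling: it models a register row with the components the guide lists, derives each record's disposal date from its retention rule, and produces the flagging report the policy calls for. The 31 March financial year end, the 90-day warning window and the sample rows are assumptions; the retention periods are the guide's own examples.

```python
"""Retention-schedule checker for an Information Asset Register (added example).

Each register row carries the components the guide lists plus the date the
retention period runs from; the checker derives the disposal date and flags
rows that are approaching or past it.
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumption: the firm's financial year ends on 31 March.
FINANCIAL_YEAR_END = (3, 31)
# Assumption: flag records whose disposal date falls within this many days.
WARN_DAYS = 90


def add_months(d: date, months: int) -> date:
    """Add whole months, clamping the day (31 Jan + 1 month -> 28/29 Feb)."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def financial_year_end(d: date) -> date:
    """Return the last day of the financial year that contains d."""
    fy_end = date(d.year, *FINANCIAL_YEAR_END)
    return fy_end if d <= fy_end else date(d.year + 1, *FINANCIAL_YEAR_END)


@dataclass(frozen=True)
class RetentionRule:
    """Retention period counted from the record's trigger event.

    to_financial_year_end rolls the date on to the end of the financial year,
    as in the guide's payroll example ('7 years up to the end of the current
    financial year').  permanent marks records such as wills and deeds.
    """
    years: int = 0
    months: int = 0
    to_financial_year_end: bool = False
    permanent: bool = False


@dataclass(frozen=True)
class AssetRecord:
    """One row of the Information Asset Register (the guide's components)."""
    purpose: str
    categories: Tuple[str, ...]
    lawful_basis: str
    provenance: str
    volume: int
    locations: Tuple[str, ...]
    accountability: str
    retention: RetentionRule
    asset_format: str
    status: str
    trigger_date: date  # e.g. leaving date, matter close, last contact


def disposal_date(record: AssetRecord) -> Optional[date]:
    """Date after which the record should no longer be retained (None = keep)."""
    rule = record.retention
    if rule.permanent:
        return None
    due = add_months(record.trigger_date, rule.years * 12 + rule.months)
    return financial_year_end(due) if rule.to_financial_year_end else due


def classify(record: AssetRecord, today: date, warn_days: int = WARN_DAYS) -> str:
    """'permanent', 'retain', 'review' (due within warn_days) or 'dispose'."""
    due = disposal_date(record)
    if due is None:
        return "permanent"
    if today > due:
        return "dispose"
    if (due - today).days <= warn_days:
        return "review"
    return "retain"


def review_report(records, today: date, warn_days: int = WARN_DAYS) -> List[Tuple[str, str, str]]:
    """Rows needing a retain/destroy decision, earliest disposal date first."""
    rows = []
    for record in records:
        status = classify(record, today, warn_days)
        if status in ("review", "dispose"):
            rows.append((record.purpose, disposal_date(record).isoformat(), status))
    return sorted(rows, key=lambda row: row[1])


# Constructed sample register; values are illustrative, not a real firm's data.
SAMPLE_REGISTER = [
    AssetRecord("Payroll", ("Contact Details", "Bank Details", "Salary", "National Insurance"),
                "Performance of a contract", "direct from employee", 10000,
                ("Xero Accounting System", "Cloud, US Servers"),
                "Finance Director, shared with HMRC and Accountants",
                RetentionRule(years=7, to_financial_year_end=True),
                "electronic, database", "active", date(2018, 6, 30)),
    AssetRecord("Prospective client enquiries", ("contact details", "enquiry details"),
                "Legitimate interest", "direct from prospect", 350,
                ("practice management system",), "Marketing Manager",
                RetentionRule(months=12), "electronic", "active", date(2018, 10, 1)),
    AssetRecord("Former employee HR file", ("Employment History", "Performance Report"),
                "Legal obligation", "direct from employee", 40, ("HR system",),
                "HR Manager", RetentionRule(years=6), "electronic", "archived", date(2013, 5, 15)),
    AssetRecord("Conveyancing matter files", ("Contact Details", "property details"),
                "Performance of a contract", "direct from client", 2000,
                ("locked cabinets", "practice management system"), "Head of Property",
                RetentionRule(years=15), "paper and electronic", "closed", date(2010, 1, 20)),
    AssetRecord("Wills and Deeds", ("Contact Details", "next of kin"),
                "Performance of a contract", "direct from client", 800, ("fire safe",),
                "Head of Private Client", RetentionRule(permanent=True), "paper", "closed",
                date(2000, 1, 1)),
]

if __name__ == "__main__":
    for purpose, due, status in review_report(SAMPLE_REGISTER, date(2019, 9, 1)):
        print(f"{status:8} {due}  {purpose}")
```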


Data Disposal Policy

The aim of the disposal policy is to enable the law firm to comply with the requirements of the Regulation.  Disposal of data and information assets is an essential part of information governance and data management. When properly undertaken, it will ensure that when personal data is no longer needed, it is destroyed in an appropriate manner.  The benefits of a managed disposal procedure include:

  • It avoids unnecessary storage costs incurred by using server space to maintain data no longer needed;
  • It supports compliance with the Storage Limitation Principle (Article 5(1)(e)) within GDPR, whereby personal information recorded in the Information Asset Register is securely disposed of when there is no longer a justification to retain it;
  • Finding and retrieving information is quicker and easier because there are fewer information assets to search;

The policy should set out who is responsible for managing the disposal of personal data, in particular deciding whether:

  • To securely destroy the personal data; or
  • To retain the personal data for a further (justified) period.

Best practice data disposal policy will also clearly set out:

  • How to make the disposal decision;
  • How to record the disposal decision;
  • What assurances need to be in place before the data is destroyed;
  • Accepted approach to destroying paper records (e.g. all outsourced shredding contractors will comply with BS 8470, the British Standard that specifies the disposal of confidential material, and with BS 7858);
  • Accepted approach to destroying digital records (e.g. overwriting with random data enough times to eliminate the data).


Procedure for Handling Personal Data Breaches

The Regulation introduces a personal data breach notification process. Non-compliance can attract a fine (€10m / 2% of turnover) in addition to the fine for personal data breach itself. The law firm must maintain appropriate data breach logs covering the information relating to the breach and decision-making procedures for handling the breach.

Each breach should be recorded within the law firm’s internal data breach register, which should have the following components:

  • The facts of the breach;
  • The effects of the breach on the data subjects;
  • Remedial action taken by the firm.

Where the personal data breach poses a high risk to the rights and freedoms of data subjects, the ICO will need to be notified.  A notification to the ICO should include:

  • The nature of the data breach;
  • The categories and approximate number of individuals concerned;
  • The categories and approximate number of personal data records concerned;
  • Contact details for the Data Protection Officer (if applicable);
  • A description of the likely consequences of the data breach; and
  • A description of the actions to be taken to deal with the personal data breach, and where necessary, the actions required to mitigate any risks of adverse effects to individuals concerned.

In order to understand why a breach occurred and to prevent further breaches, the law firm must have clear procedures in place to assess and document the following:

  • Determine how the breach happened;
  • Determine what, if anything, could have been done to prevent it;
  • Understand what can be done to prevent future breaches;
  • Determine how soon the changes can be implemented;
  • Update and cascade training for staff as soon as possible; and
  • Implement and comply with recommendations from the ICO (if relevant).

All employees will need to understand what constitutes a personal data breach and what to do in response to a breach.


Business Continuity Plans

Personal data breaches or data security breaches could have a minor or severe impact on the firm’s business continuity, for example:

  • Loss of access to client or staff systems, e.g. through corruption of data;
  • A ransomware attack;
  • IT or network failure;
  • Senior staff involved in addressing the data breach being unavailable to conduct their usual work;
  • The firm’s cashflow, liquidity or existence being threatened by a financial penalty issued by the ICO (please note that this is an extreme example).

In order to mitigate these risks, the firm must demonstrate through appropriate business continuity policies and procedures that:

  • Appropriate back-up procedures are in place, and that these are tested regularly.
  • An assessment of the data protection breach risk has been undertaken, providing a description of impact of losing different levels of personal data.
  • Clear policies and procedures relating to data protection and security are in place, with associated comprehensive staff training.
  • Regular audits are conducted to demonstrate the adherence to policies and procedures (particularly in relation to mobile working and access to systems).
  • Breaches are monitored and lessons are learned.


Procedure for Handling Individual Rights

Data Subject Access Requests (DSAR): An individual can make a data subject access request and has the right to confirmation of whether their personal data is being processed, to a copy of the data and to supplemental information about the processing. A request can be made in writing or verbally.  The law firm’s data protection policy should set out:

  • How to recognise a data subject access request;
  • Where a subject access request has been received, who within the firm it should be sent on to;
  • How to verify the identity of the individual requesting the data (if the DSAR is from an existing employee it may be unnecessary to verify their identity);
  • The timescales to respond to the request (30 calendar days);
  • That no cost can be charged for the request;
  • How to record the information within the firm’s data subject access request log file; and
  • What information is to be provided back to the data subject:
    • Purpose of processing;
    • Categories of data;
    • Retention period;
    • Notice of any additional rights (rectification, restriction, object, erasure) and how to complain to the ICO;
    • Source of the data (direct from data subject or via third-party); and
    • Any automated decision-making

The firm may wish to consider developing template response letters to use for data subject access requests in order to make the process more efficient, given the 30-day timescale for response.

Right to Rectification: An individual has the right to have their personal data rectified. Accuracy of personal data is fundamental to ensure a high level of data protection.  The law firm must be able to:

  • Recognise requests for rectification;
  • Record requests that are received verbally;
  • Correct inaccurate personal data without undue delay or within one month;
  • Be confident in the decision to refuse requests;
  • Inform the data subject when the personal data has been rectified.

The Regulation does state that where such requests are linked to legally significant matters, such as the data subject’s legal identity, or the correct place of residence for the delivery of legal documents, requests for rectification may not be enough and the controller may be entitled to demand proof of the alleged inaccuracy. Such demands must not place an unreasonable burden of proof on the data subject and thereby preclude data subjects from having their data rectified.


Right to Erasure (‘Right to be Forgotten’): An individual has the right to have personal data erased in certain circumstances. The data protection policy should set out how the firm should handle the following situations:

  • The personal data are no longer necessary regarding the purposes for which they were collected or otherwise processed;
  • The individual (‘data subject’) withdraws the consent on which the processing is based and there is no other legal ground for the processing;
  • The individual objects to the processing and there are no overriding legitimate grounds for the processing;
  • The personal data was unlawfully processed;
  • The personal data must be erased for compliance with a legal obligation;

The law firm must be able to:

  • Recognise requests for erasure;
  • Liaise with software vendors where personal data is not directly under the control of the firm, to request deletion;
  • Record requests that are received verbally;
  • Erase personal data without undue delay or within one month;
  • Be confident in the decision to refuse requests, in particular where there is a lawful reason for continued processing, including ‘for the establishment, exercise or defence of legal claims’;
  • Inform other recipients to whom the personal data has been disclosed of the erasure request;
  • Inform the data subject when the personal data has been erased.


Right to Object: An individual can invoke their right to object to personal data processing on grounds relating to their particular situation where the legal basis for the processing is the controller’s performance of a task carried out in the public interest, or where the processing is based on the controller’s legitimate interest(s); and to data processed for direct marketing purposes. The right to object can be exercised by automatic means (e.g. unsubscribe functionality built into email campaigns).  The law firm must be able to:

  • Respond to the request within one month;
  • Stop processing the personal data immediately, unless the law firm is able to demonstrate that its legitimate interests override those of the individual, or that processing is necessary for establishing, exercising or defending legal claims;
  • Immediately stop processing personal data for direct marketing purposes (there are no grounds for refusal).

Step 5: Privacy by Design and Default

The firm should make data protection a priority; it is not a tick-box exercise but requires ongoing management and adherence:

  • Board Level Engagement
    • Confirm the responsible nominated individual;
    • Routinely review the risk register;
    • Routinely review the data breach register;
    • Learn from minor breaches and implement change to mitigate the risk of greater breaches;
    • Demonstrate commitment to data protection.
  • Staff
    • Learn from errors (whether internal or at other businesses);
    • Are provided with relevant examples in data protection training;
    • Receive annual training on the basics of data protection;
    • Are updated within team meetings about changes to policies/procedures;
    • Understand their role in supporting the firm’s accountability to the Regulation.
  • Organisational
    • Disseminate privacy notices to individuals, including uploading the website privacy notice to firm’s website.
    • Disseminate the up to date Data Protection Policies to all staff across the law firm.
    • Ensure that Data Protection Impact Assessments are conducted where data processing is likely to result in high risk to individuals (e.g. when introducing a new case management system or considering using new technology to support marketing activities).
    • Ensure that data protection policies and processes are followed through with comprehensive training and regular (annual) review.
    • Conduct annual audits to determine compliance with the firm’s policies and procedures.
    • Review relationship with Data Processors annually. Where appropriate conduct an onsite audit.
    • Data protection training forms part of any new employee’s induction procedures.

Action: Complete the GDPR Implementation Plan, assigning responsibility to different staff/teams.  The GDPR implementation team is responsible for monitoring the completion of tasks set out within the plan.

Definitions:

The definitions listed within these guidelines are those used within the Handbook on European Data Protection Law 2018 Edition, prepared by the EU Agency for Fundamental Rights, Council of Europe and the European Data Protection Supervisor, and those provided by the European Union’s Article 29 Working Party.

Personal Data

Information relating to an identified or identifiable natural person. It concerns information about a person whose identity is either manifestly clear or can be established from additional information. To determine whether a person is identifiable, a controller or another person must consider all reasonable means that are likely to be used to directly or indirectly identify the individual, such as, for example, singling out, which makes it possible to treat one person differently from another.

Examples: employee performance records, a prospective candidate’s CV, interview notes, case notes that relate to the individual, contact details, next of kin/emergency contact details, etc.

Special Categories of Personal Data

Special categories of personal data, by their nature, may pose a risk to the data subjects when processed and need enhanced protection. Such data are subject to a prohibition principle and there are a limited number of conditions under which such processing is lawful.

Within the framework of Modernised Convention 108 (Article 6) and the GDPR (Article 9), the following categories are considered sensitive data:

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions, religious or other beliefs, including philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data and biometric data processed for the purpose of identifying a person;
  • personal data concerning health, sexual life or sexual orientation.

Personal data relating to criminal convictions and offences or related security measures is covered under Article 10, which stipulates that processing such data “may only be carried out under the control of official authority or when processing is authorised by Union or Member State law providing for appropriate safeguards for rights and freedoms of data subjects”.

Data Subject

The data subject is the natural person to whom the personal data relates.

Data Controllers

The data controller is the natural or legal person who determines the purposes and the means of processing.

The Article 29 Working Party has emphasised that to provide individuals with a more stable entity for the exercise of their rights, “preference should be given to consider as controller the company or body as such, rather than a specific person within the company or body”.

Data Processors

The data processor is the natural or legal person who processes the data on behalf of the controller, following the controller’s strict instructions.

Data Processing

Under both EU and Council of Europe (CoE) law, processing of personal data means any operation such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data. Modernised Convention 108 adds preservation of personal data to the definition.

Large-Scale Processing

The GDPR has not defined the term “large-scale”. The European Union’s Article 29 Working Party (an independent advisory group) has recommended the following factors when determining whether or not ‘large-scale’ processing is being carried out:

  • The number of data subjects concerned (either as a specific number or as a proportion of the relevant population);
  • The volume of data and/or the range of different data items being processed;
  • The duration, or permanence, of the data processing activity; and
  • The geographical extent of the processing activity.

The Working Party has provided examples of large-scale processing:

  • Processing of travel data of individuals using a city’s public transport system;
  • Processing of real-time geo-location data of customers of an international fast food chain for statistical purposes by a processor specialised in these activities;
  • Processing of customer data in the regular course of business by an insurance company or a bank;
  • Processing of personal data for behavioural advertising by a search engine; and
  • Processing of data (content, traffic, location) by telephone and internet service providers.

Core Activities

The European Union’s Article 29 Working Party guidance states that “core activities” are an ‘inextricable part’ of the controller’s/processor’s pursuit of its goals.

Examples include:

  • A security company’s surveillance where it is hired to safeguard a public space.
  • A hospital processing patient health data.
  • An outsourced provider of occupational health services’ processing of its customer’s employee data.

A law firm’s processing of employee information is ancillary to its activities, not core.

Regular and Systematic Monitoring

The European Union’s Article 29 Working Party guidance includes the following examples:

  • All forms of online tracking and profiling, including for the purposes of behavioural advertising and email retargeting;
  • Profiling and scoring, including credit scoring, fraud prevention or the setting of insurance premiums;
  • Location tracking;
  • Fitness and health data tracking;
  • CCTV;
  • Processing by connected devices (smart meters, smart cars, etc.); and
  • Data-driven marketing activities (e.g. big data).

Article 9 exemptions to ‘Processing of special categories of personal data’

If one of the following exemptions applies, the law firm can process special categories of personal data:

  • the data subject has given explicit consent to the processing of those personal data for one or more purposes, except where Union or Member State law provide that the prohibition referred to in 9(1) may not be lifted by the data subject;
  • processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
  • processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
  • processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
  • processing relates to personal data which are manifestly made public by the data subject;
  • processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  • processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
  • processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in 9(3);
  • processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
  • processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.