GDPR – transparency and honesty are key

Cases such as Dreamvar have made it clear that a lack of (1) attention to detail; (2) awareness of types of personal information; and (3) adherence to the requirements for data processing can lead to devastating consequences. It is therefore essential that firms fully understand their obligations.

Conveyancing practices turn over multiple transactions over a relatively short time span, which involves a large amount of incoming personal data every day. Any new clients need to be made expressly aware of what their data will be used for, which third parties will have access to it, and also the reasons for this. Although this seems onerous and tedious, it is easiest to avoid a breach by keeping clients informed simply through a fair processing notice. A notice of this nature will meet one of the key objectives of the GDPR – to keep individuals informed. It should clearly and comprehensively describe the purpose and legal basis for the use of your clients’ data, set out what each individual’s rights are in terms of their data, as well as the retention period for their data (having regard to Article 5(e) which states that “personal data shall be kept for no longer than is necessary for the purposes for which it is being processed”).

There is no doubt that the GDPR have significantly enhanced the rights of any individual whose data is being processed. Your clients and/or employees should be comfortable that they are in control of their data, and it is key to demonstrate an understanding of exactly what data you hold and what is being done with it. Individuals (both clients and employees) now have a right to be forgotten by requesting that you remove personal data you hold from your systems. Although it is not an entirely new principle or an unconditional right, it has proved to be one of the more difficult regulations to bring into operation, given data portability into the public domain. Nonetheless, data portability cannot be used as an excuse to delay or refuse any requested erasure.

Some practical tips on how to comply with the GDPR are as follows:

1. Check your firm’s consent practices – you cannot rely on the implied consent of individuals to process their data. Consent needs to be clear and unequivocal, i.e. ensure clients have an option to opt in, rather than having to take steps to opt out.
2. Train employees – serious breaches need to be reported within 72 hours. It is therefore of the utmost importance that employees can spot a red flag when it occurs and feel able to report a breach without fear of repercussions. Ensure therefore that your firm has robust procedures for detecting, reporting, and investigating any data breaches. Small firms are unlikely to require the appointment of a Data Protection Officer unless they are processing special categories of personal data (i.e. political beliefs, ethnic origin etc). However, it is still important to have someone in your organisation who has a detailed understanding of the GDPR and is responsible for data protection.
3. Update privacy and/or security policies – or put them in place if they are not already! Broad use of encryption is a good way to minimise your firm’s risk of a breach. Share the risk between different systems, evaluate what security measures are in place, and approach this analysis with individuals’ rights in mind.

This article first appeared in Pelican Underwriting’s, The Pelican Brief, August 2018.