GDPR Compliance for Law Firms

The GDPR

The General Data Protection Regulation (GDPR), adopted in April 2016, succeeded the erstwhile Data Protection Directive (DPD) of 1995 and became enforceable as of 25^th May 2018. This Regulation harmonizes the data privacy laws among its member nations. It aims to protect personal data, in the course of such activities that would fall within the purview of Union law.

Advancement in time breeds advancement in technology and with the progress of time, the world is becoming increasingly transcendental. Virtual reality is becoming increasingly life-like. This theoretically boundless plane is scarcely comprehensible by all. Yet, it is fast becoming integral for the dawn of the new age.

The internet and the online cloud have greatly revolutionized our approach to most things. The sheer online traffic that the world generates daily is phenomenal. The internet witnesses the dissemination of an immense amount of uncombed data or raw information continuously. Hence, it is imperative to provide robust data protection and data privacy measures.

Certain principles that should ideally govern the processing of personal data are enshrined in Article 5 of the GDPR, and they are:-

• ‘lawfulness, fairness and transparency’ in the processing of data;
• ‘purpose limitation’ by collecting the data for legitimate and specific purposes;
• ‘data minimization’ by processing the data to the extent of the requirement and not more;
• ‘accuracy’ of the data, by keeping it up-to-date;
• ‘storage limitation’ by storing the data in a form that allows identification of the data subjects according to necessity;
• ‘integrity and confidentiality’ of the data by ensuring the security of the processed data;
• ‘accountability’ of the Controller.

  Read Also – Why is data management important for lawyers?

Data processing should be in line with all the other tenets. The element of ‘Accountability’ is necessary to ensure that it is.

Data and Big Data

In fact, data is an indelible part of life. It does not matter whether it is reality or virtual reality—data pervades each and every boundary, and that is why it is extremely important to safeguard data, for if it were to slip into the wrong hands, it could compromise countries, economies— basically the world.

Today, big data has attained unprecedented significance. Big data or systematically analyzed data is worth an immense amount of money because there are people and organizations that are willing to pay almost anything for this wealth of knowledge. Having an intimate knowledge of the habits and behaviors of people; not to mention some of their most confidential information regarding birth, and education to name a few, would help anyone cater to extremely niche services, and that is what many organizations are looking for.

Read Also – How to Manage Your Client Data in 2021

Impact of GDPR Compliance on Law Firms

Law firms are essentially like any other organization, save they offer legal services; and just like any other organization, people are the be-all and end-all of such firms. Of course, with the involvement of people, there will be the incidence of data. This data can be carefully combed into big data, or even if it is not, data in itself is a treasure trove of information that must be protected at all costs. Due to the sheer volume of data that a law firm generates, it is a potential target for data thievery and other cyber-attacks, and being GDPR compliant could help insure against such threats. Anyway, if your law firm processes personal data of people falling within the scope of Union law, it is imperative for the firm to be GDPR compliant.

Read Also – Why Law Firms Should Care About Data Security

The Internet plays a major role in today’s world. In such a world, it is important to invest in cyber-security measures. There is no special reason as to why a law firm must conform with the GDPR compliance platforms, save that since law firms often advocate about what is and what is not the law, it is only but prudent that the so-called ‘Watchmen of the Law’ comply with such societal wellness-driven laws. Moreover, being GDPR compliant would ameliorate and accentuate the creditworthiness of the firm beyond borders and onto a more macro-scenario.

Being a GDPR complaint could also instill greater confidence in the people and/or organizations to approach the law firm to handle their legal affairs. Moreover, with the help of legal technology, law firms can be GDPR compliant by enforcing necessary measures. A watertight data protection measure would hold the consumer in greater stead.  Every consumer or customer feels reassured when his convenience is afforded the highest sort of importance.

Read Also – Security for Personal Data: Personal Data Protection Bill

Data Protection Measures in India

Legislature

Since it is not a part of the European Union, India is not a signatory to the GDPR. Yet, it can enact laws, along the lines of the GDPR. India, as a country is yet to promulgate a law that specifically caters to data protection, and while the Personal Data Protection Bill, 2019, is yet to be passed into an Act, the Government has, albeit many years earlier, had the intelligence to effect necessary amendments in the Information Technology Act, 2000, by way of Sections 43A and 72A.

Section 43A[1] commands a ‘body corporate’ to employ ‘reasonable security practices and procedures in order to ensure the safety and security of ‘sensitive personal data or information, and in the event of a failure to do so, to pay ‘compensation’. Section 72A[2] enshrines the punishment for disclosure of information in breach of a lawful contract, which may be imprisonment for a term extending up to 3 years, or maybe a fine extending up to 5 lakh rupees, or both.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, (Rules), issued by the Central Government, under the aegis of Section 43A, proceeds further on the ideals sought to be advocated by the amended Section. Additional requirements that are similar in length and breadth to the GDPR and the DPD have been imposed on commercial and business entities in India.

Read Also – Security for Personal Data: Personal Data Protection Bill, 2019

Judiciary

The Indian Judiciary too contributed significantly towards improving the elements of data privacy and data protection in the country. The landmark verdict in Justice K.S Puttaswamy (Retd.) & Anr. v. Union of India vindicated the belief that India was inching closer towards a specific data protection legislation. The Apex Court had observed that the right to privacy was an intrinsic part of the right to life and personal liberty as guaranteed under Article 21.  Thus, the right to privacy is protected as a part of the freedoms guaranteed by Part III of the Constitution.

This judgment has conjured newfound confidence in the sanctity of information in general and personal information in particular. This should put the country on the right path towards a more data-protective outlook, by ensuring GDPR compliance.

Read Also – Law firm cybersecurity in 2021

The Way Forward

Presently, the PDP Bill, 2019 is under consideration by a Joint Parliamentary Committee. 2020 was expected to be the dawn of the revised PDP Bill, but alas! Considering the current pandemic situation, however, it may take a while now.

Presently, India does not have a regulatory authority to implement the safeguard and protection of data. Prior to receiving assent, the PDP Bill is expected to envisage such a regulatory mechanism. Nonetheless, considering the worldwide importance of data and information, it is always prudent to be data compliant, and to function within the confines of not just the law, but also equity and morality; and no one reigns supreme over such requirements—not even law firms.

Read Also – Being a Fundamental Right, Right to Privacy is not an Absolute Right

[1] Inserted by Act No. 10 of 2009 (w.e.f. 27.10.2009), Sec.22.

[2] Inserted by Act No. 10 of 2009 (w.e.f. 27.10.2009), Sec.37.