What is GDPR?
GDPR (the General Data Protection Regulation, Regulation (EU) 2016/679) was adopted by the European Union in 2016 and has applied since 25 May 2018, replacing the 1995 Data Protection Directive; in the UK it was given effect by the Data Protection Act 2018, which in turn replaced the Data Protection Act 1998. GDPR is a set of binding obligations that organizations must meet when they collect, store or otherwise process personal data about people in the EU, and it was drafted to strengthen the control and rights that individuals have over their personal data.
Essentially, if you process the personal data of people who are in the EU - because you are established there, because you offer them goods or services, or because you monitor their behaviour - then the regulation applies, even if your company or organization is based outside the EU (this is the territorial scope set out in Article 3).
Other countries (outside of the EU) that have adopted GDPR include:
The obligations are easier to apply in practice if you start from the seven principles set out in Article 5, which capture the spirit of the regulation and make it easier to understand why the detailed rules exist.
The seven principles of GDPR
Lawfulness, fairness and transparency
Personal data should be processed lawfully, fairly and transparently. Lawful means there is a valid legal basis for the processing (Article 6 lists six, of which consent is only one); fair means the processing is not detrimental, misleading or unexpected from the individual's point of view; transparent means the organization explains clearly, and before the data is collected, who is collecting it, why, and what will be done with it.
Purpose limitation
Any data that is collected should be for a specific, explicit and legitimate purpose, and should not be further processed in a way that is incompatible with that purpose. Not only does the organization have to be clear about why it is collecting and processing personal data, it also needs to record those purposes in its records of processing activities (Article 30) and describe them in its privacy information.
Data minimisation
All data collected needs to be adequate and relevant for the purposes described, and limited to what is necessary for those purposes. Holdings should also be reviewed periodically so that anything no longer needed for the stated purpose is deleted.
Accuracy
Controllers (and processors acting for them) should take all reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date, and that inaccurate or misleading data is corrected or erased without delay.
Storage limitation
Personal data should not be kept in a form that identifies people for longer than is necessary for the purpose it was collected for. Longer retention is permitted for archiving in the public interest, or for scientific, historical or statistical research, but only with appropriate safeguards in place to protect the rights of individuals.
Integrity and confidentiality
Processing personal data brings a responsibility for its security: the organization must use appropriate technical and organizational measures to protect the data against unauthorized or unlawful processing and against accidental loss, destruction or damage. Article 32 spells out what that means in practice - pseudonymisation and encryption where appropriate, the ability to restore access to data after an incident, and regular testing of the measures in place - all proportionate to the sensitivity of the data.
Accountability
The controller - the organization that decides why and how personal data is processed - is ultimately responsible for compliance, and processors (organizations that process data on the controller's behalf) carry their own obligations under Article 28. To demonstrate accountability, the controller needs to be able to show that it has appropriate policies, records and protection measures in place, not merely to have them.
Why is GDPR important for law firms?
GDPR is extremely important in law firms because personal data is collected in various forms for different reasons.
A law firm is normally a controller in its own right: the firm, not an individual, decides why and how client and case data is collected, processed and stored. Its partners and staff act under the firm's authority rather than as separate processors; the processors are the third parties that handle data for the firm, such as cloud storage, e-discovery and document management providers, each of which needs a written contract meeting Article 28.
From the core information about clients using legal services (addresses and phone numbers as well as financial information and, often, special-category data such as health or criminal-offence records) to the sheer volume of material collected and processed in preparation for a case, law firms make heavy use of personal data, which means they are obligated under GDPR to follow the regulation wherever the people concerned are in the EU (and under the UK GDPR for people in the UK).
Whether they are receiving bulk data or smaller amounts, the law firm will have to carefully consider how they are collecting and using data, and how they are storing it after processing.
How to discuss GDPR in an interview
The background of GDPR
Understanding the background of GDPR and why it was launched is essential for any organization that deals with personal data, and if you are able to discuss this in the interview you will show the recruiters that you have an excellent commercial awareness and knowledge of the importance of data security, too.
The more you can talk about the history - the Data Protection Act 1998 and the 1995 Directive it implemented, and how GDPR together with the Data Protection Act 2018 replaced them - as well as the seven principles and their application, the more knowledgeable you will seem.
The rights of individuals
The whole point of GDPR is to protect the rights of the individual, and there are two rights in particular that you should bring up when talking about GDPR.
Firstly, the right to erasure, often called the right to be forgotten. Article 17 of GDPR allows an individual to ask for personal data held about them to be deleted in certain circumstances. These include:
The data was processed unlawfully
The individual withdraws consent and there is no other legal basis for the processing
The data is no longer necessary for the purpose it was collected for.
The right is not absolute: Article 17(3) preserves data that is needed to comply with a legal obligation or to establish, exercise or defend legal claims, which matters a great deal to a law firm.
Secondly, the Data Subject Access Request (DSAR) under Article 15. At any time an individual can ask an organization to confirm whether it holds personal data about them and to provide a copy, along with information such as the purposes of the processing, the recipients and the retention period. These requests must be answered without undue delay and in any event within one month, extendable by up to two further months for complex or numerous requests (Article 12), and in a law firm they have to be reconciled with legal professional privilege (in the UK, the Data Protection Act 2018 contains a specific exemption for privileged material).
Have an opinion on GDPR
GDPR is a tricky subject to understand, so it is something that is worth spending a bit of time to get familiar with. One of the most important things to do when it comes to learning about GDPR is to develop an opinion on it, as being able to articulate the reasoning and the background of the legislation will be easier when you have something to say about it.
Practice talking about GDPR before the interview - you might want to try and tell someone about it who might not already have knowledge, for example - so that when you come to discuss it as part of your interview you are already prepared and can speak clearly and confidently.
How GDPR will impact your work as a lawyer
The impact of GDPR on how organizations gather data has been a learning curve, and some businesses are still far behind when it comes to collecting and processing data lawfully.
However, the more you know about how your role as a lawyer will be impacted by GDPR - and what that means for your responsibilities to data protection - the better you will be able to ensure that you are using personal data in the right way.
Be prepared to describe your own role in handling personal data on the firm's behalf, and how the firm, as controller, expects you to follow the seven principles, and you will already be ahead of other candidates. Don't forget that a law firm may have to deal with bulk data (for example, during disclosure or discovery) and this adds a layer of complexity because of the sheer volume of information: data minimisation, secure transfer and secure storage are all harder to get right at that scale.
Discuss the latest GDPR news
The biggest news stories that come from the GDPR legislation tend to be about court cases and fines, but it is always worth keeping an eye on the news in case something big happens - like another company being fined for breaching data protection standards, or another jurisdiction adopting GDPR-style legislation or receiving an EU adequacy decision.
It is also a good idea to watch for the results of the various legal challenges and appeals that are in progress to see whether the punitive actions are being upheld.
Challenges businesses face in implementing GDPR
In almost every case where an organization has struggled to implement GDPR, a big hurdle has been deciding who is accountable for data protection. The person responsible for monitoring compliance, advising the organization on GDPR matters and acting as a point of contact for individuals and for the supervisory authority is the Data Protection Officer (DPO). The DPO is distinct from the controller: the controller is the organization itself, which decides why and how data is processed, whereas the DPO is an individual (an employee or an external contractor) appointed to oversee compliance and report to the highest level of management.
Article 37 makes a DPO mandatory for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special-category or criminal-offence data; a law firm handling sensitive client data should consider appointing one even where it is not strictly required. Finding the right person for that role - someone with both legal and technical knowledge who can operate independently - is a challenge.
Enforcement is always an interesting subject to talk about, because it shows that even the biggest companies in the world can get it wrong when it comes to collecting and processing data in line with GDPR.
A few cases have garnered international attention because of the huge financial penalties levied. For example:
Amazon was fined €746 million (about £636 million) by Luxembourg's data protection authority (CNPD) in July 2021 over its targeted advertising, which the regulator found was carried out without valid consent; Amazon has appealed.
WhatsApp was fined €225 million by Ireland's Data Protection Commission in September 2021 for transparency failures in how it told users and non-users how their data would be shared with other Facebook (now Meta) companies.
H&M was fined €35.3 million (about £30 million) by the Hamburg data protection authority in October 2020 for extensively recording details of employees' private lives, including illnesses, family problems and religious beliefs, at one of its service centres.
Examples of successful GDPR implementation strategies
In counterpoint to the violations, the more that you can describe about what successful GDPR implementation looks like the better.
Specific examples can be found online, or you may be able to describe something from your own previous experience: for instance, an organization that maps its data flows, keeps its records of processing up to date, runs data protection impact assessments before introducing new systems, and has a tested breach-notification process that can meet the 72-hour deadline in Article 33.
GDPR and Brexit
The last thing to be conscious of is that the UK still has GDPR, despite no longer being in the EU.
GDPR was retained in UK law by the European Union (Withdrawal) Act 2018 and then amended by a statutory instrument, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, to create what is now known as the UK GDPR; this sits alongside the Data Protection Act 2018, which supplements it.
In essence, the substantive rules a UK firm must comply with are almost unchanged since Brexit. What has changed is the architecture: the ICO, rather than an EU supervisory authority, is the lead regulator; transfers of personal data between the UK and the EU depend on each side's adequacy decision (the EU granted one to the UK in June 2021); a UK firm that serves people in the EU may need to appoint an EU representative under Article 27 and answer to EU regulators as well as the ICO; and the two regimes can diverge over time as the UK amends its own version.
If you want to be seen as commercially aware in your law interview, having a thorough knowledge of GDPR will come in useful. Be prepared to demonstrate that you understand the seven principles, recognize the importance of excellent implementation, and the possible penalties for getting it wrong - and you will be able to discuss the legislation in a way that is both relevant to the organization and to the wider legal industry.