Free GDPR Guide for Law Cost Draftsmen Firms


The new General Data Protection Regulation (GDPR) applies from 25 May 2018 and brings with it significant changes for Law Cost Draftsmen firms. In this article we explore what those changes are and how you can prepare for them.

Under the Data Protection Act 1998 only data controllers could be sanctioned by the Information Commissioner's Office or sued by a data subject. Law Cost Draftsmen firms are protected from sanctions as their role as a data processor does not attract such liability. That all changes with GDPR.

Under GDPR Law Cost Draftsmen are significantly more exposed as both the data controller and the data processor are liable to sanctions by the ICO.

Under GDPR Law Cost Draftsmen can be:

- Fined up to €20 million or 4% of turnover, whichever is higher
- Sued by a data subject
- Sued by their own client law firm
- Named and shamed by the ICO, damaging reputation
- Audited by the ICO

GDPR represents an enormous sea change in data protection law, bringing with it a multitude of new obligations such as reporting data breaches within a short period of time, record keeping and the appointment of a data protection officer.

The ICO are currently on a recruiting drive, recruiting 200 new staff in the run up to GDPR. In June 2017 the ICO appointed James Dipple-Johnstone as Deputy Commissioner Operations. His previous role was the Director of Investigation and Supervision at the Solicitors Regulatory Authority.

A simple mistake is all it takes

There is a myth that data breaches are the hacking of computer systems. The vast majority of data breaches are due to human error; a simple mistake such as sending an email to the wrong person is all it takes to bring catastrophic consequences.

- A solicitor sent an email to the wrong client. Result: a £120,000 fine under the Data Protection Act 1998. This fine is estimated to be around £4 million under GDPR.
- In May 2017 a senior barrister was fined £1,000 by the ICO after 725 unencrypted documents containing sensitive data were temporarily uploaded to an internet directory as a back-up during a software upgrade. This fine is estimated to be around £35,000 under GDPR.

Right to sue by the data subject

Data subjects have a statutory right to sue for data breaches under GDPR. It has been suggested that data breaches could well be the next PPI. With their large databases of thousands of customers, Claims Management Companies (CMCs) are already looking for the 'next big thing'.

When a data breach happens the following occurs:

- Mandatory reporting of data breaches
- The ICO issues data breach press releases following enforcement
- Data subjects have the right to sue under GDPR

It does not take much for CMCs to monitor press releases and send a mailshot to their databases of thousands of customers. A single data breach has the potential to affect every person you hold data on, resulting in potentially many claims being brought against you.

Damage to your reputation

With the ICO naming and shaming in press releases, many companies have found their data breaches the subject of a considerable number of news stories, which are then shared far and wide across social media at incredible speed.

Such a news story is not only likely to cause severe damage to relationships with your current clients but will also limit your ability to secure new clients.

A small error by any member of staff is all it takes for you to face huge fines, civil litigation, severe damage to your reputation and loss of clients, ultimately putting you out of business.

What can you do to protect yourself?

There are a number of key actions you can take which will not only minimise the risk of a data breach but will put you in a strong position should you come under investigation or be exposed to a civil action.

- Train all staff in data protection
- Review and implement key documentation
- Carry out a data protection audit
- Consider appointing a data protection officer

Training, Training, Training

The need to adequately train your staff has been emphasised on numerous occasions by the ICO. In the run up to GDPR all staff must be sufficiently trained in compliance, and that training should occur at least annually.

In 2014 the ICO audited a Local Authority and recommended:

'that mandatory data protection training should be given to all staff and that there is regular refresher training which is monitored'

A follow-up audit in 2015 was carried out by the ICO, followed by a further investigation which found that the Local Authority had failed to take adequate steps in its training. As a result, on 09 June 2017, the ICO issued an Enforcement Notice giving the Local Authority 6 months to implement a proper system of regular training. They were very lucky not to have received a fine at this stage; that will be the next step if they fail to comply.

The right training will make staff aware of the risks involved should they make even the simplest of mistakes. It will also help you and your staff understand the risks and obligations under GDPR.

In the event of a breach, the ICO will wish to see records of data protection training for all staff. The ICO comes down heavily on businesses that have failed to provide adequate data protection training. Providing training on an annual basis is an excellent grounding for withstanding any potential ICO investigation.

Review and implement all your internal and external policies and agreements

Review all of your internal and external agreements and policies to ensure they fully comply with GDPR. It is not sufficient just to have suitable policies in place; all staff must be fully aware of and fully trained on what the policies are and what they ought to be doing to comply with them. This will significantly reduce your exposure to risk.

GDPR brings with it the notion of accountability. Any business could potentially be audited by the ICO at any time. You will be obliged to keep a multitude of accurate written records.

By implementing the right documentation, coupled with the right training, you will greatly limit your exposure to liability, reduce the risk of a data breach and aid your defence in an ICO investigation.

Carry out a Data Protection Audit

Law Cost Draftsmen who have concerns that they are not fully compliant should consider a data protection audit. This will identify your weak points in advance of GDPR and allow you to plug the gaps, thus minimising risk. This again will demonstrate to the ICO that you have done everything in your power to meet your obligations.

Data Protection Officer (DPO)

Cost drafting very often involves the processing of special categories of data. You will likely need to appoint a DPO.

A DPO need not be a member of staff, as the role can be outsourced to an external professional DPO whom you can call on as and when you need them.

With an estimated 75,000 DPOs required before May 2018 there is a mass shortage, and businesses are struggling to recruit in this area; it makes sense to train one of your current members of staff or appoint an external professional data protection officer.

GDPR Training for Law Costs Draftsmen

We have had an overwhelming response to our initial article, particularly asking about training. We are running a number of 1 hour webinars (plus questions afterwards) designed specifically for Law Cost Draftsmen. Let us help you through the GDPR minefield and make it applicable for you and your firm.

At GDPR Training Ltd we offer a full range of data protection training courses, data protection risk assessments/audits and professional data protection officer services.

About the authors

John Green is a practising lawyer. John specialises in data protection and costs. John has also run his own law cost drafting business for over 6 years.

Emma Green is a vastly experienced senior IT trainer, formerly of IBM and HP, specialising in cyber security. Emma co-authored the IBM Redbook on security.
