Does GDPR mean you have to destroy your wills and conveyancing deeds?
Unless you’ve been living under a rock, you’ll know that, from May, you’re going to need to up your game when it comes to the information you hold on clients. But did you know that any existing consents you think you have might not be enough?
We’re hoping the answer is yes, because there are eye-watering fines for non-compliance. But, if you’re still not sure how the GDPR affects you, don’t panic. We’ve set out what you need to do with all those wills and conveyancing bundles gathering dust in your deed safe.
We’re nice like that.
Just what is the General Data Protection Regulation (GDPR)?
The GDPR has been a hot (and slightly terrifying) topic over recent months. And it’s not surprising to see why. Introduced in response to the rapid growth of technology, the GDPR will add a plethora of new restrictions to the way we all collect, store and use personal data. So, ensuring compliance is a minefield for even the most seasoned of lawyers.
But just like the over-hyped millennium bug, the GDPR isn’t as scary as you might think. And it doesn’t have to keep you awake at night.
Okay. So why are legal professionals so worried?
When it comes to the GDPR, it’s what you don’t know that you should be concerned about. And, even then, when it comes to complying with the new regulation, awareness is one thing, but application is another.
Keeping things simple, here are the essential requirements:
- Enhanced rights when it comes to how data can be stored and what data may be retained (more on those wills and deeds bundles to follow)
- More rigorous processes when it comes to data privacy
- Enhanced access rights to personal data for individuals
- The need to keep personal data accurate and up-to-date
- The provision of meaningful information explaining how an individual’s data will be used
- Robust procedures for detecting, reporting, and investigating any data breaches
- All consent must be “freely given” and can’t be inferred from silence, inactivity, or pre-ticked boxes
- Separate approvals required for different processing purposes
- Strict rules to ensure you are guarding against data breaches.
Obviously it’s a bit more complicated than that, and you’ll need to find out more to ensure compliance. But to protect your business, it is vital to act now. Because time is running out.
Right, but what about those wills and deeds?
Okay, so you’ve got a safe room full of wills and deeds, and you can’t get hold of everyone to get renewed consent. Do they need to be destroyed? Because that could cause real problems later on. Let’s face it, if someone dies and you have gotten rid of their Will, that’s not going to make anyone happy.
In a nutshell, no.
Under the GDPR, consent helps to put individuals in charge. But, while it sets a high standard, you don’t always need it. In fact, as long as you have a different lawful basis for holding client information, you won’t have to get the shredder out.
So, if you are holding wills or conveyancing deeds, there is already a legal obligation for you to store it for a certain amount of time. The GDPR doesn’t change this.
Are you legit?
Legitimate interest gives another reason for storing and using data without consent.
This just means that you are using people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. But if you can realistically achieve the same result in another, less intrusive way, legitimate interests will not apply.
Think about it like this “would your client be angry or annoyed if you told them about whey you were holding their data?” If the answer is “yes” you should consider obtaining consent. Don’t say we didn’t warn you.
So, document storage is sorted. But what about other data uses?
Okay, so you think you are prepared. But have you considered how you use personal data across all areas of your business? It is fine to keep those wills and deeds in a locked room with the spiders, but if you continue to hold data for marketing purposes without consent, you could be in trouble. And this goes for communications with existing clients too.
To keep on the right side of the regulations, contact your clients now asking for their consent for everything you want. And once received, keep a safe record of it. If you don’t get consent, don’t carry on regardless.
Furthermore, if a client asks for the ‘the right to be forgotten’, you might have to delete all the information you have on them. However, this right not absolute. For example, if you have legal or legitimate reasons for retaining the personal data, their right to be forgotten may not be valid.
Ultimately, the underlying purpose of the GDPR isn’t to be a massive burden on your firm; it’s to enhance the rights of the individual. But, if you’re still uncertain about how to comply with GDPR, check out the wealth of information available on the ICO website, or ensure that you seek advice from reliable sources.