GDPR and the Legal Sector: Practical Steps to Compliance


At the moment, everywhere I turn I am met with yet another article scaremongering about the latest General Data Protection Regulation (GDPR). I’ve heard stories of fines for non-compliance of anything between 4% and a whopping 10% of global turnover, as well as rumours that Brexit will provide some sort of respite from the new regulations.

As a managed IT provider operating within the legal sector, regulatory changes such as GDPR impact Nasstar’s client base heavily. As a result, we have put together the following practical guide to help separate the fact from the fiction when it comes to GDPR and ensure firms are equipped with all the knowledge they need to be compliant when the 25th May 2018 rolls around.


First of all, what is GDPR?

The GDPR becomes part of UK law (and EU law, which also reaches organisations outside the EU) on the 25th of May 2018, and from that date your company is legally bound by it; there is simply no getting away from it. The GDPR, put forward by the European Commission in 2012 and finally agreed by the European Parliament and Council in April 2016, replaces the Data Protection Directive. Although many companies have already adopted privacy processes and procedures consistent with the existing Data Protection Directive, the GDPR contains a number of new protections for data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018.

In less than 400 days' time the regulation will come into force, and the fines for non-compliance are up to €20 million or 4% of global turnover. Those who think that Brexit will have any impact on GDPR need to think again: the UK is now likely to leave the EU in 2019, whilst GDPR applies from 2018. Therefore, whilst the UK is still in the EU, the new legislation will apply.

Solicitors are already subject to the Data Protection Act 1998 and a number of professional obligations surrounding data protection, and none of this changes with GDPR – it simply amplifies the need to take it seriously. Solicitors already understand the security obligations they are under, particularly when it comes to IT-related data, and many may already have further protection methods and guidance available to them via their managed IT provider, as Nasstar clients do.

However, for those who need further guidance, the following steps cover the GDPR basics, explain how it will affect the legal sector specifically and offer some practical tips from a legal industry perspective.

  1. Have an action plan – break your plan down into manageable chunks and prioritise them accordingly.
  2. Gather consent – you need to start gathering consent now for all of the operational records you currently hold on file. Contact the parties concerned and ask for their explicit consent to hold their data.
  3. Use the right technology – if you have a web portal that lets your customers, employees and candidates register with you, it needs to be updated so that it explicitly asks for their consent when they register with your service. Having the right systems, integrating them and automating the process behind the scenes will remove some of the headache.
  4. Delete records – you need to delete the records of anybody who has not given consent by 25th May 2018 in order to be compliant. A seriously inconvenient process by any measure, but a necessary one if you are to remain in compliance with GDPR.
  5. Ensure data can be deleted, viewed or transferred on request – you need to make sure that all of your records are easy to view, delete and transfer upon request by any party, so that it is as easy to withdraw consent as it is to give it. This means that your systems, your web portals and your CRM systems need to take this into account and make it easy for customers and employees to view their records and manage their consent around those records.
  6. Ensure you have best practice security measures in place – if you do suffer a breach, it is already going to be bad, but you will make it even worse if you cannot demonstrate that you have taken steps at every level to ensure that adequate security measures were in place. If you are breached but have taken all of the reasonable steps you could as far as your security is concerned, you will not get fined.
  7. Get advice – make sure you sense-check your action plan with specialist lawyers who can identify anything that is missing before you get embroiled in the process.
  8. Nasstar is currently helping a number of our customers get to grips with GDPR, and our professional services team are experts on the details of the fine print. Nasstar's professional services team offer a consultative approach with solutions such as automation, data cleansing and integration of systems to streamline the process of gathering consent.


About Nasstar plc

Nasstar provides hosted managed and cloud computing services, integrating private and public clouds to supply a robust, secure and stable hosted Information Technology service to business customers. Nasstar provides a true end-to-end service for clients, giving them enhanced IT performance and greater cost control over their IT function. Nasstar owns its primary data centre, is headquartered in Telford with regional offices in Northampton, London and Bournemouth, whilst 24x7 support is delivered from its Auckland office in New Zealand. Nasstar is an accredited Microsoft Gold Partner, is the 2016 Citrix Networking Partner of the Year and is certified to ISO 27001.

Nasstar is an established and well-regarded IT services provider to the legal sector with more than a decade's worth of experience supporting barristers, solicitors and legal professionals with their IT needs. Our legal team has worked with a large number of law firms and chambers to deliver cloud-based IT solutions that are specifically tailored to the legal sector.

