Preparing your law firm for GDPR
Legal marketers and law firms need to prepare themselves for the EU’s General Data Protection Regulation (GDPR), which will come into force on May 25th, 2018. This comprehensive regulation applies not only to organizations located within the EU but to any organization that collects personal data from an EU citizen, regardless of where the organization is located. Whether your law firm is in Berlin, New York, Toronto, or Vancouver, if you provide legal services to a global clientele you will need to ensure that your firm is compliant.
This article provides a survey of some of the more significant aspects of the GDPR for law firms. It also provides guidance for legal marketers (like us) who are looking to comply.
Contents of this guide include:
- Background on the new regulation
- What is the GDPR?
- 5 ways GDPR will impact law firms and legal marketers
- Penalties for failing to comply
- Reacting strategically to the new marketing landscape
- Additional Compliance Resources
As legal marketers and consultants headquartered in Canada, we are familiar with complex government regulations that have a direct impact on marketing legal services, namely the Canada Anti-Spam Law (CASL). We have drawn on our own experience navigating new data legislation to generate this guide. Canadian and American law firms should be aware that the GDPR will apply to their dealings with European clients and contacts.
We may not have a choice about complying with GDPR, but we can choose to approach these changes strategically, turning regulatory risk into an opportunity to streamline operations and refine our legal marketing.
Background: new protections for a data-driven world
In this digital world, every move we make, from using a GPS app to plan a trip, to clicking a link, to using a smartwatch to track swim times, has the potential to be tracked, measured, and converted into data. As marketers, we already know just how valuable actionable information about people can be. Detailed information about customers, clients, and purchasing behaviour has long been used to tailor marketing campaigns to move a product or, in our case, promote a law firm. But increasingly, data is no longer a supplement to the buying and selling of products and services: it is the main event.
Some of the most notable business success stories of the past decade, companies like Amazon, Google, and Uber, are stories about unlocking the value in user-produced data. Facebook is both a social network and a data-harnessing machine, gathering information on approximately 2 billion active users. The company has built its multi-billion-dollar empire on brokering access to a vast repository of market data.
In the legal sphere, innovative CRM companies have developed systems that allow law firms to manage and leverage extensive quantities of client information. Retail, transportation, legal: every industry is drawing the same conclusion. Data is a valuable resource.
But while the price of oil rises with scarcity, the value of data rises as it proliferates and, unlike oil, there is always more.
Anything valuable is at risk of being hacked and stolen or simply sold. Concerns about information privacy are high. A Consumer Privacy 2016 study by TRUSTe/NCSA found that “45% [of respondents] are more worried about their online privacy than one year ago” and that “74% have limited their online activity in the last year due to privacy concerns”. High-profile data breaches, such as 500 million Yahoo accounts being hacked in September 2016, have eroded public trust in the abilities of even the largest and most technologically advanced corporations to effectively safeguard personal accounts.
With the amount of personal and behavioural data constantly growing, and corporations finding new ways to capture and harness it, unions like the EU, with GDPR, and countries like Canada, with PIPEDA and CASL, have stepped forward with new regulations that aim to provide individuals with greater control over the information being gathered about them and the information being conveyed to them.
This will have extensive ramifications, not just for businesses, law firms, and legal marketers in the EU, but for organizations operating across the world.
What is the GDPR?
The General Data Protection Regulation is intended to safeguard EU citizens from privacy and data breaches. It will standardize privacy legislation across all 28 member states of the EU.
GDPR aims to give users and consumers greater control over their personal data. Law firms will need to build privacy settings into their firm websites and have them turned on by default, while legal marketers will need to ensure that they are abiding by the anti-spam regulations and obtaining clear consent from clients. Without documented consent, legal marketers will be prohibited from marketing to an audience. Both law firms and legal marketers will need to assess their privacy policies, ensure that they have permission to use data, maintain a record of data and data use, and communicate any data breaches within 72 hours of becoming aware of a breach.
Why is this happening now? The previous directive was not binding. And it was outdated, having been established in 1995, a simpler time before smartphones, social media, automated marketing, and advanced web tracking.
Unlike the previous directive, the GDPR will have real teeth, and the Information Commissioner’s Office (ICO) has demonstrated that it is willing to penalize companies and organizations that do not comply with the current regulations.
1. Permission Marketing
Even if you are sending high-quality marketing material, such as a law firm newsletter or invitation to a firm event, you can’t assume that people want to be contacted by you. Under GDPR, you will need to obtain consent before adding anyone to a database or email list: “There must be a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity”. Marketers should also aim to keep records to evidence consent: “who consented, when, how, and what they were told”.
The ICO has provided a helpful Consent Checklist (on page 38).
Newsletters and Email Marketing
Every legal marketer knows the value of a robust mailing list.
The GDPR is not about regulating the sending of emails, per se. But individuals’ email addresses, telephone numbers, addresses, etc. all fall under the category of personal data. And the GDPR is quite specific about how this data can be handled. As with all data processing, the initiatives you take to grow your email list should be fair, legal, and transparent. Basically, you should be able to answer this question clearly: “How did you get a hold of my email address?” The best answer is: “You gave it to us because you wanted us to keep sending you great content.”
If you’re looking to grow your mailing list with EU contacts, you will need to use a specific, prominent opt-in. Prospects and clients need to make a clear choice to be regularly contacted. Downloading a whitepaper or entering an email for billing does not mean that they wish to be placed on your monthly mailing list, as the ICO highlights that data-processors (e.g. marketers) need to give granular options to consent separately for different types of data processing (e.g. making use of email addresses).
So how do you grow your firm’s mailing list? You will need to ask prospects and clients to choose to opt-in, by ticking a clearly labeled sign up box. The GDPR clarifies that pre-ticked opt-in boxes are not indications of an individual’s consent.
To comply with GDPR, legal marketers will also need to give users the ability to unsubscribe or edit their personal data at any time. If they unsubscribe, you will not be able to contact them again to ask them why they left or to ask them to re-subscribe. You also cannot email non-subscribers to ask them if they would like to subscribe, as this is considered a form of marketing under the upcoming GDPR (see the cautionary tale of Honda below).
If the ICO decides to audit your firm, the burden will be on you to prove that every individual on your mailing list has opted in to receive marketing materials. Unless the firm is a small operation, even the most organized of legal marketers will undoubtedly struggle to keep track of all this information in spreadsheets. A CRM system could prove useful.
How the Guardian manages email subscriptions
Let’s look at an example of an organization that has taken steps to ensure GDPR-readiness. When it comes to e-newsletters, the Guardian is clear and transparent about what sort of information subscribers are consenting to receive.
The Guardian goes beyond this, allowing users to choose for themselves the topics they wish to be notified about. This is called an account or subscription preference centre and it is a great way to meet the regulatory challenges while still getting firm material into the hands of subscribers.
There is also a drop-down menu for each of these topics. Subscribers can read a brief description of the subtopics, see how often they will be emailed, and even view an example email. These features allow subscribers to remain in control of their subscription preferences.
The Guardian also makes it easy for users to cancel their subscription or to delete their account.
Legitimate Interest: can I directly contact a new prospect?
In some cases, the answer will be yes, but you will want to tread lightly. In brief, Article 6 of the GDPR sets out six conditions for achieving lawful bases for data processing (e.g. emailing a prospect). One of these, 6(f), is “Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.”
Permission-based marketing can be time-consuming and expensive, so it will be tempting for marketers to try and find refuge under the legitimate interests condition. But this is not some sanctuary where marketers can get away with anything. The ICO sets a high bar for demonstrating that data processing (e.g. emailing) is necessary. Even if it is necessary for the success of your marketing campaign, it would have to be weighed against the “the interests or fundamental rights and freedoms of the data subject”.
The ICO notes in its Lawful basis for processing article that “This can be broken down into a three-part test:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?”
In plain talk, if you are emailing a prospect or a contact, you should be sure that they are likely to benefit from receiving your industry-related offer. The purpose of your email should be directly connected with the industry, interests, or specific business concerns of your prospect.
So if they ask “how did you get a hold of my email address?”, you should be able to respond with something like: “You expressed interest in attending our firm’s seminar on developments in mining law. While we didn’t get a chance to meet you, we thought you might be interested in receiving this mining law whitepaper.”
What about cold emails, are these allowed?
Again, the short answer is yes, direct marketing can qualify as legitimate interest. As the ICO notes: “You can rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.” But you’ll want to be careful, as the interests of the recipient will always supersede your interests as a marketer.
Basically, this means legal marketers can’t send thousands of cold emails to random inboxes in the hope that something sticks. (And hopefully, your marketing is already more targeted than this). You should aim to provide clear value in your emails so that prospects are not confused about why you are messaging them.
Here is an example of justifying a cold email so that it meets the legitimate interest requirement:
“I saw that you shared one of our articles on pharmacy regulation on LinkedIn. I checked your profile and confirmed that you are the owner-operator of an independent pharmacy. You accepted my connection request on LinkedIn and I downloaded your email address so that I could invite you to attend our upcoming pharmacy law seminar, which is designed to provide insights for owners like yourself.”
Now, you won’t have to type that sort of message into each email directly. But that is the sort of granular justification of consent you should be able to provide, should the ICO, or another associated regulator, audit your marketing approach. And again, proceed with care. Avoid sending more than one cold email to a prospect and certainly do not add them, without their express consent, to any regular mailing list.
It is worth noting, as well, that the UK has Privacy and Electronic Communications Regulations (PECR) that will enjoy a complex and intimate relationship with the GDPR. The effect of Brexit remains to be seen, but a new Data Protection Bill makes it appear that the UK remains committed to more rigorous data privacy protections.
As tech-savvy legal marketers ourselves, we know how powerful automation can be. As a recent MailChimp ad quipped, automation is “like a second brain for your business”.
We’re going to need to be more careful watching what that “second brain” is doing and saying. If your marketing software sends out an email on behalf of your CRM to someone who has not opted in (or, even worse, has explicitly unsubscribed), your firm could be in for a headache-inducing fine from the ICO.
Marketing automation can make our lives as legal marketers a good deal easier. But with regulations like GDPR and CASL (in Canada) coming into play, we need to be diligent about ensuring that everyone in the automation system has opted in to receive our marketing communications.
If someone opts-out of a mailing list, we need to respect their choice and refrain from contacting them again, no matter how eye-catching our latest e-card or newsletter.
A Note on Consent for Lawyers and Law Firms
Consent under GDPR requires clear, deliberate action and this has ramifications for legal marketers. But as Elizabeth Denham, Information Commissioner of the ICO, notes, “Consent is one way to comply with the GDPR, but it’s not the only way.”
While legal marketers will largely have to rely on consent for a lawful basis for data processing (and this would include mailing lists and the like), law firms and lawyers will find provisions for lawful data processing that are not based on obtaining client consent.
For example, these categories constitute a lawful basis for processing personal data:
6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
2. Access to Data
Under GDPR, your law firm’s EU clients and contacts will have the right to know whether their personal data is being processed and for what purpose. If requested, you will have to provide them with a copy of their personal data, in an electronic format, and free of charge.
Right to be Forgotten
This Right to be Forgotten is one of the most significant rulings in privacy law and it has a central role in the GDPR. When a Spanish man sued a Spanish newspaper’s website and Google Spain in 2014, the European Court of Justice ruled that there is a “right to be forgotten” and that people have the right to have inaccurate or outdated personal data removed. In some cases, companies like Google have been forced to scrub pages from their search results. The law here is complex. An individual’s right to be forgotten has to be balanced against “the public interest in the availability of the data”. Article 17 of the GDPR discusses the conditions for erasure in greater detail. Be aware that if your law firm is asked by an EU citizen to remove personal information from your website, this aspect could come into play.
Here too, the Guardian can serve as a useful example. Users wishing to delete their account are informed about what information this will remove and what will persist or require further action to delete. Deleting an online account, for example, removes personal information from the Guardian database and the same email cannot be used to re-subscribe. Posted comments, however, will remain under articles, as they are considered a part of the historical record.
3. Data Minimisation
Do you really need to know a prospect’s birthday and home phone number before they download that whitepaper? The GDPR will require legal marketers and law firms to be ready to justify the personal information they are collecting and to “hold and process only the data absolutely necessary for the completion of its duties (data minimisation)”.
As legal marketers, we want to know everything we possibly can about a prospect: where they work, who they work with, where their business interests lie and with whom, all so we can tailor our pitch and maximize opportunities for cross-promotion. With GDPR coming into force, we may have to let go of some of this information. But there are still opportunities to gain valuable insight into the preferences and needs of a target audience: you can provide them with the opportunity to opt in to receiving updates on different subjects. Rather than forcing people to provide information on a form, or collecting data without their knowledge, legal marketers will need to offer individuals the choice to opt in or not. Consider implementing a preference management system.
4. Notification of a Breach and Security
The world of big data has brought about a tsunami of big data breaches. According to the Guardian, the consulting firm Deloitte was recently the target of a hack that “compromised the confidential emails and plans of some of its blue-chip clients”. With their sensitive client data, law firms make a tempting target for cybercriminals. In 2016, Chinese hackers were charged with breaching the security systems of two top merger-advising firms in New York. The stolen data was promptly used for insider trading, which earned the hacker trio profits of $4 million.
Under the GDPR, if a company’s (or a law firm’s) records are breached, the organization will need to notify those impacted if the data is of a personal nature.
Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours and to affected individuals without undue delay.—eugdpr.org
The GDPR also makes it clear that data “controllers” (e.g. law firms) are responsible for implementing the appropriate measures and procedures “in order to meet the requirements of this Regulation and protect the rights of data subjects”.
5. Appointing a Data Protection Officer (DPO)
This new regulation comes with a new position, the Data Protection Officer. This role carries specific qualifications and responsibilities and a degree of independence. The position can be filled internally or by an external consultant (already there is a growing side industry of consultants and GDPR compliance experts).
Not all EU businesses and organizations will require a DPO. What about law firms operating in the EU? That may depend on the nature of the firm.
The GDPR requires that a DPO be appointed where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
While it is obvious that a law firm specializing in criminal law will need to appoint a DPO, it is not immediately clear whether a small firm focused on business law will be required to do so. As Owen O’Rorke, an associate at Farrer & Co, observes in a useful article on the subject of DPOs, “It is therefore by no means settled whether all law firms will need to appoint a DPO within the strict meaning of the GDPR. What is certain is that it will be basic good practice to task an appropriate and qualified person with leading compliance efforts, and they will need to be sufficiently senior or have management support”.
Penalties for failing to comply
While the previous regulation was not binding, once May 2018 comes around GDPR will be. Failing to comply may result in significant penalties for truant law firms.
Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).—eugdpr.org
With such significant penalties, and with the deadline fast approaching, many businesses and marketers are panicking and scrambling to comply. The rumours aren’t helping, especially when many are about these massive fines.
It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us. It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law. But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.—Elizabeth Denham, Information Commissioner of the ICO
Law firms and legal marketers shouldn’t panic, but they do need to move quickly to ensure that they have their procedures and records in order. While Denham claims that the Information Commissioner’s Office (ICO) has “always preferred the carrot to the stick”, a quick tour of the ICO’s Enforcement Action page will reveal quite a few instances of the stick being used on companies, individuals, and even non-profits (like the National Society for the Prevention of Cruelty to Children (NSPCC) which was fined £12,000 for failing to follow data protection rules).
It is true that the ICO rarely hits an offending party with the maximum fine. It is also true that GDPR has a wider scope and carries more serious penalties than the directive it replaces.
Honda Motor Europe seeks permission and gets a fine
Scrambling to comply, unfortunately, might be the very reason several high-profile companies have run afoul of the ICO. In the summer of 2016, Honda Motor Europe sent out an email to their customer mailing list to try to comply with data protection laws. The email asked customers the question: “Would you like to hear from Honda?”.
At first glance, this might seem like just the sort of permission-based marketing that GDPR aims to encourage. The company was asking for customer permission, right? Yes, but “this e-mail was sent to those individuals on the database where no “opt in” or “opt out” information was held.”
Without consent, a company is not permitted to email individuals, even if that email is a request for consent. Honda was fined £13,000 for their mistake.
Legal marketers need to pay careful attention to their marketing activities, especially once the far more stringent GDPR comes into full force May 2018. And remember, even if your law firm is in the US or in Canada, if you practice in the EU or represent EU citizens, you’ll want to reassess your data privacy policies.
Don’t Scramble. Strategize.
If you’ve read this far, you can be forgiven for feeling slightly overwhelmed, maybe even a little panicked about getting a €20 million fine in the mail this spring. The good news is that you are aware of what lies ahead (unlike 84% of small UK business owners, who are unaware of what’s coming).
The second bit of good news is that complying with GDPR could be the jolt your law firm needs to begin improving its cybersecurity and data-handling practices.
It’s an opportunity for innovative legal marketers to move away from stale practices like sending out generic email blasts. Instead, we will have to implement truly permission-based marketing programs and foster client loyalty through conveying real value.
Here are 3 ways to transform what GDPR says you have to do into what’s best to do:
1. You will have to give clients what they want.
You will need clients to opt in to receiving marketing communications, and you need to present your request for consent in “clear and plain language”. So, to grow your contact lists, you will need to produce content that clients actively want to receive from your firm. Forget spamming a captive and disengaged audience; instead, you will need to implement a great content marketing program. This is a golden opportunity to promote your lawyers as thought leaders and your firm’s capabilities.
The ICO has suggested using preference centres or privacy dashboards to give individuals more control than simply saying “yes” or “no”. This presents an interesting opportunity for forward-thinking law firms; why not allow clients to tell you themselves what they are interested in? Client A may be interested in receiving a newsletter about employment law but prefer not to receive updates from the firm’s IP lawyers, while Client B may be interested in being notified about upcoming seminars and events but prefer to be left off the firm’s newsletter list.
Using a preference centre, your firm could allow clients to self-select; not only does this give your clients greater control, it also allows you a valuable insight into their individual interests.
2. You will have to keep good client records.
GDPR strengthens the rights of individuals to withdraw consent, access and rectify the data that relates to them, and even the right to erasure (also known as the right to be forgotten). Under the “accountability principle”, law firms will need to be ready to demonstrate the policies and procedures they have put in place to comply with these data protection principles.
Your law firm will need to maintain accurate client records so that you are ready to respond to an access to information request or erase a contact from all firm accounts. Centralizing all this information in one database or CRM system will help with compliance so that if Client Bob decides he doesn’t want to receive any more updates from your firm, he isn’t messaged five months later from a different firm account.
There are many benefits to having a streamlined client management system beyond avoiding ICO fines: improved firm efficiency, an empowered marketing team, opportunities for cross-selling, the list goes on. GDPR may just be the incentive your firm needs to overhaul its record-keeping system and modernize its business operations.
3. You will have to be a trustworthy resource.
According to a 2017 survey by Gigya, “two-thirds — 68 percent — of consumers are concerned about how brands use their personal data.”
People are concerned about how companies are using their data, and they don’t have much faith in the ability of companies or the government to protect personal data from falling into the hands of hackers. According to a 2017 study by the Pew Research Center, “roughly half of Americans do not trust the federal government or social media to protect their data.”
With privacy concerns riding high, law firms that can demonstrate that they are taking these concerns seriously, treating personal data with respect, and taking every measure to improve cybersecurity will come out ahead of their competitors. Clients will choose to work with the law firms they can trust to protect their best interests. In this digital age, cybersecurity is a synonym for trustworthy.
Smarter marketing for a digital age
The spirit, if not the fine print, of GDPR is quite simple: respect your clients’ information, take steps to protect it, and give them control over how it is used and how they are contacted. Don’t assume that just because someone has done business with your firm they want to receive your newsletter in perpetuity. Send cold emails only when you can justify that doing so is necessary, does not infringe on the recipient’s rights, and when the content is in the recipient’s interests.
Allow individuals to choose what sort of information they will receive from your firm. Take the necessary steps to ensure the privacy of personal data, and consider whether you will need to appoint a Data Protection Officer (DPO) to oversee the handling of any sensitive data your firm may be collecting.
Complying with GDPR will take some work, but if you tackle this challenge strategically your law firm will come through with better client records, stronger data security measures, and a smarter, more targeted marketing program.
Additional Compliance Resources
The international law firm Orrick has put together a GDPR compliance assessment tool which can assist you in identifying, at a high level, your organization’s readiness.
The ICO blog publishes articles on specific GDPR-related issues.
Note: While we work closely with lawyers, we don’t pretend to be experts on the law. Our guide is meant only as a resource. If you have further questions about how GDPR will affect you or your firm, we encourage you to contact a lawyer in your area specializing in data regulation.