SECURING CLIENT-LAWYER COMMUNICATION IN THE NEW DATA PROTECTION ERA

Categories: 

SECURING CLIENT-LAWYER COMMUNICATION IN THE NEW DATA PROTECTION ERA

Blog post by Ioanna Zacharopoulou, Trainee at LexDellmeier IP Law Firm

In light of the new General Data Protection Regulation (95/46/EU), which will be enforceable from 25 May 2018, the Council of Bars and Law Societies in Europe (CCBE) and the Munich Bar Association both published rough guidelines regarding the steps every law office should take in order to comply with the new rules set by the EU. Aim of the Regulation is to further unify and simplify the legal status quo in the EU, this time by setting the lawyer-client relationship in the center of attention.

 

                                                                                                                                                                                                                                                     

                                                                                                                                                                                                                                                     Source: Pixabay

 

Protecting and ensuring the confidentiality between the lawyer and the client is the key in finding eligible solutions - both on technical and legal level – on the matter of data protection. What is critical is finding a balance between professional secrecy and governmental surveillance especially when the latter of which could lead to unwanted third-party interference. The bearers of such responsibility are first and foremost the law firms, who have to take measures to safeguard their professionalism, whilst providing a safer communication environment.

 

I. First Steps

First and foremost a minimum level of IT knowledge from the part of the lawyer is required. In that way, they will be able to have a clear overview of the procedure of protecting their firms and - most importantly – avoid personal responsibility for possible lack of IT security. Recruiting an IT specialist who would be able to directly apply security services is practically deemed mandatory. Furthermore, according to Article 17 of the new Regulation every state itself must provide the addressee (in this case the lawyer) with all means necessary to safeguard the circulation of data. A vocational training of the personnel is recommended to ensure the compliance to security standards and the clarification of important strategy points. Applying already tested and recognised security systems is always helpful in increasing the credibility of the firm, as well as the level of trust from the part of the client. It is also vital for the latter to be notified of the firm’s modus operandi with respect to his right of choosing a law firm that meets his criteria. Lastly, the identification of key assets, such as important client information and documents, which need to be secured, is deemed necessary as the starting point of the data protection procedure.

 

II. Suggested Measures

Below follows a list where the most important measures are displayed in a suggested chronological order:

  • Data protection: A thoughtful and organised data protection policy begins with the education of the lawyer on the matter. All lawyers must possess at least minimum knowledge of what data protection really means, what the new Regulation is about and most importantly, what penalty follows the complete and irretrievable loss of data.

 

  • Safe communication: At this point, the use of an encrypted password in all communications is of vital importance. A further measure could be the storing of client data in clouds.

 

  • Data-handling with the help of service contractors: Trustworthy service contractors who can process and safeguard important client information are perhaps the most important step a professional could take to protect his clients.  Nevertheless, a written declaration of consent to the processing of their data from the part of the client is also advisable as a means of complete protection of the lawyer and his associates from unwanted legal disputes.

 

  • Data-handling through employees: All the staff working at a legal firm should be thoroughly informed and strictly follow certain rules based on lawyer-client confidentiality. Disclosure of client information to third parties must be avoided at all costs.

 

  • Processing directory: Article 30 of the General Data Protection Regulation (GDPR) requires the writing of a directory for every involved supplier connected with data processing and data protection in general,  which can function as written evidence for the legitimacy of the procedure.

 

Plus 1

In Germany, the Federal Data Protection Act regulates the data protection policy and offers an additional safety net for legal practitioners.

 

  • Data protection officer: § 4f of the Federal Data Protection Act (BDSG) orders the employment of a data protection officer for firms that consist of a more than 9 people staff. Reliability and technical proficiency are crucial requirements.

 

III. Conclusion

Even with all these measures taken, absolute protection of information cannot be achieved, as there are still many technical obstacles. However, the importance of the new GDPR cannot be questioned, since it not only raises awareness on the matter, but also enforces  minimum protection standards for law firms and businesses in general. The most essential thing remains the updating of clients on the measures taken to protect their data and the procedures that are followed. Trust between the lawyer and the client is a major factor in safeguarding professional confidentiality and the lack of it can lead to criminal prosecution of the lawyer according to Art. 203 (1) 3 of the German penal code. Protection of privacy is after all a fundamental human right, a principal of the Rule of Law, solidified in Art. 8 of the Charter of Fundamental Rights of the European Union.

More information can be found here:

http://www.ccbe.eu/fileadmin/speciality_distribution/public/documents/SURVEILLANCE/SVL_Position_papers/EN_SVL_20160428_CCBE_recommendations_on_the_protection_of_client_confidentiality_within_the_context_of_surveillance_activities.pdf

https://rak-muenchen.de/rechtsanwaelte/mitgliederservice/datenschutz-in-anwaltskanzleien.html