It is not too late for GDPR Paranoia. A time-saving Checklist for Data Security Protection Slackers among IP Practitioners
Public and private societies and other frightened parties around the world even blocked users and shut down their webpages, waiting for GDPR judgment day.
In a time span of only 3 days, I received 250+ additional spam emails requesting my consent to receive email newsletters, most of them from senders I had never heard of before. To many other newsletter providers I had already given my consent, so why do they ask me again now?
The following applies to you if you are an IP law firm in the EU or an IP law firm outside of the EU that works with clients inside the EU.
Some Common Misconceptions
No, the General Data Protection Regulation (GDPR) was not meant to criminalize large parts of the world's economic players.
No, you will not go to jail and you will not receive a fine from the authorities if your data protection measures were not perfect by 25 May 2018. All that is expected of you is to put systems and processes in place to comply with the new regulations.
Yes, if you are a firm that is located in Germany – and only then – you must brush up your firm’s webpage asap.
Yes, in most of the cases of an IP law firm, you can achieve compliance with the new data protection regulations by producing one single written sheet of paper.
Yes, you will need to have some way of encrypting your emails if you deal with clients and customers. But you already had this in place, right?
Yes, you can continue to use the messengers on your smartphone for communicating with clients and customers.
Yes, you will still need to apply common sense when running a webpage or when communicating with clients and customers.
Yes, it makes sense to apply the GDPR rules for your firm, even if you are not working with EU clients. Please continue reading.
Orientate yourself before you go into battle.
We IP lawyers now have 4 (additional) potential enemies:
- the GDPR authorities who can punish us for not complying with the GDPR rules,
- unhappy clients with information about the way we communicate, who can report us to the GDPR authorities for not complying with the GDPR rules. Or they simply walk away because they think that poor data security does not reflect a high professional standard of an IP lawyer.
- unhappy former employees with full information about the way we handle data internally, who can report us to the GDPR authorities for not complying with the GDPR rules,
- a peculiarity unique to Germany: competitors – in theory, other IP firms, but in practice mostly law firms and their affiliated charity organizations that specialize in the commercial warning letter business – can directly assert claims against anyone who infringes any legal regulation in the course of furthering and promoting their business.
GDPR Basic Principle
Keep the following basic principle of the GDPR in mind:
A regulator is not going to say you shouldn’t have had a [data security] breach. They are going to say you should have had the policies, procedures, and response structure in place to solve for that quickly.
I found this citation in a well-researched recent article about the new GDPR. Read it.
How to Comply with the Authorities
The only thing any government official is interested in is whether or not you have a clearly defined path for any detected breach of information to reach the person in your organization who is responsible for reporting this breach to the authorities. Not more and not less.
Make sure that this also includes your freelancers and IT providers, by way of written agreements. Put all this information properly into a Word document so that you have it at hand if you are asked for it.
Make sure that your webpage is clean.
And never send out email campaigns to persons that you do not know from an earlier occasion.
That's mostly it.
How to Repel Warning Letter Trolls
Although this is unlikely, it may still be that some German law firms and their affiliated charity organizations that specialize in the commercial warning letter business (“Warning Letter Trolls”) will check whether there is a Data Privacy Statement and a cookie warning on your webpage. That is easy to comply with, and it is cheap insurance against future threats.
If you don't have one, copy/paste the Data Privacy Statement from our law firm's webpage https://trademarks-patents.com/datenschutzerklarung/ (in German) and alter it at will. If you want an English language version, copy/paste it from some other English language webpage. Remember: a bad Data Privacy Statement is much better than no Data Privacy Statement at all.
Cookies. The European Union provides a free Cookie Consent Kit solution on its webpage. Show it to your website programmer. After some site‑specific configuration, it will add an automatic header banner to your webpage that will disappear once the user has accepted or refused the cookies used on your website.
“Talking” website gimmicks, i.e. those that contact a third party on their own, can be a killer. Examples are Google Fonts or Adobe Typekit. When a visitor's browser loads Google Fonts, it connects to Google to fetch the fonts and, in doing so, transmits your very interesting browser history and other useful data to Google. A proper authorization by the respective user is required for that by law, and this makes sense. The same applies to those fancy moving Google Maps. You don't want such nonsense on your website. Tell your website programmer to remove them or to replace them by an external link with a data privacy warning, see here https://trademarks-patents.com/contact-us/.
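To find such gimmicks on your own pages before a troll does, here is an added check that is not from the original post and not the firm's own code: it parses a page's HTML and lists every resource the browser would fetch automatically from Google Fonts, Adobe Typekit or an embedded Google Map, while ignoring the plain external link the post recommends instead. The host table and the sample page are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts whose mere loading makes the visitor's browser contact a third party.
# Constructed for this example; extend the table for your own site.
THIRD_PARTY_HOSTS = {
    "fonts.googleapis.com": "Google Fonts",
    "fonts.gstatic.com": "Google Fonts",
    "use.typekit.net": "Adobe Typekit",
    "www.google.com": "Google Maps",  # only /maps/... paths, see below
}

class EmbedScanner(HTMLParser):
    """Collects (tag, attribute, url, service) for each automatic fetch."""
    # Attributes fetched on page load; <a href> is absent: a link only connects on click.
    FETCH_ATTRS = {"link": "href", "script": "src", "iframe": "src", "img": "src"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.FETCH_ATTRS.get(tag)
        url = dict(attrs).get(attr_name) if attr_name else None
        if not url:
            return
        parsed = urlparse(url)  # handles https://host, //host and relative paths
        host = (parsed.hostname or "").lower()  # relative path -> same origin
        service = THIRD_PARTY_HOSTS.get(host)
        if host == "www.google.com" and not parsed.path.startswith("/maps"):
            service = None  # other google.com resources are out of scope here
        if service:
            self.findings.append((tag, attr_name, url, service))

def scan_html(html: str) -> list:
    scanner = EmbedScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample: three automatic third-party fetches and one harmless link.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="//use.typekit.net/abc123.js"></script>
</head><body>
<iframe src="https://www.google.com/maps/embed?pb=xyz"></iframe>
<a href="https://www.google.com/maps?q=office">Open map (leaves this site)</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url, service in scan_html(SAMPLE_HTML):
        print(f"{service}: <{tag} {attr}={url}>")
```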
I think the odds against a threat by some Warning Letter Troll are huge. Warning Letter Trolls want easy victories. Those sites with no Data Privacy Statement or no cookie warnings at all or with talking website gimmicks will be their primary targets.
By doing all this, you have also complied with what the GDPR authorities want. It is also highly unlikely that any government agency would have the resources to investigate an unknown number of commercial web pages.
Electronic Communication with Clients and Customers
Common misconception: there is no general duty for lawyers to encrypt all and every communication with clients, at least not in Germany.
But you had better be careful NOT to send out unencrypted electronic communication that contains any personal information, which means
- data that, if it became known to a third party, could substantially impair the social position or the economic conditions of a communication partner,
- data that require higher security or protection because of their special sensitivity and/or their context of use.
You did not send unencrypted personal information over the Internet before the GDPR came into force, so just keep it that way.
Encryption Methods for Emails
There are 3 commonly known ways of sending encrypted information via email:
- use an S/MIME certificate,
- use a PGP key,
- attach a password-protected PDF file which contains the personal information.
Continue to use either one of them for sending any personal information to clients and customers.
You can continue using Internet Messengers but do not send any personal information over unencrypted messengers.
It is said that the Threema messenger provides encrypted communication but I don't believe this.
Use common sense. Don’t send personal information over the Internet.
- Nominate a Data Protection Officer (DPO) in your firm and show him the relevant national legislation of the GDPR, for Germany it is here https://dsgvo-gesetz.de/
- Let your DPO print and read my present little article and also this article https://www.csoonline.com/article/3202771/data-protection/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html
- Together with your DPO: create a simple protocol form for recording potential breaches of data protection and for deciding whether a breach of data protection has happened or not. Find out to which authority you have to report a breach of data protection once it has been identified. The official authority that is responsible for your firm depends very much on where your law firm is located. Put the contact details of the respective official authority into the protocol form. The form will very likely never be used for reporting a Data Security Breach in your lifetime. Use my template protocol form if you want to save time.
- Highlight in the protocol form that your DPO has only 72 hours after identifying a data breach for reporting it to the authorities (for Germany: Art. 33 DSGVO).
- Highlight in the form that your DPO has, in certain circumstances, to notify your clients and customers directly if the data breach is likely to result in high risk to their personal data.
- Create a “process directory” (for Germany: Art. 30 DSGVO), of internal data processing units (company hardware and employees hardware), external data processing units (suppliers), and of communication channels for data exchange (email, messengers, etc.). Use my template protocol form if you want to save time.
- For each process in the process directory, write up “purpose of the process”, “the categories of persons whose data is processed”, “the kind of data that is processed”, “the potential recipients of the data”, “is the data transmitted outside of the EU”, “deadlines for deletion and how they are handled”, “data security measures: encryption, stability, backup” (for Germany: Art. 32 DSGVO).
- Mention in the protocol form that your DPO must update the process directory without delay if he learns of changes in the structure (for Germany: Art. 32 DSGVO).
- Create a recurring prompter in your law firm's deadline book for verifying the “process directory” on a yearly basis (for Germany: Art. 32 DSGVO).
Call to Immediate Action
Chase your website programmer now to start updating your webpage, and start with steps 1 to 3 of the above checklist for complying with all other GDPR requirements.
And don't wait. Otherwise, you run the risk of being singled out.