How can law firms comply with GDPR?

The EU General Data Protection Regulation (GDPR) went into effect on May 25, 2018, defining how personal data must be stored, used and processed. This means EU citizens can influence who manages their personal data and in what way. These rules affect all organizations working with EU citizens’ personal data.

Data controllers failing to comply with the new regulations may face fines of up to 20 MEUR or 4% of annual turnover. Also, depending on the local data protection legislation, there might be additional penalties or even personal responsibility.

Law firms working on civil and criminal cases store and process sensitive client information, which is often related to persons’ rights and freedom. Under the GDPR, loss of such information must be immediately announced to the client, which, in addition to penalties, might cause irrecoverable damage to the law firm’s reputation. Therefore, centralized data management solutions and proper personal data protection become very important. In this article, we analyze how Amberlo helps law firms comply with the main GDPR requirements.

Organization and system security


An organization must ensure that personal data is stored, processed and transferred securely. Data security must be an integral part of the business processes, which are constantly monitored and improved.

Amberlo stores all data in the Amazon AWS data center, which meets the highest security standards and provides active protection from security breaches. Data and backups stored on Amberlo servers are encrypted and protected from unauthorized use. Only the system’s administrator has partial access to client data. The most sensitive data (like passwords) is encrypted additionally and is only accessible to the client. Amberlo is continuously developed and improved. Software development, testing, and deployment processes are highly automated and organized in a way that developers do not have any access to client data.

Personal data protection


GDPR requires that personal data be accessible only to certain users and only to the extent necessary. Also, different requirements are set for personal data based on its sensitivity.

Amberlo allows setting individual access rights to modules and data records for each user. This way we ensure that personal data is accessible only to certain users and only to the extent needed.

Data breaches


Under the GDPR, any business worldwide that has EU residents’ personal information compromised is required to notify supervisory authorities within 72 hours of uncovering the breach.

Amazon AWS tools and our Amberlo interactive system monitoring tools register any attempts to compromise or illegally access the Amberlo system and immediately notify the system administrator. In the case of a data breach, we would immediately inform our clients (law firms) about the breach time, extent and affected data, so that they could promptly inform their clients, thus complying with the GDPR.

Consent to process personal data


An organization must receive consent from a person to process his personal data. This consent must clearly state which personal data will be collected, where and how it will be stored, and for which purposes it will be used.

Amberlo allows you to store and quickly retrieve all client agreements. Of course, all client agreements must be adapted to comply with GDPR regulations. During the sign-up process, the client agrees with the Amberlo Terms of Service and Privacy Policy, which define which personal data we store and process. Amberlo stores personal data of law firms’ employees using the system, including name, surname and email address, and uses it to the extent necessary to ensure the uninterrupted provision of Amberlo software as a service. We do not share any personal data with third parties.

Right of access


If requested by an individual, an organization must provide information on which personal data it manages, where it is stored, and for which purposes it is used.

If requested by an individual, a law firm can quickly find all personal data stored in Amberlo, export it to .xls format and provide it to this person.

Right to be forgotten


If requested by an individual, an organization must destroy all personal data.

Amberlo allows you to quickly find and delete personal data stored in the system. Our clients can terminate the Amberlo subscription at any time and request the destruction of all data stored with the client account.

Data portability


If requested by an individual, an organization must provide personal data in a widespread electronic data format so that the person can move the data to another data controller.

Amberlo allows exporting selected data into .xls format so that it can be moved to another data controller.

What does your law firm need to do to comply with GDPR regulations?

  1. Create an Amberlo account and start managing your client data securely and in one place. It will take less than 10 minutes.
  2. Assign a data protection officer who will be responsible for implementing GDPR regulations in your law firm.
  3. Describe procedures for storing, processing and ensuring security for personal data. Store procedures in Amberlo for easy access.
  4. Adapt client contracts to comply with GDPR regulations. Store all contracts and any amendments in Amberlo.

If you have not tried Amberlo yet, you can do so here.
For more information about Amberlo, please visit

Your Amberlo team
