
Upcoming changes to the data protection regime in Europe, and the UK, will have a major impact on the legal sector, according to Phil Brining of Data Protection People - and firms would be well served to prepare now.

Whatever type of Brexit the UK is facing, the EU General Data Protection Regulation will have a significant impact on UK firms. 


Past Record

The legal sector has had its run-ins with the Information Commissioner in the past, most famously through the controversy surrounding ACS Law, more recently the undertaking agreed with Martin and Company, and of course the Panama Papers leak.

In 2014/15 the ICO reported that no less than 4.5% of all data breaches reported to it related to solicitors and barristers.  While most of us tend to think of cyber attacks as the biggest risk, the statistics tell a different story - of people and process failures, with the two main causes of reported breach being loss and theft of paperwork, and information being posted or faxed to the wrong recipient.

So how will the legal sector fare under the new regime, the General Data Protection Regulation which is due to take full effect on 25th May 2018?


Key Differences between DPA and GDPR

At first glance the GDPR seems very similar to the existing Data Protection Act (DPA) – it has similar data protection principles, restrictions around transferring data overseas, and obligations to maintain data securely.  The reality is that it is a far cry from the DPA.

There are a few new obligations and some shifts and redefinitions which are easy to spot:

GDPR Mandatory Requirements

  • breach reporting
  • privacy risk-assessments
  • disaster recovery and business continuity measures
  • system and process testing, audit and compliance checking
  • maintaining DP policies and records which evidence Regulatory compliance.

GDPR Prohibitions & Major Changes

  • the definition and scope of personal data (different)
  • what constitutes consent (different)
  • legal rights for individuals (beefed up and extended)
  • the use of legitimate interests as a lawful ground for processing (different)
  • the processing of personal data relating to criminal convictions and offences without “official authority” (prohibited)
  • the use of “legal professional privilege” as a SAR disclosure exemption (gone)
  • transferring data overseas to inappropriate places/people (prohibited).


You still have the ability to determine what is appropriate to your own circumstances but under the new regime you must document your decision-making process and be able to demonstrate that you have balanced the rights of individuals with your own legitimate interests, fairly and transparently. 

"Failure to retain records of your decision making process is a breach"

Failure to retain such records is a breach of the Regulation and that in essence is the major paradigm shift – the need to be able to demonstrate systematic management control over data processes: plan, do, check, act.


Implications for the legal sector

There are some specific challenges for the legal sector – the widespread use of paper for storing information presents challenges regarding access control, security, and retention.

Legal Privilege

The new 5th data protection principle requires data to be rendered anonymous early in its life-cycle – how do you do that with paper?  The removal of the specific 'subject access request' disclosure exemption for legal professional privilege is likely to make more information disclosable than at present. This is likely to affect firms' attitudes towards retention.

The diverse composition of the profession, with global firms and local independent solicitors, means that there cannot be a one-size-fits-all approach.  The carve-out exempting those employing fewer than 250 people from such a detailed level of DP record keeping will provide some respite for the smaller firms – but Brining suggests that clients are likely to drive the standards that such smaller firms will have to comply with.

More costly regulatory intervention

There are those who believe that the largely reactive policing of DP law will mean that GDPR will have little impact.  Yet the Information Commissioner has already taken a more rigorous approach to fines and censure of organisations.  And penalties are set to increase significantly - up to 4% of global annual turnover or €20 million, whichever is the greater.  

There are other changes which mean that the impact of the regulations will be felt by law firms: individuals have greater access to compensation, including class actions; and more organisations are subject to the fines regime.  For instance, data processors such as cloud providers or payroll companies (or indeed law firms appointed by their clients) bear equal liability for penalties and compensation and will be pushing back on indemnities and the scope of their contracts.  This supply chain pressure will be a significant factor.


Brexit implications

There is enormous uncertainty about how Brexit will affect the UK's legal framework.  The timetable for the triggering of Article 50 suggests that the UK will leave the EU on or around March 2019, which means that there will be a period of about a year when the GDPR will directly apply to UK controllers, processors, and data subjects.

Lockton can advise you on your approach to managing information security and cyber risks.  

Data Protection People are specialists in data protection. Their aim is to help organisations to reduce the risk of non-compliance, to get the best from their data, and to ensure it is always processed legally.

For more information please visit www.dataprotectionpeople.com, call on 0845 519 8705 or email info@dataprotectionpeople.com