Steve Kuncewicz discusses GDPR and law firms
Imagine data protection lawyers up and down the country in collective fear of the new data protection regime coming into force via the General Data Protection Regulation (“GDPR”). Notably, in the wake of Facebook and Cambridge Analytica’s harvesting of personal data of millions of Facebook users playing out across national media and even in the US Congress, the issue of personal data and how it’s used has taken on a whole new meaning and found itself jostling for media attention alongside Brexit, Ed Sheeran and certain politicians with a Twitter fetish.
If you’re wondering what the European Union’s (“EU”) GDPR means to you, you’re not alone. Data privacy is nothing new, given that the Data Protection Act 1998 came into force some eighteen years ago. However, awareness of it is generally low, sometimes even across a profession used to coping with obligations of enduring client confidentiality. What you can also look forward to is a new set of compliance demands on your time, potentially driven by a brand new authority figure sitting in the shadows alongside the Compliance Officer for Legal Practice and the Compliance Officer for Finance and Administration: the Data Protection Officer. Not all law firms necessarily need one; however, many may appoint one to facilitate compliance with the GDPR.
And that’s the thing about GDPR: compliance is not, and has never been, optional. One of the most important principles in the new legislation (to be replaced in due course by the UK’s Data Protection Bill, ensuring that its core provisions survive the end of the Article 50 process by transposing much of its detail into UK law) is accountability. Previously implicit under the 1998 Act’s regime, accountability will take on a new meaning post 25th May, as it forces any data controller (including law firms, although their status as a controller or processor has been a subject of some debate) to implement appropriate policies and procedures to ensure and, crucially, demonstrate compliance with the GDPR. Many will see this as yet another administrative exercise, but the Information Commissioner’s Office (“ICO”) doesn’t agree – pointing out that a true commitment to privacy is more than a “tick box” exercise and requires ongoing training alongside engendering a real awareness of the importance of data protection in every member of your practice. We’re used to compliance and regulation, and in time we will get as used to this as we should have been all along.
There will be breaches, and yes – there will be fines. However, the mythical four per cent of global turnover fine isn’t going to be used as a response to every breach from 26th May. The ICO has made it very clear that they prefer the carrot to the stick and are primarily concerned with protecting data subjects (any individual to whom personal data relates). Their aim is to help prevent breaches rather than simply to punish when they happen, and they will follow a careful process when considering how to deal with them. Certainly, how far along your “GDPR Journey” you may be, the state of your information governance and your engagement with them (as with any other regulator) will all be taken into account. After all, transparency is also at the heart of the GDPR.
And about that “GDPR journey”, often compared to the seven stages of grief: your first step after shock and denial towards acceptance is awareness. Recently a barrister was on the wrong end of a £1,000 monetary penalty notice issued by the ICO after client information relating to up to 250 people (including vulnerable adults and children) was accidentally uploaded to the internet when her husband backed up a suite of documents using an online file directory service during a software update on their home computer. 725 unencrypted documents were available online, albeit temporarily, and were visible to search engines. Not only is confidentiality a core duty of counsel, but security is an essential principle of the GDPR, and public trust in the Bar is hard won and easily lost, even if the worst never happened – civil data protection and misuse of private information claims turn, after all, on damages being awarded to compensate for a loss of control of personal data.
We’re used to regulatory change, GDPR being only one example, and if you can’t cope with the idea of respecting data privacy then it’s time to start learning how. The reputational, regulatory and potential financial impact of failing to do so could be every bit as significant in real terms as the grilling Mark Zuckerberg has just sat through. On a cushion.