IT Panel blog: GDPR? Never heard of it. What is it?

12 October 2017

Everything in this world is now defined by letters. The letters "GDPR" may have floated into your consciousness over the last few months. What thoughts went through your mind? A new device to improve my appalling broadband speed? A progressive gene snipping tool? An updated sat-nav that stops me driving into a river on my way to a wedding?

Well, quite honestly, it is far more interesting than any of these. Reason? It impacts on your professional life. Every day. And it impacts on your chambers. And the way they operate. Every day. So, what is it again?

A birth announcement.

After years of huffing and puffing, the European Parliament has come up with a new data protection regime. Weighing in at an impressive 173 Recitals and 99 Articles, this baby is no lightweight. In fact, when it comes to the bureaucratic side of things, it is morbidly obese at birth, but it is a genuine attempt to protect the rights of European individuals as securely as possible. But... did we just hear ten thousand sighs and witness a shrugging of shoulders and a finger moving rapidly towards the delete button? Stick with us... seriously, this matters. We will explain why later on.

A little background history.

Originally, the Europeans introduced a Directive on the subject (95/46/EC for the inquisitive). In the UK, this became the Data Protection Act 1998, which we have all been following (well...). 20 years later, there is a new Regulation, the General Data Protection Regulation - GDPR. It will apply in the UK from 25 May 2018.

As European Law practitioners know, a Directive allows an EU Member State to implement such measures as it chooses so long as these are in line with (or better than) the Directive. A Regulation does not confer that freedom. Its provisions are implemented automatically into that State's law - except that the GDPR is the exception that proves the rule. This Regulation is odd. At certain points, it actually allows each Member State to implement its own provisions. A strange mixture. The rationale is that the Regulation was designed to overcome the inconsistency of implementation of the Directive across Member States. At the same time, it allows a limited flexibility to each State to add its own provisions where these do not impact the new, more robust regime as a whole.

Therefore, there is a whole new statute (and undoubtedly a goodly sprinkling of Statutory Instruments) in the making which implements the GDPR and tackles those areas where we are required to legislate for ourselves. Any hope you might have entertained that Brexit would have put paid to the need for a new regime is therefore misplaced. Those of you that have European clients will have to comply with GDPR if you want to retain those clients. The Government has confirmed that the UK's decision to leave the EU will not affect the commencement of the GDPR.

Data protection has been going for donkeys' years - why is it so important now?

Data protection law does what it says on the tin. It provides a legal regime for the protection of individuals' personal information. It is a privacy law.

However, there is a massively increasing trend in this world for people (including Governments) to be contemptuous of other people's privacy. Cyberattacks are now so common that there is a serious risk that you or your chambers will suffer an attack at any time. The big ones reach the press. Remember the hacking of the NHS a few months ago, where the hackers moved in via an unsupported operating system, Windows XP, and disrupted the NHS? A year ago, the telecoms company TalkTalk managed to "lose" millions of customer records to a hacker. In 2015 the Panamanian firm Mossack Fonseca suffered a leak of 11.5 million documents, some dating back to the 1970s, relating to the affairs of their clients. A week or so ago, Equifax (in the US) "lost" 143 million records. Worse still - it is alleged that the Equifax hack was a State-sponsored attack. And of course, Hillary Clinton had a spot of bother in her attempts to reach the White House, caused, allegedly, by Russian hackers.

At the other end of the scale, you, as a barrister, record personal information every day of the week: lay clients' identities, addresses, trade union activities, health status and the like. You can lose that information simply by leaving your laptop computer on the bus. Data not protected by a password? Password easy to guess? Anyone can take a look. If you are punctilious about keeping your laptop safe from theft or absent-mindedness (or you have a desktop), have you ever opened a link in that seemingly innocent email only for it to shut down your system, scramble your data and then go off and infect the rest of the chambers' computers?

Or, more likely, it is "ransomware" - the hacker wants money. So the unfortunate NHS doctors found their screens had been "padlocked" (encrypted - a giant padlock device appeared on screen) and a demand was made for a release fee of $300 in bitcoin (untraceable cryptocurrency), doubling if not paid within 6 days. If they did not pay, all the data would remain inaccessible and lost for good.

Ah, you say, but why would a hacker target me or my chambers? What's in a dusty old inheritance tax case for them? Let one chambers' IT manager answer that: "Most virus writers send out millions of copies via spam relays hoping to hook a few suckers. They have no idea who it's going to hit (even the big NHS encryption virus hit a couple of months ago was most likely just by chance rather than targeted at the NHS)". So you and/or your chambers can be a target anytime, anywhere.

And it does not end with technology meltdown. Do you seriously want to spend time apologising to your clients that all the information they have sent has disappeared at the hands of a hacker? And do you really want to entertain the Information Commissioner's representative to a cup of chambers' tea while you try to persuade him or her that you cannot afford a large fine just this week, as little Tarquin needs a new school uniform? Incidentally, the new GDPR has legislated for greatly increased fines - and clients can likewise sue you for greater amounts than before if their data has not been securely held. The Bar has a formidable and proud reputation which everyone works immensely hard to keep up. Do you want to lose yours?

Thanks for the doom and gloom - what now?

The Bar Council's IT Panel can assist with matters like this. We have completed a Guidance document for you and your Chambers to consult. In the next few issues we will also devote a BarTalk item to an individual area of the GDPR - what was the old law and what is the new position. Since the new statute is under development, we will publish an update at the time it goes onto the statute book.

What issues will we cover? These will include:

(a) Your (or chambers') individual obligations as the person controlling data (or "data controller" in data protection speak). A number of new concepts and responsibilities have been introduced;

(b) Increased visibility and liability of those who might process your or chambers' data ("data processors"). These might be your own chambers (holding and processing your email or storing your files) or payroll providers (processing chambers' information);

(c) Data protection vs client confidentiality;

(d) The data protection principles - how have these changed;

(e) The requirement to delete (or anonymise) personal data which you no longer need to retain, and the benefits of doing so;

(f) Privacy Notices;

(g) Client rights to access data held by you or chambers, or to take it away or to amend it, and the right to be forgotten;

(h) Transfer of data to other countries;

(i) Civil and criminal sanctions arising under GDPR.

We hope that dealing with this subject in bite-size chunks will assist in the digestion of a complex subject. Keep an eye out for the articles and please read and take on board what they say. Think: technical disruption; embarrassment; delays to completing work; ICO fines - not what you need. 

The Bar Council's IT Panel