Guest GDPR blog: Orlagh Kelly - Four changes from GDPR the Bar needs to know about

9 November 2017

Much attention is being given to the General Data Protection Regulation (GDPR), the new data protection legislation that will be enforced in the UK from 25 May 2018.

This blog series is designed to give barristers and chambers relevant, realistic and effective guidance.

Over the coming months we will cover many topics which will increase your understanding of how you can be compliant with the new legislation, and protect your practice. 

Four key changes GDPR brings for the Bar

The basic principles that underpinned the Data Protection Act 1998 remain within the GDPR. In my opinion, there is no great or wondrous change in how organisations and businesses are meant to protect data. However, there are significant changes to the sanctions that can be imposed on barristers and Chambers should you fail to protect a client's personal data. 

  1. Fines under the Data Protection Act 1998 were capped at £500,000. This cap has been raised to £17 million or 4% of global turnover, whichever is higher.

  2. The Information Commissioner's Office (ICO) will now have the power to carry out a data protection audit on any business, and this will include individual barristers or chambers. Anyone who has ever experienced an HMRC audit will attest to the stress this can add to running a practice. GDPR essentially requires that all barristers and chambers are audit ready by May 2018.

  3. Under the old legislation, should you have had a breach (such as losing a brief) there was no legal requirement to report this breach to the ICO. Under GDPR there is a mandatory requirement to report breaches to the ICO within 72 hours. Failure to report the breach is, in and of itself, a breach of the legislation.

  4. Although barristers (as data controllers) could always be fined under the old legislation, Chambers itself (a data processor for barrister client information) could not be investigated or sanctioned by the ICO. GDPR has completely reversed this and now Chambers as an entity can also be investigated and fined, for example, if a clerk loses a brief. 

Real Life Data Breaches 

Barrister reported to Information Commissioner for Breach

A barrister breached the Data Protection Act after failing to encrypt a laptop, containing sensitive personal data, which was later stolen. The laptop was stolen from the home of the barrister in 2009 when she was away on holiday. It contained personal data relating to a number of individuals involved in eight court cases the barrister had been working on. This included some details relating to the physical and mental health of individuals involved in two of the cases. Whilst the barrister had some physical security measures in place at the time of the theft, she failed to ensure that either the device or the sensitive information stored on it was appropriately encrypted.

Ken MacDonald, Assistant Information Commissioner said:

"The legal profession holds some of the most sensitive information available. It is therefore vital that adequate security measures are in place to keep information secure.

"As this incident took place before the 6 April 2010 the ICO is unable to serve a financial penalty in this instance. But this case should act as a warning to other legal professionals that their failure to protect personal information is not just about potentially being served with a penalty of up to £500,000 - it could affect their careers too. If confidential information is made public, it could also jeopardise the important work they do in court." 

Orlagh Kelly was called to the Bar in 2003. She is the CEO of Briefed GDPR, a specialist training and consultancy agency which offers bespoke GDPR compliance training and products for barristers and chambers.