GDPR - Are you prepared?

Over the past number of months, Briefed has been engaged by many chambers and barristers to support and guide them through their GDPR compliance journey. One of the most common misconceptions is that the GDPR is yet another tick-boxing exercise, designed to frustrate an overworked profession. If this is your impression, you have been warned to think again!

The EU General Data Protection Regulation (GDPR) marks a wide reaching and significant shift in how all organisations must manage and protect personal data. In May 2017, Information Commissioner Elizabeth Denham advised that rather than just box-ticking, the focus must be on developing a “framework that can be used to build a culture of privacy that pervades an entire organisation”.

Article 5 of the GDPR states that “the controller shall be responsible for, and able to demonstrate compliance with” six privacy principles. The sixth principle (integrity and confidentiality) states that personal data shall be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

In March 2017, a senior barrister who failed to keep clients’ sensitive personal information secure was fined by the Information Commissioner’s Office (ICO). Steve Eckersley, Head of enforcement at the ICO said: “People put their trust in lawyers to look after their data - that trust is hard won and easily lost. This barrister, for no good reason, overlooked her responsibility to protect her clients’ confidential and highly sensitive information.”

Under GDPR, changes will be required in our policies and procedures but also in our working habits; it will require resources in terms of time, systems and finances but mostly, it requires the collective and individual commitment of chambers and barristers to the principles underpinning GDPR.  The ICO has repeatedly stated that evidence of such commitment will be the key to mitigating any sanction post 25th May 2018.

The days where the responsibility for privacy protection is left to someone else are over. From 25th May, both the barrister and the chambers can potentially be audited, investigated or fined. Barristers cannot simply rely on their chambers having the proper policies and procedures; they must be able to demonstrate compliance in their own individual practice. Chambers can no longer accept traditional individualised methods of working and will have no choice but to hold their members to account. Ultimately, the risks, sanctions and consequences that will result from even a simple data breach raise the importance of the GDPR from an issue of compliance to a critical business imperative.