What does a Barrister need to know about GDPR?
Recently published research from the Cyber Security Breaches Survey highlighted that fewer than half of all businesses and charities are aware of new data protection laws coming into force. Given that May 2018 is now only four months away, concern has prompted the UK Government to issue a warning over businesses' lack of preparation.
Regardless of your viewpoint on whether a barrister’s practice is a business, GDPR will apply just the same. From the perspective of the Information Commissioner, barristers are individually responsible as data controllers and must demonstrate compliance with their own practice.
Undoubtedly, you will have read countless articles, blogs or commentary on GDPR. The Bar Council has been proactive in raising this issue. Reputable chambers are taking action to ensure their compliance. So by now, your general awareness may be fairly good. Or is it?
What should a barrister be aware of?
First and foremost, barristers need to know about the legislation, the governing principles and the nine key changes GDPR will make to current data protection law. Training in GDPR is therefore essential and represents a key component in defending any potential action by the Information Commissioner.
Secondly, barristers must be aware of the information they hold. Practice at the Bar and access to personal and/or sensitive information are inextricably linked. As the data controller, the barrister is responsible for knowing what type of information they hold, the lawful bases for holding it, whether and with whom they can share it, and how they should accurately maintain, store and responsibly dispose of such information. Furthermore, barristers must have this recorded in supporting documentation.
Thirdly, compliance is critical. Barristers must apply the GDPR principles to the daily operation of their practice. This includes risk assessing your home work environment, your office work environment, your transport, your IT security and practices, and your digital and hard copy storage arrangements. Unfortunately, your chambers cannot do this on your behalf.
Lastly, barristers are more than familiar with mitigating on behalf of clients. Having undertaken no training, copying and pasting a generic policy, failing to adopt security measures, keeping records for fifteen years or holding no data sharing agreements are examples of unacceptable practices. Given that the outcome of any potential audit or investigation often rests on the strength of the mitigating evidence you can demonstrate to the Information Commissioner, such practices would place a barrister at significant risk.
How can Briefed help you become aware?
In conjunction with the Bar Council, the Briefed team will be in London next month, delivering training courses specifically for barristers (8 March) and for chambers staff (9 March). We also offer a range of online training and compliance tools available here. Members of the Bar of England and Wales enjoy a 10% discount.
We are meeting with chambers throughout the legal quarter, delivering gap analysis reports and action plans. We will also be celebrating with others who have completed their compliance journey. Please contact us if we can help you or your chambers.