Data Controller or Processor – that is the question!
This month, I had the pleasure of delivering GDPR and Data Protection training for the Bar Council in London. Both sessions were fully subscribed and sold out quickly, perhaps indicating the level of interest or concern within the profession. Having conducted my fair share of cross-examinations, it was an interesting experience to be on the receiving end of questions! Despite the roles of data controller and data processor existing prior to GDPR, significant confusion remains about the roles in the context of barristers and chambers.
Under GDPR, a data controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” Under this definition, we can clearly see that barristers are data controllers for their client information – they are directly responsible for, and must be able to demonstrate, compliance with the GDPR principles. Depending on the nature of instructions or the case, it is likely that most barristers and the instructing solicitor firm will operate under a joint controller relationship.
It should be noted that the definition of a controller is a person – for the majority of Chambers, this means that the Head(s) of Chambers is the recognised data controller for the personal information held about employees and members of Chambers. Head(s) of Chambers must be aware of their responsibilities and liabilities under GDPR. This is prompting much discussion at management committees. To this end, the Bar Council has asked BRIEFED to deliver a special training session for Heads of Chambers – details available here.
According to GDPR, a data processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”. This reflects the relationship between chambers and its members. Under the Head of Chambers, the Chambers provide a range of services to assist members in their practice. The GDPR places specific legal obligations on Chambers as data processors; for example, to maintain records of personal data and processing activities. Furthermore, it introduces legal liability if Chambers are responsible for a breach. Where a processor is involved, this does not relieve individual barristers of their obligations. The GDPR places further obligations on barristers as controllers to ensure contracts with processors comply with the GDPR. Defining the lines of liability is critical – which is why a data processing/sharing agreement must be in place between each individual barrister/controller and their Chambers. The agreement will definitively state the role, responsibilities and obligations of both parties.
Given the many different administrative arrangements across Chambers and individual practices, it can be difficult to accurately interpret the legislation in the context of your particular circumstances. This is why BRIEFED has been instructed by over 45 chambers to help them navigate through their compliance journey. We also offer a range of online training and compliance tools available here. Members of the Bar of England and Wales enjoy a 10% discount.