There have been several developments since our January Risk Update.

The Society for Trusts and Estates Practitioners (STEP) published a Guidance Note on the effect of the General Data Protection Regulation (GDPR) on private, non-charitable, trusts and estates.

The Information Commissioner’s Office fined Cathay Pacific £500,000 for a data breach (the maximum under the provisions of the Data Protection Act 1998, pre-GDPR).  The monetary penalty notice identifies many system failures which form a useful reminder for law firms, including inadequate patch management, out of date software, user access privileges and failure to use multi-factor authentication.

The Advocate General’s opinion on the meaning of “consent” under GDPR and the previous Data Protection Directive (95/46/EC) was provided in Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal, Case C-61/19.  The opinion makes clear that the burden of proof is on the controller to establish that consent is freely given, specific and informed.  It further stated that there was no informed consent because Orange had not made it crystal clear to customers that a refusal to the copying and storing of his or her ID card did not make the conclusion of a contract impossible: a customer does not choose in an informed manner if he or she is not aware of the consequences.

Links to the above documents can be found on and on our data protection resource page,


‹ Back to Publications