Inevitably, we anticipate that some law firms will be subject to fines under the General Data Protection Regulation (GDPR). Where may the problems lie? We identify three areas – one for domestic firms, one for international firms, and one for all firms.
Data protection: domestic firms
On the home front, we believe personal injury firms are highly exposed through a combination of handling large volumes of medical records and, in many cases, a degree of complacency. We have already encountered a post-GDPR example of medical records in a file left in a cab, and a case where copies of two clients’ records were mistakenly sent to two other clients jointly instructing the same firm. But this is barely the tip of the iceberg: medical records and reports are routinely copied many times over into instructions for counsel and experts, court bundles and file copies, and every copy multiplies the risk of a data breach. Can you account for what happens to each and every copy when the case is finished? The same principles apply to other areas of work.
Data protection: international firms
Many firms rely on the standard contractual clauses issued by the European Commission for transferring personal data outside the EEA. So far, so good, but when a data breach occurs, can you find a signed, complete copy? We have heard of a scanned copy from a leading law firm’s overseas office which comprised only alternate pages, and the Information Commissioner’s Office (ICO) monetary penalty notice in the Equifax case noted that no signed copy could be found. That case involved a fine on the UK company following a data breach at its US parent company.
Even if you have a signed, complete copy, did your compliance end with the signing of the agreement incorporating the model clauses? In the Equifax case, the ICO found that there were no audits or adequate checks. The data processing agreement failed to provide adequate safeguards and security requirements, and numerous technical breaches were identified.
Data protection: all firms
Many firms trained staff for the introduction of GDPR, but we suspect many will fail to ensure that existing staff are given regular refresher training and that new joiners are trained at all, which will become an issue in future regulatory investigations. Inadequate training was a factor in the ICO’s Heathrow Airport fine.
Links to the Equifax and Heathrow monetary penalty notices can be found, with a large collection of other resources on data protection and GDPR, at www.legalrisk.co.uk/data.
Data subject access requests are increasingly being used as a tactic in litigation, including partnership disputes and employment claims. It may be possible, in appropriate cases, to resist the request on the basis of legal professional privilege, but it is critical to examine the basis on which privilege is claimed, particularly having regard to the Court of Appeal decision in Three Rivers District Council and others v The Governor and Company of the Bank of England (Three Rivers No 5) EWCA Civ 474. We are frequently instructed to advise on complex privilege issues in relation to data protection and anti-money laundering.
GDPR: Brexit and the EU Withdrawal Agreement (even if it is in fact agreed) give rise to a host of issues on international data transfers. There is (perhaps unintended) doubt about the status of the UK during the transition period, despite the aim of securing adequacy status in the longer term. The Information Commissioner’s Office will not be a supervisory authority once the UK leaves the EU. Data transfer agreements will need to be reviewed once the basis of the UK’s exit is known, but the position is at present unclear. We have advised several US and international firms on GDPR.
Despite GDPR’s aim of consistency, being a Regulation rather than a Directive, compliance issues in other European countries may tax the minds of compliance teams. We have seen a German court fine a lawyer for an incomplete privacy notice, and the French supervisory authority, CNIL, has taken the point that if you rely on a third party to obtain consent, that does not relieve you of your obligation to verify that the consent is valid; auditing, by definition, cannot suffice, because it is only a spot check.