In light of its upcoming five-year anniversary, Orlagh Kelly considers the evolution, experience and future of GDPR for the Bar
It’s hard to believe it’s been five years since the General Data Protection Regulations (GDPR) came into force in the UK. If I look back to that time, I spent the first part of 2018 in a blur of Bar Council speaking events, GDPR audits in chambers, and developing online training to support chambers and barristers to get ready for the ‘big day’... 25 May, 2018. The furore around that date was almost unprecedented for what was simply an update to an existing piece of legislation. It certainly captured the attention of the business world at the time, and it is interesting to reflect on what we knew then and how the initial five years have panned out, particularly at the Bar.
Similar to the Y2K hype in the run-up to 31 December 1999, some hoped after the pivotal implementation period that GDPR would ‘just go away’. Included in this thought process was the idea that some work had to be done in advance of the date and that it could then be largely forgotten about thereafter. I think it’s fair to say that assumption has been proven wrong and, in fact, that date was just the beginning of a new era of privacy and data protection. With the Bar having been the focused target of cyber criminals for a number of years, and with the close link between cyber-attacks and data protection, I have observed chambers generally move to embedding data security and privacy throughout all operations, consistently reviewing and updating policies and training in light of legal sector data breaches, and continually investing more and more in IT security.
In early 2018, I observed two dominant schools of thought around how self-employed barristers would comply with the legal obligations placed on them by the then new GDPR legislation.
One, the minority view, was that this was a chambers-wide issue and that chambers would support or mandate certain steps that each member had to take. Some chambers even changed their constitution to insist that each member complete GDPR training annually and provide evidence of the other legal requirements being met, or risk being removed from chambers. This led to chambers-wide policies and procedures and a real awareness of the risks that data breaches presented to the entire membership and how they should be managed. In the early days of mandatory reporting a data breach to the Information Commissioner’s Office (ICO), it also meant that these barristers had the advantage of having a solid foundation to present a defence.
Somewhat understandably, the more dominantly held view was that each barrister was self-employed, and as such, each was responsible for making sure they were compliant with the legislation; it wasn’t the responsibility of chambers. This was certainly an easier approach to take at the time; however, it inevitably led to patchy or poor GDPR compliance standards being implemented, if any at all.
That mindset has shifted significantly. High-profile chambers’ data breaches that have hit the press, as well as five years’ experience of how easily and often barristers have data breaches, mean that most sets now fully appreciate that it only takes one member clicking on one phishing email to financially and reputationally impact chambers, and therefore everyone that depends on the chambers brand suffers too. The 2021 Bar Standards Board Regulatory Return also seems to indicate some expectation of chambers-wide accountability. Routinely now, chambers mandate a consistent standard of compliance with evidence of same for all their members as a minimum standard in an effort to protect everyone’s livelihood.
Already, there has been a steady increase in Subject Access Requests from unsuccessful pupil applicants, unhappy staff and disgruntled clients and ex-employees. These are costly in terms of time, resources and financially for chambers, and so new technology and advice services are being considered to cater for a generation of people who don’t always just take no for an answer but use the rights available to them.
The increased use of technology by barristers and chambers and the Court Service throughout the pandemic was staggering, and the efficiencies that digital change now allows mean that increased tech use at the Bar is here to stay. That brings with it security and privacy issues and risks that will need to be managed. In another five years, I expect that chambers’ budgets will have to account for much higher data security costs, and specialised in-house IT personnel may become de rigueur.
I anticipate that, in due course, the ICO will issue a GDPR certification scheme for the legal sector, which will become a standard that all legal service providers, including chambers, will have to meet to continue to deliver legal services. If this happens, it would be a very positive step forward as it would help chambers move out of that grey area, not knowing if they’re actually GDPR compliant or not, and create a system of compliance that the legal sector as a whole could rely on, doing away with the dreaded due diligence questionnaires that have been prevalent for the past two years. This would greatly help focus the minds on what real compliance looks like and ease the stress of those tasked with ensuring compliance.
Finally, although we’re only on the precipice, I predict that the increased usability of artificial intelligence such as ChatGPT will be mainstream in the next five years and the accompanying plagiarism, HR and privacy issues will be another problem that chambers pre-GDPR simply did not have to think about.
Reflecting on the changes in how the Bar now operates, along with how the online world is developing, it is clear that GDPR for the Bar is now more complex than we could ever have predicted, and it’s going to continue to evolve in that direction.