In light of its upcoming five-year anniversary, Orlagh Kelly considers the evolution, experience and future of GDPR for the Bar
It’s hard to believe it’s been five years since the General Data Protection Regulations (GDPR) came into force in the UK. If I look back to that time, I spent the first part of 2018 in a blur of Bar Council speaking events, GDPR audits in chambers, and developing online training to support chambers and barristers in getting ready for the ‘big day’... 25 May, 2018. The furore around that date was almost unprecedented for what was simply an update to an existing piece of legislation. It certainly captured the attention of the business world at the time, and it is interesting to reflect on what we knew then and how the initial five years have panned out, particularly at the Bar.
Similar to the Y2K hype on the run-up to 31 December 1999, some hoped after the pivotal implementation period that GDPR would ‘just go away’. Included in this thought process was the idea that some work had to be done in advance of the date and that it could then be largely forgotten about thereafter. I think it’s fair to say that assumption has been proven wrong and, in fact, that date was just the beginning of a new era of privacy and data protection. With the Bar having been the focused target of cyber criminals for a number of years, and with the close link between cyber-attacks and data protection, I have observed chambers generally move to embedding data security and privacy throughout all operations, consistently reviewing and updating policies and training in light of legal sector data breaches, and continually investing more and more in IT security.
In early 2018, I observed two dominant schools of thought around how self-employed barristers would comply with the legal obligations placed on them by the then new GDPR legislation.
One, the minority view, was that this was a chambers-wide issue and that chambers would support or mandate certain steps that each member had to take. Some chambers even changed their constitution to insist that each member complete GDPR training annually and provide evidence of the other legal requirements being met, or risk being removed from chambers. This led to chambers-wide policies and procedures and a real awareness of the risks that data breaches presented to the entire membership and how they should be managed. In the early days of mandatory reporting a data breach to the Information Commissioner’s Office (ICO), it also meant that these barristers had the advantage of having a solid foundation to present a defence.
Somewhat understandably, the more dominantly held view was that each barrister was self-employed, and as such, each was responsible for making sure they were compliant with the legislation; it wasn’t the responsibility of chambers. This was certainly an easier approach to take at the time; however, it inevitably led to patchy or poor GDPR compliance standards being implemented, if any at all.
That mindset has shifted significantly. High-profile chambers’ data breaches that have hit the press, as well as five years’ experience of how easily and often barristers have data breaches, mean that most sets now fully appreciate that it only takes one member clicking on one phishing email to financially and reputationally impact chambers, and therefore everyone that depends on the chambers brand suffers too. The 2021 Bar Standards Board Regulatory Return also seems to indicate some expectation of chambers-wide accountability. Routinely now, chambers mandate a consistent standard of compliance with evidence of same for all their members as a minimum standard in an effort to protect everyone’s livelihood.
Already, there has been a steady increase in Subject Access Requests from unsuccessful pupil applicants, unhappy staff and disgruntled clients and ex-employees. These are costly in terms of time, resources and financially for chambers, and so new technology and advice services are being considered to cater for a generation of people who don’t always just take no for an answer but use the rights available to them.
The increased use of technology by barristers and chambers and the Court Service throughout the pandemic was staggering, and the efficiencies that digital change now allows mean that increased tech use at the Bar is here to stay. That brings with it security and privacy issues and risks that will need to be managed. In another five years, I expect that chambers’ budgets will have to account for much higher data security costs, and specialised in-house IT personnel may become de rigueur.
I anticipate that, in due course, the ICO will issue a GDPR certification scheme for the legal sector, which will become a standard that all legal service providers, including chambers, will have to meet to continue to deliver legal services. If this happens, it would be a very positive step forward as it would help chambers move out of that grey area, not knowing if they’re actually GDPR compliant or not and create a system of compliance that the legal sector as a whole could rely on, doing away with the dreaded due diligence questionnaires that have been prevalent for the past two years. This would greatly help focus the minds on what real compliance looks like and ease the stress of those tasked with ensuring compliance.
Finally, although we’re only on the precipice, I predict that the increased usability of artificial intelligence such as ChatGPT will be mainstream in the next five years and the accompanying plagiarism, HR and privacy issues will be another problem that chambers pre-GDPR simply did not have to think about.
Reflecting on the changes in how the Bar now operates, along with how the online world is developing, it is clear that GDPR for the Bar is now more complex than we could ever have predicted, and it’s going to continue to evolve in that direction.