It’s hard to believe it’s been five years since the General Data Protection Regulations (GDPR) came into force in the UK. If I look back to that time, I spent the first part of 2018 in a blur of Bar Council speaking events, GDPR audits in chambers, and developing online training to support chambers and barristers to get ready for the ‘big day’... 25 May, 2018. The furore around that date was almost unprecedented for what was simply an update to an existing piece of legislation. It certainly captured the attention of the business world at the time, and it is interesting to reflect on what we knew then and how the initial five years have panned out, particularly at the Bar.

From Y2K attitude to deeply embedded

Similar to the Y2K hype on the run-up to 31 December 1999, some hoped after the pivotal implementation period that GDPR would ‘just go away’. Included in this thought process was the idea that some work had to be done in advance of the date and that it could then be largely forgotten about thereafter. I think it’s fair to say that assumption has been proven wrong and, in fact, that date was just the beginning of a new era of privacy and data protection. With the Bar having been the focused target of cyber criminals for a number of years, and with the close link between cyber-attacks and data protection, I have observed chambers generally move to embedding data security and privacy throughout all operations, consistently reviewing and updating policies and training in light of legal sector data breaches, and continually investing more and more in IT security.

It’s your problem vs it’s our problem

In early 2018, I observed two dominant schools of thought around how self-employed barristers would comply with the legal obligations placed on them by the then new GDPR legislation.

One, the minority view, was that this was a chambers-wide issue and that chambers would support or mandate certain steps that each member had to take. Some chambers even changed their constitution to insist that each member complete GDPR training annually and provide evidence of the other legal requirements being met, or risk being removed from chambers. This led to chambers-wide policies and procedures and a real awareness of the risks that data breaches presented to the entire membership and how they should be managed. In the early days of mandatory reporting a data breach to the Information Commissioner’s Office (ICO), it also meant that these barristers had the advantage of having a solid foundation to present a defence.

Somewhat understandably, the more dominantly held view was that each barrister was self-employed, and as such, each was responsible for making sure they were compliant with the legislation; it wasn’t the responsibility of chambers. This was certainly an easier approach to take at the time; however, it inevitably led to patchy or poor GDPR compliance standards being implemented, if any at all.

That mindset has shifted significantly. High-profile chambers’ data breaches that have hit the press, as well as five years’ experience of how easily and often barristers have data breaches, mean that most sets now fully appreciate that it only takes one member clicking on one phishing email to financially and reputationally impact chambers, and therefore everyone that depends on the chambers brand suffers too. The 2021 Bar Standards Board Regulatory Return also seems to indicate some expectation of chambers-wide accountability. Routinely now, chambers mandate a consistent standard of compliance, with evidence of same, for all their members as a minimum standard in an effort to protect everyone’s livelihood.

What does the future hold?

Already, there has been a steady increase in Subject Access Requests from unsuccessful pupil applicants, unhappy staff and disgruntled clients and ex-employees. These are costly in terms of time, resources and money for chambers, and so new technology and advice services are being considered to cater for a generation of people who don’t always just take no for an answer but use the rights available to them.

The increased use of technology by barristers and chambers and the Court Service throughout the pandemic was staggering, and the efficiencies that digital change now allows mean that increased tech use at the Bar is here to stay. That brings with it security and privacy issues and risks that will need to be managed. In another five years, I expect that chambers’ budgets will have to account for much higher data security costs, and specialised in-house IT personnel may become de rigueur.

I anticipate that, in due course, the ICO will issue a GDPR certification scheme for the legal sector, which will become a standard that all legal service providers, including chambers, will have to meet to continue to deliver legal services. If this happens, it would be a very positive step forward as it would help chambers move out of that grey area, not knowing if they’re actually GDPR compliant or not, and create a system of compliance that the legal sector as a whole could rely on, doing away with the dreaded due diligence questionnaires that have been prevalent for the past two years. This would greatly help focus minds on what real compliance looks like and ease the stress of those tasked with ensuring compliance.

Finally, although we’re only on the precipice, I predict that the increased usability of artificial intelligence such as ChatGPT will be mainstream in the next five years and the accompanying plagiarism, HR and privacy issues will be another problem that chambers pre-GDPR simply did not have to think about.

Reflecting on the changes in how the Bar now operates, along with how the online world is developing, it is clear that GDPR for the Bar is now more complex than we could ever have predicted, and it’s going to continue to evolve in that direction.
