Whether it’s a sensitive email sent to the wrong person, a suitcase of papers stolen from the train or an iPhone full of confidential emails lost on a night out, there’s no doubt that every day barristers and chambers are having data breaches.

With the new GDPR legislation now mandating that data breaches are reported by the barrister to the Information Commissioner’s Office (ICO) within 72 hours, it’s inevitable that many barristers, constantly on the move and handling all sorts of personal information, are going to find themselves with a data breach emergency on their hands.

At a recent training event for chambers I asked attendees, mostly CEOs and senior clerks, how many potential reportable data breaches they believed the average barrister has per month. The answers averaged out at about 10 per month. That’s correct. Those that work closely with the Bar estimated that the average barrister has 10 potential reportable data breaches per month.

The consequences of a data breach

Briefly, if a barrister has a data breach, they can face sanctions from the ICO such as a monetary fine and damage to their professional reputation if or when the ICO issues a press release detailing the barrister’s failings. Clients and law firms may well refuse to work with the barrister, and it is almost guaranteed that work from government bodies, banks and insurance companies will cease. A data breach can honestly spell the end of a successful barrister’s practice. And just to be clear, your professional indemnity insurance does not cover you for any ICO-issued fine. Bar Mutual has confirmed this.

So how do you survive a data breach?

My team and I have been working with almost 100 sets of chambers, helping them manage emergency data breach situations, and there are a few key learning points that will assist barristers who want to keep their practices safe from the scrutiny of the ICO and any consequent sanctions.

Have a plan

It sounds simple but imagine yourself in a panicked situation, with a ticking clock, trying to manage all your usual work (and life) commitments but facing the possible destruction of your practice and career. Do you know what to do? Do you know where to get help? How do you mitigate the breach? How do you manage any publicity? Do you have to report to the Bar Standards Board? How do you manage clients if they’re affected? How do you tell your instructing solicitor? Do you report it to the ICO or not? How do you even make that decision and make sure it’s the correct decision?

Once that 72-hour clock starts to tick, you need to be able to immediately implement a well-thought-out crisis management plan.

Access to expertise

Regardless of how you excel as an advocate and legal adviser, unless you actually practise data protection law, you are unlikely to be able to learn all you need to know in 72 hours to help you make the decisions you need to in this situation. Well-meaning colleagues in chambers who offer assistance could be helpful if they are data protection specialists. However, if they’re not, be wary of where you get your advice from. Some chambers have access to specialist emergency data breach advice for members; check if your chambers has set this up for you and how to access it when you need it.

Keep on training

One of the fastest and cheapest ways of proving to the ICO that you take protecting data seriously is to be able to demonstrate that you complete appropriate, annual GDPR training. Appropriate means that it is appropriate to the job you have: it should be barrister or ‘data controller’ specific (ie not something meant for an employee of a corporation); you should have a certificate as evidence of completion; and it should be refreshed annually. The ICO asks for evidence of training when you report a breach; that shows the importance the ICO attaches to it, and you should attach the same importance. It may well be the very thing that gets you out of a fine.

Keep compliant

As you can imagine, it’s under the pressure of an ICO investigation or audit that gaps in your compliance will appear. Expired (or non-existent) data sharing agreements, an outdated privacy policy or a data retention policy you just never got around to implementing will all become glaringly obvious and you’ll wish you had taken an hour or two to make sure all was in order.

As a barrister you are the owner of a business, and you need to be ICO audit-ready. That way, when facing an investigation, you will be confident that your GDPR compliance work is robust. Carry out an annual audit, update policies, and have evidence of your audit available. This will stand you in good stead with the ICO.

Watch out for conflicts of interest

Any data breach you may have could also involve others, eg your clerk loses a trial bundle belonging to one of your cases. This now means both you and chambers are implicated. Suppose the instructing solicitor is an influential law firm and the head of chambers does a lot of work for them. Dealing with a data breach isn’t just about the ICO; there are professional and commercial relationships to manage. You need to protect yourself.

Understand your responsibility

If you have a data breach, you pay the fine, not your chambers or Bar Mutual.

If you have a data breach, you have responsibility for managing it, not your senior clerk or head of chambers.

You have responsibility for your own GDPR compliance, not the chambers GDPR committee or management committee. Ensure you are making informed, autonomous decisions both before a breach and during it to protect yourself. A management committee inclined towards finding the cheapest training, for example, may be looking after your wallet, but not ultimately choosing what’s right for you in the long run.

There is a lot to think about, but preparation and planning are essential. Investing time and resources up front is how you survive a data breach. There’s really not much you can do when the proverbial horse, or USB stick, has bolted.

A typical data breach scenario for a barrister

A law firm sends a brief to chambers with a USB of GP notes and records attached for the attention of John Smith QC. The brief is tracked through the clerk’s room and lands on John’s desk. When reading the papers on Friday afternoon, he sees a plastic USB holder attached, but no USB stick. He checks with his clerk; no-one in the clerk’s room has any record of the USB. He alerts the law firm, from whom he receives about 40% of his work, that it had forgotten to send it. The law firm insists it did send the USB and that he or his clerk have lost it. The law firm declares that he is responsible for a data breach and is adamant that John has to report this to the ICO. John has 72 hours to decide how to manage this situation and whether he needs to report it to the ICO. However, he’s due to meet his wife at the airport in three hours for a weekend away. An hour later the law firm confirms the USB stick was not encrypted, even though all previous USBs in this case were encrypted before they were sent. John was in the middle of a large trial when GDPR came in, so he didn’t have much to do with it, and hasn’t done any compliance work or training, although he does remember being tortured with emails from his chambers administrator at the time. He does not have a data sharing agreement with the law firm. He alerts the head of chambers, who is now himself worried about the personal liability he might suffer if the clerk’s room is at fault, as well as the commercial relationship with the law firm, which is a key provider of work to several high-earning members of chambers. A friendly member of the management committee had kindly offered to manage GDPR for chambers, but he’s in a six-week murder trial in Birmingham and doesn’t have time to research what to do next...

Bigger teeth: CPS fined £325k and IICSA fined £200k

Since the regulations came into force on 25 May 2018, the Information Commissioner has issued 127 enforcement notices and fines. In the legal sector these include the Crown Prosecution Service, fined £325,000 after it lost unencrypted DVDs containing recordings of police interviews with 15 victims of child sex abuse, and the Independent Inquiry into Child Sexual Abuse, fined £200,000 for revealing the identities of abuse victims in a mass email.

Get GDPR certified: As of Spring 2019 the ICO states that ‘certification will be considered as a mitigating factor when we are considering imposing a fine’. If a barrister can achieve GDPR certification they are in the best position to ward off sanctions. 400 UK barristers are ahead of the curve and have already achieved certification for this reason.

Further reading

The Bar Council IT Panel’s GDPR blog, and its GDPR Guide for Barristers and Chambers.