Counting down to 25 May 2018
After years of huffing and puffing, the European Parliament came up with a new data protection regime. Weighing in at an impressive 173 Recitals and 99 Articles, this baby is no lightweight and, as you will all be aware by now, the General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018.
The Bar Council’s IT Panel has completed a guidance document for you and your chambers to consult at www.barcouncilethics.co.uk/GDPR and this series of columns in Counsel is an abridged version of our GDPR blog.
A very brief history: the European Directive (95/46/EC for the inquisitive) became the Data Protection Act 1998 (DPA). Now there is a whole new statute (and a good sprinkling of Statutory Instruments) in the making and the Data Protection Bill is currently making its way through Parliament. Any hope readers might have entertained that Brexit would put pay to the need for a new regime is misplaced. The government has confirmed the UK’s decision to leave the EU will not affect the commencement of the GDPR.
Data protection has been going for donkeys’ years – why is it so important now?
Data protection law does what it says on the tin. It provides a legal regime for the protection of individuals’ personal information. It is a privacy law. However, there is an increasing trend for people (including governments) to be contemptuous of people’s privacy. Cyberattacks are now so common that there is a serious risk that you or your chambers will suffer an attack at any time. The big ones reach the press. Remember the hacking of the NHS in 2017, where the hackers moved in via an unsupported operating system, Windows XP, and disrupted the NHS. A year ago, telecoms company TalkTalk managed to ‘lose’ millions of customer records to a hacker.
How is this relevant to me?
At the other end of the scale, you, as a barrister, record personal information every day of the week; lay clients’ identities, addresses, trade union activities, health status and the like. You can lose that information simply by leaving your laptop computer on the bus. Data not protected by a password? Password easy to guess? Anyone can take a look. If you are punctilious about keeping your laptop safe from theft or absent mindedness (or you have a desktop), have you ever opened a link in that seemingly innocent email only for it to shut down your system, scramble your data and then go off and infect the rest of the chambers’ computers?
Or it could be ‘ransomware’ – the unfortunate NHS doctors found their screens ‘padlocked’ (encrypted) and a demand was made for $300 bitcoin (untraceable cryptocurrency) release fee (double if not paid within six days). If they did not pay, all the data would remain inaccessible and lost for good.
"The new GDPR has legislated for greatly increased fines... and clients can likewise sue you for greater amounts than before"
Ah, you say, but why would a hacker target me or my chambers? What’s in a dusty old inheritance tax case for them? Let one chambers’ IT manager answer that: ‘Most virus writers send out millions of copies via spam relays hoping to hook a few suckers. They have no idea who it’s going to hit (even the big NHS encryption virus hit a couple of months ago was most likely just by chance rather than targeted at the NHS).’ So you and/or your chambers can be a target anytime, anywhere.
And it does not end with technology meltdown. Do you seriously want to spend time apologising to your clients that all the information they have sent has disappeared at the hands of a hacker? And do you really want to entertain the Information Commissioner’s representative to a cup of chambers’ tea while you try to persuade him or her that you cannot afford a large fine. Incidentally, the new GDPR has legislated for greatly increased fines – in the very worst cases – up to £17m or 4% of global turnover, whichever is greater. Clients can likewise sue you for greater amounts than before if their data has not been securely held. The Bar has a formidable reputation which everyone works immensely hard to keep up. Do you want to lose yours?
Data protection concepts
The whole aim of the GDPR is to control the way personal data is handled. As with the DPA, to fall within the GDPR, personal data has to be ‘processed’. That includes just about every conceivable thing you can do to personal data, from collection to storage, to adaptations and alterations, consultation and use, all the way through to its destruction.
This is not limited to electronic processing by laptop, tablet etc. ‘Processing’ covers hardcopy files too – but, in order to qualify, these need to be in ‘a filing system’. Put simply, can you get your hands easily on personal data because it is sensibly organised? For example, a corporate personnel department probably has a manual file for each employee and can easily locate individual personal data. If personal data is scattered randomly around different files, these don’t count. Random bits of data are less likely to cause harm if released and, the effort of locating these is disproportionate to the likely resulting damage.
Where the buck stops: key players
The ‘data controller’ is the natural or legal person ultimately responsible for determining the purposes for which personal data is processed and the means by which this happens. In Bar terms, each individual practising barrister is a data controller if he or she is processing personal data. Each set of chambers may also be a data controller for chambers management purposes eg processing personal data about employees and their appraisals, marketing activities, and payroll. The ultimate compliance with GDPR (as with the DPA) lies with that barrister or those chambers.
Under the DPA, it was the data controller who carried the can if something went wrong. The ‘data processor’ was merely an individual, or more likely a company, carrying out processing work but with no say over the purposes for which this was done. Under the GDPR, the data processor has a bigger role to play and can be liable for its actions in certain circumstances. A barrister is certainly a data controller; and may also be a data processor. It may be that you are carrying out work on behalf of chambers eg you are involved with pupillage or the recruitment of staff or involved in management committees. Most chambers will also be a data processor, as they provide email, internet, diary, fee processing and file storage facilities for their members.
The Information Commissioner’s Office continues to be the supervisory authority for data protection with a mission to promote good practice. The ICO is also responsible for investigating breaches, issuing enforcement notices and levying fines if justified. Well worth a read by members of the Bar and chambers is its guide to the GDPR and checklists.
- Each individual practising barrister is a data controller and may also be a data processor.
- Each set of chambers may also be a data controller and data processor.
- What’s ‘processed’ personal data? Put simply, any personal data you can get your hands easily because it is sensibly organised.
- The new GDPR has legislated for greatly increased fines.