*/
In light of its upcoming five-year anniversary, Orlagh Kelly considers the evolution, experience and future of GDPR for the Bar
It’s hard to believe it’s been five years since the General Data Protection Regulations (GDPR) came into force in the UK. If I look back to that time, I spent the first part of 2018 in a blur of Bar Council speaking events, GDPR audits in chambers, and developing online training to support chambers and barristers get ready for the ‘big day’... 25 May, 2018. The furore around that date was almost unprecedented for what was simply an update to an existing piece of legislation. It certainly captured the attention of the business world at the time, and it is interesting to reflect on what we knew then and how the initial five years have panned out, particularly at the Bar.
Similar to the Y2K hype on the run-up to 31 December 1999 some hoped after the pivotal implementation period that GDPR would ‘just go away’. Included in this thought process was the idea that some work had to be done in advance of the date and that it could then be largely forgotten about thereafter. I think it’s fair to say that assumption has been proven wrong and, in fact, that date was just the beginning of a new era of privacy and data protection. With the Bar having been the focused target of cyber criminals for a number of years, and with the close link between cyber-attacks and data protection, I have observed chambers generally move to embedding data security and privacy throughout all operations, consistently reviewing and updating policies and training in light of legal sector data breaches, and continually investing more and more in IT security.
In early 2018, I observed two dominant schools of thought around how self-employed barristers would comply with the legal obligations placed on them by the then new GDPR legislation.
One, the minority view, was that this was a chambers-wide issue and that chambers would support or mandate certain steps that each member had to take. Some chambers even changed their constitution to insist that each member complete GDPR training annually and provide evidence of the other legal requirements being met, or risk being removed from chambers. This led to chambers-wide policies and procedures and a real awareness of the risks that data breaches presented to the entire membership and how they should be managed. In the early days of mandatory reporting a data breach to the Information Commissioner’s Office (ICO), it also meant that these barristers had the advantage of having a solid foundation to present a defence.
Somewhat understandably, the more dominantly held view was that each barrister was self-employed, and as such, each was responsible for making sure they were compliant with the legislation; it wasn’t the responsibility of chambers. This was certainly an easier approach to take at the time, however, it inevitably led to patchy, or poor GDPR compliance standards being implemented, if any at all.
That mindset has shifted significantly. High-profile chambers’ data breaches, that have hit the press, as well as five years’ experience of how easily and often barristers have data breaches, mean that most sets now fully appreciate that it only takes one member clicking on one phishing email to financially and reputationally impact chambers, and therefore everyone that depends on the chambers brand suffers too. The 2021 Bar Standards Board Regulatory Return also seems to indicate some expectation of chambers-wide accountability. Routinely now, chambers mandate a consistent standard of compliance with evidence of same for all their members as a minimum standard in an effort to protect everyone’s livelihood.
Already, there has been a steady increase in Subject Access Requests from unsuccessful pupil applicants, unhappy staff and disgruntled clients and ex-employees. These are costly in terms of time, resources and financially for chambers, and so new technology and advice services are being considered to cater for a generation of people who don’t always just take no for an answer but use the rights available to them.
The increased use of technology by barristers and chambers and the Court Service throughout the pandemic was staggering, and the efficiencies that digital change now allows mean that increased tech use at the Bar is here to stay. That brings with it security and privacy issues and risks that will need to be managed. In another five years, I expect that chambers’ budgets will have to account for much higher data security costs, and specialised in-house IT personnel may become de rigeur.
I anticipate that, in due course, the ICO will issue a GDPR certification scheme for the legal sector, which will become a standard that all legal service providers, including chambers, will have to meet to continue to deliver legal services. If this happens, it would be a very positive step forward as it would help chambers move out of that grey area, not knowing if they’re actually GDPR compliant or not and create a system of compliance that the legal sector as a whole could rely on, doing away with the dreaded due diligence questionnaires that have been prevalent for the past two years. This would greatly help focus the minds on what real compliance looks like and ease the stress of those tasked with ensuring compliance.
Finally, although we’re only on the precipice, I predict that the increased useability of artificial intelligence such as Chat GPT will be mainstream in the next five years and the accompanying plagiarism, HR and privacy issues will be another problem that chambers pre-GDPR simply did not have to think about.
On reflection the changes in how the Bar now operates, along with how the online world is developing, it is clear that GDPR for the Bar is now more complex than we could ever have predicted, and it’s going to continue to evolve in that direction.
Orlagh Kelly, Barrister & CEO of Briefed, is a highly experienced barrister, accomplished legal technologist and internationally renowned authority on data protection. It is that unique blend of legal expertise and entrepreneurial spirit which inspired her to found Briefed in 2012.
It’s hard to believe it’s been five years since the General Data Protection Regulations (GDPR) came into force in the UK. If I look back to that time, I spent the first part of 2018 in a blur of Bar Council speaking events, GDPR audits in chambers, and developing online training to support chambers and barristers get ready for the ‘big day’... 25 May, 2018. The furore around that date was almost unprecedented for what was simply an update to an existing piece of legislation. It certainly captured the attention of the business world at the time, and it is interesting to reflect on what we knew then and how the initial five years have panned out, particularly at the Bar.
Similar to the Y2K hype on the run-up to 31 December 1999 some hoped after the pivotal implementation period that GDPR would ‘just go away’. Included in this thought process was the idea that some work had to be done in advance of the date and that it could then be largely forgotten about thereafter. I think it’s fair to say that assumption has been proven wrong and, in fact, that date was just the beginning of a new era of privacy and data protection. With the Bar having been the focused target of cyber criminals for a number of years, and with the close link between cyber-attacks and data protection, I have observed chambers generally move to embedding data security and privacy throughout all operations, consistently reviewing and updating policies and training in light of legal sector data breaches, and continually investing more and more in IT security.
In early 2018, I observed two dominant schools of thought around how self-employed barristers would comply with the legal obligations placed on them by the then new GDPR legislation.
One, the minority view, was that this was a chambers-wide issue and that chambers would support or mandate certain steps that each member had to take. Some chambers even changed their constitution to insist that each member complete GDPR training annually and provide evidence of the other legal requirements being met, or risk being removed from chambers. This led to chambers-wide policies and procedures and a real awareness of the risks that data breaches presented to the entire membership and how they should be managed. In the early days of mandatory reporting a data breach to the Information Commissioner’s Office (ICO), it also meant that these barristers had the advantage of having a solid foundation to present a defence.
Somewhat understandably, the more dominantly held view was that each barrister was self-employed, and as such, each was responsible for making sure they were compliant with the legislation; it wasn’t the responsibility of chambers. This was certainly an easier approach to take at the time, however, it inevitably led to patchy, or poor GDPR compliance standards being implemented, if any at all.
That mindset has shifted significantly. High-profile chambers’ data breaches, that have hit the press, as well as five years’ experience of how easily and often barristers have data breaches, mean that most sets now fully appreciate that it only takes one member clicking on one phishing email to financially and reputationally impact chambers, and therefore everyone that depends on the chambers brand suffers too. The 2021 Bar Standards Board Regulatory Return also seems to indicate some expectation of chambers-wide accountability. Routinely now, chambers mandate a consistent standard of compliance with evidence of same for all their members as a minimum standard in an effort to protect everyone’s livelihood.
Already, there has been a steady increase in Subject Access Requests from unsuccessful pupil applicants, unhappy staff and disgruntled clients and ex-employees. These are costly in terms of time, resources and financially for chambers, and so new technology and advice services are being considered to cater for a generation of people who don’t always just take no for an answer but use the rights available to them.
The increased use of technology by barristers and chambers and the Court Service throughout the pandemic was staggering, and the efficiencies that digital change now allows mean that increased tech use at the Bar is here to stay. That brings with it security and privacy issues and risks that will need to be managed. In another five years, I expect that chambers’ budgets will have to account for much higher data security costs, and specialised in-house IT personnel may become de rigeur.
I anticipate that, in due course, the ICO will issue a GDPR certification scheme for the legal sector, which will become a standard that all legal service providers, including chambers, will have to meet to continue to deliver legal services. If this happens, it would be a very positive step forward as it would help chambers move out of that grey area, not knowing if they’re actually GDPR compliant or not and create a system of compliance that the legal sector as a whole could rely on, doing away with the dreaded due diligence questionnaires that have been prevalent for the past two years. This would greatly help focus the minds on what real compliance looks like and ease the stress of those tasked with ensuring compliance.
Finally, although we’re only on the precipice, I predict that the increased useability of artificial intelligence such as Chat GPT will be mainstream in the next five years and the accompanying plagiarism, HR and privacy issues will be another problem that chambers pre-GDPR simply did not have to think about.
On reflection the changes in how the Bar now operates, along with how the online world is developing, it is clear that GDPR for the Bar is now more complex than we could ever have predicted, and it’s going to continue to evolve in that direction.
In light of its upcoming five-year anniversary, Orlagh Kelly considers the evolution, experience and future of GDPR for the Bar
The beginning of the legal year offers the opportunity for a renewed commitment to justice and the rule of law both at home and abroad
By Louise Crush of Westgate Wealth Management sets out the key steps to your dream property
A centre of excellence for youth justice, the Youth Justice Legal Centre provides specialist training, an advice line and a membership programme
By Kem Kemal of Henry Dannell
By Ashley Friday of AlphaBiolabs
Providing bespoke mortgage and protection solutions for barristers
Joanna Hardy-Susskind speaks to those walking away from the criminal Bar
From a traumatic formative education to exceptional criminal silk – Laurie-Anne Power KC talks about her path to the Bar, pursuit of equality and speaking out against discrimination (not just during Black History Month)
Yasmin Ilhan explains the Law Commission’s proposals for a quicker, easier and more effective contempt of court regime
James Onalaja concludes his two-part opinion series
Irresponsible use of AI can lead to serious and embarrassing consequences. Sam Thomas briefs barristers on the five key risks and how to avoid them
