*/
Ready to GDPR? If not, think: technical disruption; embarrassment; delays to completing work; and large fines. In a new column, the IT Panel goes back to basics
After years of huffing and puffing, the European Parliament came up with a new data protection regime. Weighing in at an impressive 173 Recitals and 99 Articles, this baby is no lightweight and, as you will all be aware by now, the General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018.
The Bar Council’s IT Panel has completed a guidance document for you and your chambers to consult at www.barcouncilethics.co.uk/GDPR and this series of columns in Counsel is an abridged version of our GDPR blog.
A very brief history: the European Directive (95/46/EC for the inquisitive) became the Data Protection Act 1998 (DPA). Now there is a whole new statute (and a good sprinkling of Statutory Instruments) in the making and the Data Protection Bill is currently making its way through Parliament. Any hope readers might have entertained that Brexit would put pay to the need for a new regime is misplaced. The government has confirmed the UK’s decision to leave the EU will not affect the commencement of the GDPR.
Data protection law does what it says on the tin. It provides a legal regime for the protection of individuals’ personal information. It is a privacy law. However, there is an increasing trend for people (including governments) to be contemptuous of people’s privacy. Cyberattacks are now so common that there is a serious risk that you or your chambers will suffer an attack at any time. The big ones reach the press. Remember the hacking of the NHS in 2017, where the hackers moved in via an unsupported operating system, Windows XP, and disrupted the NHS. A year ago, telecoms company TalkTalk managed to ‘lose’ millions of customer records to a hacker.
At the other end of the scale, you, as a barrister, record personal information every day of the week; lay clients’ identities, addresses, trade union activities, health status and the like. You can lose that information simply by leaving your laptop computer on the bus. Data not protected by a password? Password easy to guess? Anyone can take a look. If you are punctilious about keeping your laptop safe from theft or absent mindedness (or you have a desktop), have you ever opened a link in that seemingly innocent email only for it to shut down your system, scramble your data and then go off and infect the rest of the chambers’ computers?
Or it could be ‘ransomware’ – the unfortunate NHS doctors found their screens ‘padlocked’ (encrypted) and a demand was made for $300 bitcoin (untraceable cryptocurrency) release fee (double if not paid within six days). If they did not pay, all the data would remain inaccessible and lost for good.
"The new GDPR has legislated for greatly increased fines... and clients can likewise sue you for greater amounts than before"
Ah, you say, but why would a hacker target me or my chambers? What’s in a dusty old inheritance tax case for them? Let one chambers’ IT manager answer that: ‘Most virus writers send out millions of copies via spam relays hoping to hook a few suckers. They have no idea who it’s going to hit (even the big NHS encryption virus hit a couple of months ago was most likely just by chance rather than targeted at the NHS).’ So you and/or your chambers can be a target anytime, anywhere.
And it does not end with technology meltdown. Do you seriously want to spend time apologising to your clients that all the information they have sent has disappeared at the hands of a hacker? And do you really want to entertain the Information Commissioner’s representative to a cup of chambers’ tea while you try to persuade him or her that you cannot afford a large fine. Incidentally, the new GDPR has legislated for greatly increased fines – in the very worst cases – up to £17m or 4% of global turnover, whichever is greater. Clients can likewise sue you for greater amounts than before if their data has not been securely held. The Bar has a formidable reputation which everyone works immensely hard to keep up. Do you want to lose yours?
The whole aim of the GDPR is to control the way personal data is handled. As with the DPA, to fall within the GDPR, personal data has to be ‘processed’. That includes just about every conceivable thing you can do to personal data, from collection to storage, to adaptations and alterations, consultation and use, all the way through to its destruction.
This is not limited to electronic processing by laptop, tablet etc. ‘Processing’ covers hardcopy files too – but, in order to qualify, these need to be in ‘a filing system’. Put simply, can you get your hands easily on personal data because it is sensibly organised? For example, a corporate personnel department probably has a manual file for each employee and can easily locate individual personal data. If personal data is scattered randomly around different files, these don’t count. Random bits of data are less likely to cause harm if released and, the effort of locating these is disproportionate to the likely resulting damage.
The ‘data controller’ is the natural or legal person ultimately responsible for determining the purposes for which personal data is processed and the means by which this happens. In Bar terms, each individual practising barrister is a data controller if he or she is processing personal data. Each set of chambers may also be a data controller for chambers management purposes eg processing personal data about employees and their appraisals, marketing activities, and payroll. The ultimate compliance with GDPR (as with the DPA) lies with that barrister or those chambers.
Under the DPA, it was the data controller who carried the can if something went wrong. The ‘data processor’ was merely an individual, or more likely a company, carrying out processing work but with no say over the purposes for which this was done. Under the GDPR, the data processor has a bigger role to play and can be liable for its actions in certain circumstances. A barrister is certainly a data controller; and may also be a data processor. It may be that you are carrying out work on behalf of chambers eg you are involved with pupillage or the recruitment of staff or involved in management committees. Most chambers will also be a data processor, as they provide email, internet, diary, fee processing and file storage facilities for their members.
The Information Commissioner’s Office continues to be the supervisory authority for data protection with a mission to promote good practice. The ICO is also responsible for investigating breaches, issuing enforcement notices and levying fines if justified. Well worth a read by members of the Bar and chambers is its guide to the GDPR and checklists.
After years of huffing and puffing, the European Parliament came up with a new data protection regime. Weighing in at an impressive 173 Recitals and 99 Articles, this baby is no lightweight and, as you will all be aware by now, the General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018.
The Bar Council’s IT Panel has completed a guidance document for you and your chambers to consult at www.barcouncilethics.co.uk/GDPR and this series of columns in Counsel is an abridged version of our GDPR blog.
A very brief history: the European Directive (95/46/EC for the inquisitive) became the Data Protection Act 1998 (DPA). Now there is a whole new statute (and a good sprinkling of Statutory Instruments) in the making and the Data Protection Bill is currently making its way through Parliament. Any hope readers might have entertained that Brexit would put pay to the need for a new regime is misplaced. The government has confirmed the UK’s decision to leave the EU will not affect the commencement of the GDPR.
Data protection law does what it says on the tin. It provides a legal regime for the protection of individuals’ personal information. It is a privacy law. However, there is an increasing trend for people (including governments) to be contemptuous of people’s privacy. Cyberattacks are now so common that there is a serious risk that you or your chambers will suffer an attack at any time. The big ones reach the press. Remember the hacking of the NHS in 2017, where the hackers moved in via an unsupported operating system, Windows XP, and disrupted the NHS. A year ago, telecoms company TalkTalk managed to ‘lose’ millions of customer records to a hacker.
At the other end of the scale, you, as a barrister, record personal information every day of the week; lay clients’ identities, addresses, trade union activities, health status and the like. You can lose that information simply by leaving your laptop computer on the bus. Data not protected by a password? Password easy to guess? Anyone can take a look. If you are punctilious about keeping your laptop safe from theft or absent mindedness (or you have a desktop), have you ever opened a link in that seemingly innocent email only for it to shut down your system, scramble your data and then go off and infect the rest of the chambers’ computers?
Or it could be ‘ransomware’ – the unfortunate NHS doctors found their screens ‘padlocked’ (encrypted) and a demand was made for $300 bitcoin (untraceable cryptocurrency) release fee (double if not paid within six days). If they did not pay, all the data would remain inaccessible and lost for good.
"The new GDPR has legislated for greatly increased fines... and clients can likewise sue you for greater amounts than before"
Ah, you say, but why would a hacker target me or my chambers? What’s in a dusty old inheritance tax case for them? Let one chambers’ IT manager answer that: ‘Most virus writers send out millions of copies via spam relays hoping to hook a few suckers. They have no idea who it’s going to hit (even the big NHS encryption virus hit a couple of months ago was most likely just by chance rather than targeted at the NHS).’ So you and/or your chambers can be a target anytime, anywhere.
And it does not end with technology meltdown. Do you seriously want to spend time apologising to your clients that all the information they have sent has disappeared at the hands of a hacker? And do you really want to entertain the Information Commissioner’s representative to a cup of chambers’ tea while you try to persuade him or her that you cannot afford a large fine. Incidentally, the new GDPR has legislated for greatly increased fines – in the very worst cases – up to £17m or 4% of global turnover, whichever is greater. Clients can likewise sue you for greater amounts than before if their data has not been securely held. The Bar has a formidable reputation which everyone works immensely hard to keep up. Do you want to lose yours?
The whole aim of the GDPR is to control the way personal data is handled. As with the DPA, to fall within the GDPR, personal data has to be ‘processed’. That includes just about every conceivable thing you can do to personal data, from collection to storage, to adaptations and alterations, consultation and use, all the way through to its destruction.
This is not limited to electronic processing by laptop, tablet etc. ‘Processing’ covers hardcopy files too – but, in order to qualify, these need to be in ‘a filing system’. Put simply, can you get your hands easily on personal data because it is sensibly organised? For example, a corporate personnel department probably has a manual file for each employee and can easily locate individual personal data. If personal data is scattered randomly around different files, these don’t count. Random bits of data are less likely to cause harm if released and, the effort of locating these is disproportionate to the likely resulting damage.
The ‘data controller’ is the natural or legal person ultimately responsible for determining the purposes for which personal data is processed and the means by which this happens. In Bar terms, each individual practising barrister is a data controller if he or she is processing personal data. Each set of chambers may also be a data controller for chambers management purposes eg processing personal data about employees and their appraisals, marketing activities, and payroll. The ultimate compliance with GDPR (as with the DPA) lies with that barrister or those chambers.
Under the DPA, it was the data controller who carried the can if something went wrong. The ‘data processor’ was merely an individual, or more likely a company, carrying out processing work but with no say over the purposes for which this was done. Under the GDPR, the data processor has a bigger role to play and can be liable for its actions in certain circumstances. A barrister is certainly a data controller; and may also be a data processor. It may be that you are carrying out work on behalf of chambers eg you are involved with pupillage or the recruitment of staff or involved in management committees. Most chambers will also be a data processor, as they provide email, internet, diary, fee processing and file storage facilities for their members.
The Information Commissioner’s Office continues to be the supervisory authority for data protection with a mission to promote good practice. The ICO is also responsible for investigating breaches, issuing enforcement notices and levying fines if justified. Well worth a read by members of the Bar and chambers is its guide to the GDPR and checklists.
Ready to GDPR? If not, think: technical disruption; embarrassment; delays to completing work; and large fines. In a new column, the IT Panel goes back to basics
Sam Townend KC explains the Bar Council’s efforts towards ensuring a bright future for the profession
Giovanni D’Avola explores the issue of over-citation of unreported cases and the ‘added value’ elements of a law report
Louise Crush explores the key points and opportunities for tax efficiency
Westgate Wealth Management Ltd is a Partner Practice of FTSE 100 company St. James’s Place – one of the top UK Wealth Management firms. We offer a holistic service of distinct quality, integrity, and excellence with the aim to build a professional and valuable relationship with our clients, helping to provide them with security now, prosperity in the future and the highest standard of service in all of our dealings.
Is now the time to review your financial position, having reached a career milestone? asks Louise Crush
If you were to host a dinner party with 10 guests, and you asked them to explain what financial planning is and how it differs to financial advice, you’d receive 10 different answers. The variety of answers highlights the ongoing need to clarify and promote the value of financial planning.
Most of us like to think we would risk our career in order to meet our ethical obligations, so why have so many lawyers failed to hold the line? asks Flora Page
If your current practice environment is bringing you down, seek a new one. However daunting the change, it will be worth it, says Anon Barrister
Creating advocacy opportunities for juniors is now the expectation but not always easy to put into effect. Tom Mitcheson KC distils developing best practice from the Patents Court initiative already bearing fruit
Sam Townend KC explains the Bar Council’s efforts towards ensuring a bright future for the profession
National courts are now running the bulk of the world’s war crimes cases and corporate prosecutions are part of this growing trend, reports Chris Stephen
