By now, if you have not heard of or seen 1000 references to the General Data Protection Regulation (GDPR), then I can only assume that you either have been hiding under a stone, or have elected to live with your head firmly inserted in sand. There is nothing to fear however. With the right assistance, resources, common sense and a little good old-fashioned hard work, compliance is more achievable than you might think.
GDPR is a European Union regulation that serves to protect the personal data of anyone in the EU. As a regulation, it is immediately and simultaneously enforceable as law in all member states (distinguishable from directives that, at least in principle, need to be transposed into national law).
From May 2016, the GDPR entered into a two-year transition period giving organisations time to understand the new regulation and ensure compliance. This means that GDPR is already here and from May 25th 2018 will be enforced and must be complied with.
However, with less than 1 year to go, some organisations are only now starting to explore the full implications of GDPR and beginning to set any sort of plan for compliance in motion.
Why the big fuss?
Of course, data protection regulation is nothing new. GDPR builds upon the Data Protection Act 1998 (DPA) which sits alongside The Privacy and Electronic Communications Regulations (PECR – which ensure specific privacy rights in relation to electronic communications).
There are however two significant differences in the GDPR that should really have raised corporate alarm bells pre-May-2016:
- At present, the maximum fine organisations can suffer for breaching data protection laws is set at a modest £500,000. However, under GDPR, organisations that commit a serious data breach could be fined up to £17m or 4% of global turnover.
- The DPA focuses liabilities more towards ‘controllers’ than ‘processors’. Under GDPR, whilst the definitions are broadly the same, specific legal obligations are imposed on processors as well as controllers. This ups the stakes dramatically if processors are responsible for a breach.
The significant increase in financial penalties coupled with the extended scope over processors leaves organisations with no excuses (other more altruistic motives for compliance are available…). No action is not an option.
Why the delay?
A degree of apathy towards the GDPR may be explained by the emergence of post-referendum questions about the effect Brexit would have on implementation. Some believed (hoped) that the regulation might never reach our shores. However, the Digital Minister, Matt Hancock recently submitted proposals for an overhaul of UK data protection laws, which categorically confirms the incorporation of GDPR into UK law after Brexit (so no escape there, I am afraid).
Additionally, whilst generic information about GDPR is plentiful (I commend the Information Commissioner’s Office (ICO) for the guidance documentation they have produced in advance of May 2018), the lack (until recently) of what would appear to be practical advice for individual sectors (legal/chambers, in particular) has been hard to obtain. To some extent, this has led to a delay by small/mid-size firms to act in the hope that larger organisations or regulatory bodies would ‘lead the way’.
There is no need for trepidation in approaching the subject. Yes, the risks for Chambers are high. The level of personal information often disclosed during the course of proceedings, and the length of time proceedings can last, dramatically increases the levels of security needed by Chambers to store/transfer/utilise the data they are provided with for processing. Not to mention the additional responsibilities of maintaining personal information about internal individuals (Barristers, Clerks, Staff, etc.). However…
Help is at hand.
There is no silver bullet for GDPR and no single outside consultant or service provider holds all of the keys. However, if Chambers engage with the right providers of services, and deploy the correct hardware & software solutions, the empty tick-boxes of compliance really can start to complete themselves.
There are several IT companies with vast experience in the niche Chambers market, who offer practical GDPR compliant solutions. In most instances, they fit seamlessly (in fact improve) the daily business processes of Chambers. They can help with the fundamentals of Data Security and help Chambers to limit risk by implementing Centrally Managed IT Systems and Policies, which:
- Control where data is accessed from, and by which devices;
- Can ensure secure access to data by implementing technologies such as 2FA (Two Factor Authentication), SAML Authentication, stringent password policies and secure connections;
- Guarantee UK based cloud services (for case management/storage/document solutions);
- Help control/limit retention of data;
- Encrypt the transmission of data (including emails);
- Manage marketing records for consent purposes;
- Provide secure integrated/cross platform solutions.
There are obstacles however for traditional sets where members tend to work in silos and self-manage their IT services. Those Chambers need to be prepared to face down opposition to deploying a more centrally managed approach to IT. That battle may be great, but respectfully, so too are the risks following GDPR. Whilst individual members may fall into the definition of ‘Controllers’ in relation to the way certain case data is used, Chambers certainly fall into the now equally legally liable category of ‘Processor’. It is no longer just one neck on the line…
It is not all about IT
It is important to remember why we have Data Protection laws, and what they represent. GDPR is not the construct of an evil mastermind intent on causing havoc. Yes, the increased liabilities and fines are real, as are the reasons for organisations to take heed and act. However, the ICO will not be handing out ‘punishments’ with sinister cruel intentions. The true spirt of this sphere of regulation is about protection of people. About ensuring personal information about all of us, remains private, secure, and cannot be sold or abused without control or consequence.
It would be foolish however, to think that putting up barriers, locking down data, or indeed that any amount of technology alone, provides all of the answers. Yes, without investment in IT, risks are higher. However, no matter how resilient the systems in place, or the size or the scope of a breach, usually it is the action/omission of ‘People’, someone inside an organisation, which is to blame.
The 2016 Cyber Security Intelligence Index, produced by IBM, attributed 60% of all cyber-attacks to employees. Couple that statistic with the very real possibility of data breach by human error (none of us are after all perfect) and the picture becomes clearer. Investment in people, placing them in the correct roles and providing dedicated training is a huge part of ensuring any business can manage risk and limit opportunities for breaches to occur.
It is common sense with any initiative to ensure that everyone ‘buys-in’ to the concept in hand. Educating members of chambers and staff about the importance of protecting data and the risks/consequences of data breaches are paramount to not only complying with, but also going beyond the GDPR.
Embedding good data protection practice as a principle from the ground up of an organisation, rather than as an afterthought, means that future legislative changes will be easier to face. GDPR is just the beginning. Recently leaked, were the details of the replacement for the EU e-Privacy Directive (the origin of the PECR). A consultation organised by Digital Minister, Mr Hancock also aims to determine how to implement the Network and Information Systems (NIS) directive, which aims at protecting ‘services’ not just data (with similar fines levied for insufficient protection of them too). The recent chaos caused by ransomware to the NHS is a good example of where failure in the maintenance of services can have a devastating effect.
Choose the right suppliers now, be proactive not reactive with technology.
However, firstly, trust and invest in your members and staff. By doing this you will be further ahead of the game than most in May 2018 and when the inevitable further regulation lands post-GDPR.
Damien Breingan is Product Development Manager for Bar Squared LEX