The data imperative
With the arrival next May of the General Data Protection Regulation, protecting your clients’ data is more important than ever. Advice from Lockton on some basic duties, and how to prepare.
Client confidentiality is at the heart of the solicitor-client relationship. Breach it, and you risk your reputation. You also risk a fine from the Information Commissioner.
To date, the Information Commissioner has been a fairly benign force, with relatively few fines meted out. This may change in 2018. The new data protection regulations (the General Data Protection Regulation, or “GDPR”) which come into effect in May enable the regulator to issue much more stringent fines – up to £20 million for the vast majority of firms. There may be more incentive for the Information Commissioner to exercise their new muscles, as their funding model is also changing. In future their funding will come from the fines they levy.
Key GDPR changes to prepare for
With client work and day-to-day practice management issues to contend with, it is all too easy to put off putting procedures in place to ensure compliance with regulatory changes.
Here is a summary of some of the changes for which you will need to be prepared from May 2018:
- There is a new requirement to keep records of what personal data of clients you process, and how you process it.
- Certain information requires a privacy impact assessment.
- Subjects of a data breach will be entitled to compensation.
- Under a right of data portability, client data you hold in electronic form must be transferable to another solicitor on the client’s request.
- All data security breaches must be notified to the Information Commissioner within three days, where practicable.
- Data subjects must be notified of breaches where there is a high risk to their rights and freedoms.
What should you be doing?
- Ensure that key personnel are aware of the impending changes, and designate someone as having responsibility for data protection matters.
- Document the personal data you hold, where it came from, and who you share it with (for example, if you use any “cloud computing” solutions or external archiving services, these are parties with whom you share clients’ personal data).
- Plan your approach to data security breach notifications. You will need a process for recording breaches, the nature of the impact, and who is impacted.
- If you are not already recording how and when you receive consent to hold and use data, implement a process now.
Can I insure against ICO fines?
In recent blogs, the Information Commissioner (ICO), Elizabeth Denham, counters many of the myths that have been spreading regarding GDPR, particularly regarding fines. She states that concentrating on fines misses the point of the GDPR, and that the ICO is “committed to guiding, advising and educating organisations… preferring the carrot to the stick”.
The possibility of large fines poses a tricky but fundamental question that many of Lockton’s clients are currently asking: are these fines insurable? Despite the ICO having had the power to levy fines under existing legislation for some time, relatively little helpful guidance is available on the question of insurability. The answer may depend on the language and detail of the implementing legislation. We are, however, able to summarise some of the key high-level principles which we believe are likely to be applicable.
At the heart of the matter is whether the fine would be considered criminal or quasi-criminal in nature by a court of law. If it would, then as a matter of public policy courts are unlikely to allow any such penal sanctions to be indemnified by another. To do so would be to allow the intended deterrent effect of the fines to be defeated or circumvented. There may be limited circumstances where an insured organisation might be allowed to be indemnified for fines or penalties arising from unlawful acts of strict liability, although for such sums to be indemnifiable the insured’s actions would need to have been entirely free of fault or moral turpitude.
In practice, therefore, it is probably safest at present to work on the assumption that, in most cases, fines are unlikely to be insurable. Guidance for the insurance industry will evolve as the implementing legislation comes into force and new case law is established. In the meantime, while there remains a degree of opaqueness about this issue, it is clear that a specialist cyber insurance policy can still be very beneficial to an organisation dealing with a breach of the GDPR. For example, a cyber insurance policy can (subject as ever to policy terms and conditions):
- pay the costs associated with the ICO’s investigation;
- through deploying the insurers’ breach response teams, pay the costs incurred in complying with the onerous notification requirements in all jurisdictions;
- pay the legal costs and compensation claims brought against the insured organisation due to a breach of the GDPR;
- pay the costs incurred to mitigate the impact on an organisation’s reputation following a breach of the regulation.
Calum MacLean is director of risk management for Lockton’s professions clients. He is a solicitor who has specialised in risk and compliance for the legal profession for the last 10 years, following a career in private practice. Email: firstname.lastname@example.org
CPD – a risk-based approach
It is the time of year when many solicitors are chasing their final CPD points. You should ideally be seeking out CPD that is relevant: to your area of practice, to recent developments (such as the new AML regulations) and to your own development needs.
One area in which many of us are perhaps less well versed than we need to be is the subject of online security. With the imminent introduction of the new data protection regime, and the constant barrage of news stories about one data breach after another, there has never been a better time to focus on this vital aspect of risk management.
We are seeing a continued rise in claims arising from frauds and scams, particularly arising from the increase in online crime. The Law Society of Scotland has issued valuable cybersecurity guidance which provides an excellent overview of the risks you should be considering.
Lockton has also produced a range of online webinars, and e-learning, including modules on password security and phishing awareness, which you can find on the dedicated Scottish solicitors’ website.
If you are your firm’s risk management contact, you will already have read an update from David Cullen, the registrar at the Society, inviting feedback on a proposal by the Insurance Committee to introduce an element of compulsory risk management CPD into the annual 20-hour target. Lockton negotiated very favourable Master Policy renewal terms with insurers, offering a reducing global premium over a three-year period, subject to a number of criteria. At the heart of these was a requirement to see a continued trend of reducing claim numbers and values.
Ensuring that members of the profession, at all levels, engage proactively in relevant risk reduction training is therefore of benefit to the whole profession. Encourage your colleagues to take a look at the risk management resources and CPD courses freely available on the Lockton website.