*/
In light of its upcoming five-year anniversary, Orlagh Kelly considers the evolution, experience and future of GDPR for the Bar
It’s hard to believe it’s been five years since the General Data Protection Regulations (GDPR) came into force in the UK. If I look back to that time, I spent the first part of 2018 in a blur of Bar Council speaking events, GDPR audits in chambers, and developing online training to support chambers and barristers get ready for the ‘big day’... 25 May, 2018. The furore around that date was almost unprecedented for what was simply an update to an existing piece of legislation. It certainly captured the attention of the business world at the time, and it is interesting to reflect on what we knew then and how the initial five years have panned out, particularly at the Bar.
Similar to the Y2K hype on the run-up to 31 December 1999 some hoped after the pivotal implementation period that GDPR would ‘just go away’. Included in this thought process was the idea that some work had to be done in advance of the date and that it could then be largely forgotten about thereafter. I think it’s fair to say that assumption has been proven wrong and, in fact, that date was just the beginning of a new era of privacy and data protection. With the Bar having been the focused target of cyber criminals for a number of years, and with the close link between cyber-attacks and data protection, I have observed chambers generally move to embedding data security and privacy throughout all operations, consistently reviewing and updating policies and training in light of legal sector data breaches, and continually investing more and more in IT security.
In early 2018, I observed two dominant schools of thought around how self-employed barristers would comply with the legal obligations placed on them by the then new GDPR legislation.
One, the minority view, was that this was a chambers-wide issue and that chambers would support or mandate certain steps that each member had to take. Some chambers even changed their constitution to insist that each member complete GDPR training annually and provide evidence of the other legal requirements being met, or risk being removed from chambers. This led to chambers-wide policies and procedures and a real awareness of the risks that data breaches presented to the entire membership and how they should be managed. In the early days of mandatory reporting a data breach to the Information Commissioner’s Office (ICO), it also meant that these barristers had the advantage of having a solid foundation to present a defence.
Somewhat understandably, the more dominantly held view was that each barrister was self-employed, and as such, each was responsible for making sure they were compliant with the legislation; it wasn’t the responsibility of chambers. This was certainly an easier approach to take at the time, however, it inevitably led to patchy, or poor GDPR compliance standards being implemented, if any at all.
That mindset has shifted significantly. High-profile chambers’ data breaches, that have hit the press, as well as five years’ experience of how easily and often barristers have data breaches, mean that most sets now fully appreciate that it only takes one member clicking on one phishing email to financially and reputationally impact chambers, and therefore everyone that depends on the chambers brand suffers too. The 2021 Bar Standards Board Regulatory Return also seems to indicate some expectation of chambers-wide accountability. Routinely now, chambers mandate a consistent standard of compliance with evidence of same for all their members as a minimum standard in an effort to protect everyone’s livelihood.
Already, there has been a steady increase in Subject Access Requests from unsuccessful pupil applicants, unhappy staff and disgruntled clients and ex-employees. These are costly in terms of time, resources and financially for chambers, and so new technology and advice services are being considered to cater for a generation of people who don’t always just take no for an answer but use the rights available to them.
The increased use of technology by barristers and chambers and the Court Service throughout the pandemic was staggering, and the efficiencies that digital change now allows mean that increased tech use at the Bar is here to stay. That brings with it security and privacy issues and risks that will need to be managed. In another five years, I expect that chambers’ budgets will have to account for much higher data security costs, and specialised in-house IT personnel may become de rigeur.
I anticipate that, in due course, the ICO will issue a GDPR certification scheme for the legal sector, which will become a standard that all legal service providers, including chambers, will have to meet to continue to deliver legal services. If this happens, it would be a very positive step forward as it would help chambers move out of that grey area, not knowing if they’re actually GDPR compliant or not and create a system of compliance that the legal sector as a whole could rely on, doing away with the dreaded due diligence questionnaires that have been prevalent for the past two years. This would greatly help focus the minds on what real compliance looks like and ease the stress of those tasked with ensuring compliance.
Finally, although we’re only on the precipice, I predict that the increased useability of artificial intelligence such as Chat GPT will be mainstream in the next five years and the accompanying plagiarism, HR and privacy issues will be another problem that chambers pre-GDPR simply did not have to think about.
On reflection the changes in how the Bar now operates, along with how the online world is developing, it is clear that GDPR for the Bar is now more complex than we could ever have predicted, and it’s going to continue to evolve in that direction.
Orlagh Kelly, Barrister & CEO of Briefed, is a highly experienced barrister, accomplished legal technologist and internationally renowned authority on data protection. It is that unique blend of legal expertise and entrepreneurial spirit which inspired her to found Briefed in 2012.
It’s hard to believe it’s been five years since the General Data Protection Regulations (GDPR) came into force in the UK. If I look back to that time, I spent the first part of 2018 in a blur of Bar Council speaking events, GDPR audits in chambers, and developing online training to support chambers and barristers get ready for the ‘big day’... 25 May, 2018. The furore around that date was almost unprecedented for what was simply an update to an existing piece of legislation. It certainly captured the attention of the business world at the time, and it is interesting to reflect on what we knew then and how the initial five years have panned out, particularly at the Bar.
Similar to the Y2K hype on the run-up to 31 December 1999 some hoped after the pivotal implementation period that GDPR would ‘just go away’. Included in this thought process was the idea that some work had to be done in advance of the date and that it could then be largely forgotten about thereafter. I think it’s fair to say that assumption has been proven wrong and, in fact, that date was just the beginning of a new era of privacy and data protection. With the Bar having been the focused target of cyber criminals for a number of years, and with the close link between cyber-attacks and data protection, I have observed chambers generally move to embedding data security and privacy throughout all operations, consistently reviewing and updating policies and training in light of legal sector data breaches, and continually investing more and more in IT security.
In early 2018, I observed two dominant schools of thought around how self-employed barristers would comply with the legal obligations placed on them by the then new GDPR legislation.
One, the minority view, was that this was a chambers-wide issue and that chambers would support or mandate certain steps that each member had to take. Some chambers even changed their constitution to insist that each member complete GDPR training annually and provide evidence of the other legal requirements being met, or risk being removed from chambers. This led to chambers-wide policies and procedures and a real awareness of the risks that data breaches presented to the entire membership and how they should be managed. In the early days of mandatory reporting a data breach to the Information Commissioner’s Office (ICO), it also meant that these barristers had the advantage of having a solid foundation to present a defence.
Somewhat understandably, the more dominantly held view was that each barrister was self-employed, and as such, each was responsible for making sure they were compliant with the legislation; it wasn’t the responsibility of chambers. This was certainly an easier approach to take at the time, however, it inevitably led to patchy, or poor GDPR compliance standards being implemented, if any at all.
That mindset has shifted significantly. High-profile chambers’ data breaches, that have hit the press, as well as five years’ experience of how easily and often barristers have data breaches, mean that most sets now fully appreciate that it only takes one member clicking on one phishing email to financially and reputationally impact chambers, and therefore everyone that depends on the chambers brand suffers too. The 2021 Bar Standards Board Regulatory Return also seems to indicate some expectation of chambers-wide accountability. Routinely now, chambers mandate a consistent standard of compliance with evidence of same for all their members as a minimum standard in an effort to protect everyone’s livelihood.
Already, there has been a steady increase in Subject Access Requests from unsuccessful pupil applicants, unhappy staff and disgruntled clients and ex-employees. These are costly in terms of time, resources and financially for chambers, and so new technology and advice services are being considered to cater for a generation of people who don’t always just take no for an answer but use the rights available to them.
The increased use of technology by barristers and chambers and the Court Service throughout the pandemic was staggering, and the efficiencies that digital change now allows mean that increased tech use at the Bar is here to stay. That brings with it security and privacy issues and risks that will need to be managed. In another five years, I expect that chambers’ budgets will have to account for much higher data security costs, and specialised in-house IT personnel may become de rigeur.
I anticipate that, in due course, the ICO will issue a GDPR certification scheme for the legal sector, which will become a standard that all legal service providers, including chambers, will have to meet to continue to deliver legal services. If this happens, it would be a very positive step forward as it would help chambers move out of that grey area, not knowing if they’re actually GDPR compliant or not and create a system of compliance that the legal sector as a whole could rely on, doing away with the dreaded due diligence questionnaires that have been prevalent for the past two years. This would greatly help focus the minds on what real compliance looks like and ease the stress of those tasked with ensuring compliance.
Finally, although we’re only on the precipice, I predict that the increased useability of artificial intelligence such as Chat GPT will be mainstream in the next five years and the accompanying plagiarism, HR and privacy issues will be another problem that chambers pre-GDPR simply did not have to think about.
On reflection the changes in how the Bar now operates, along with how the online world is developing, it is clear that GDPR for the Bar is now more complex than we could ever have predicted, and it’s going to continue to evolve in that direction.
In light of its upcoming five-year anniversary, Orlagh Kelly considers the evolution, experience and future of GDPR for the Bar
The Chair of the Bar sets out how the new government can restore the justice system
In the first of a new series, Louise Crush of Westgate Wealth considers the fundamental need for financial protection
Unlocking your aged debt to fund your tax in one easy step. By Philip N Bristow
Possibly, but many barristers are glad he did…
Mental health charity Mind BWW has received a £500 donation from drug, alcohol and DNA testing laboratory, AlphaBiolabs as part of its Giving Back campaign
The Institute of Neurotechnology & Law is thrilled to announce its inaugural essay competition
How to navigate open source evidence in an era of deepfakes. By Professor Yvonne McDermott Rees and Professor Alexa Koenig
Brie Stevens-Hoare KC and Lyndsey de Mestre KC take a look at the difficulties women encounter during the menopause, and offer some practical tips for individuals and chambers to make things easier
Sir Geoffrey Vos, Master of the Rolls and Head of Civil Justice since January 2021, is well known for his passion for access to justice and all things digital. Perhaps less widely known is the driven personality and wanderlust that lies behind this, as Anthony Inglese CB discovers
The Chair of the Bar sets out how the new government can restore the justice system
No-one should have to live in sub-standard accommodation, says Antony Hodari Solicitors. We are tackling the problem of bad housing with a two-pronged approach and act on behalf of tenants in both the civil and criminal courts
-(1)-(002).tmb-carlisting79eb.png){kind=logo}
