Understanding the Bar Council GDPR guide and what GDPR means for Barristers, Chambers and Legal Firms
A few thoughts on the Bar Council GDPR guide notes and Third Party Risk compliance. In October 2017 the Bar Council issued a GDPR guide for Barristers and Chambers that outlined the key issues and requirements for regulatory compliance.
The Bar Council GDPR guidance is a clear reminder for legal firms that Barristers and Chambers represent just as strong a potential risk to the security and privacy of data and systems as any other outsourced supplier or Third Party.
Understanding their roles and responsibilities in the data supply chain, particularly in respect of GDPR, is an important first step in assessing and managing the risks to data and systems, and in ensuring compliance with these new, strict regulations.
Beyond the usual references to GDPR definitions and related ICO guidance the Bar Council GDPR guide notes clearly point out the specific impacts and responsibilities GDPR represents for Barristers and Chambers.
Key takeaways from the Bar Council GDPR guide notes
Some of the key considerations specific to the privacy and security of personally identifiable information (PII) and the application of GDPR within this environment include:
Every individual practising barrister is a data controller. This means that every individual practising barrister must comply with GDPR requirements. In order to do so, individual barristers will need to give careful thought to a number of matters, including the period for which they retain emails and files relating to previous cases. As a data controller, the ultimate responsibility for compliance lies with you; in some situations that responsibility may be shared with a data processor, which has its own direct obligations under GDPR.
Each chambers is a data controller in respect of information about the management of chambers e.g. employment and assessment of staff and information about suppliers and marketing activities. Each chambers is very likely to be a data processor as a result of processing being carried out for barristers. There also may be circumstances where barristers carry out processing on behalf of Chambers e.g. management committees and recruitment.
A set of chambers which operates through a management company will be a data controller in respect of some matters, for example records relating to pupillage, employment of staff and marketing. Other sets of chambers operating under a different model may also be data controllers, depending on the set’s formal constitutional arrangements. Alternatively this role may fall to the Head of Chambers on behalf of Chambers. To the extent that the Chambers is a data controller, the set must comply with the obligations which apply to data controllers.
A barrister’s obligation of confidentiality is not limited to personal data. Commercial clients will have an expectation that the barristers they instruct will adopt appropriate measures to protect the information which they disclose to the barrister, in accordance with best practices which prevail from time to time. For these reasons, it is in many respects prudent to treat commercial data in a similar way to personal data.
Although the GDPR does not apply to personal data kept on paper unless contained in a filing system, the security of paper documents is also important.
Chambers will have obligations as a “data processor” where it provides IT facilities for use by, or for the benefit of, members of chambers and defined data processing activity is undertaken on those facilities, including:
1) a server for use by individual barristers for storage of files
2) an email server
3) a network for accessing those servers
4) a data connection to the internet
5) fee, diary and record-keeping software
6) client relationship software, and
7) facilities for record-keeping and document management in relation to chambers management, pupillage, diversity and employment of staff.
Clearly GDPR raises the stakes for any data processor and poses a potentially huge challenge for Barristers and Chambers who may now find themselves under a greater level of scrutiny over the use and storage of PII data.
Compliance should therefore be seen as imperative for all parties concerned, both as a matter of good business practice and to avoid the stringent penalties that can be levied on any person or legal entity found not to be in compliance with GDPR, particularly following a data breach.
Putting compliance of your data supply chain into practice is not quite so simple. EU regulators expect both data controllers and processors to go to great lengths to properly secure PII data. In order to meet GDPR’s requirements, you need a solution that centralises management of these assessments and streamlines the entire process. Legal Vendor Network and our GDPR Third Party Assessments deliver just that.
GDPR-readiness assessments for data controller and processors
Our GDPR Third Party Assessments use purpose-built GDPR questionnaires and assessments that provide a set of clear and well documented answers that accurately reflect each Third Party’s capability to comply with GDPR requirements. Our Risk Assessors can also include GDPR compliance assessments in onsite risk assessments, which can be integrated into your overarching risk assessment programme and analysis.
Legal Vendor Network is an innovative solution for Third Party Risk Management for the Legal sector. It operates in a “Complete Once, Share Many” model designed specifically for law firms of all sizes to perform smarter risk management through standardised risk assessments and threat monitoring of common Third and Fourth Party suppliers.
Members gain access to a supplier repository where they can view the supplier information, assessment results and documented evidence for any existing supplier’s risk assessments performed on behalf of other network members and upload any additional information specific to their own risk assessment needs – privately and securely.
As a result, Legal Vendor Network can significantly reduce the time, effort and cost of performing third party risk assessments and GDPR compliance programs for new and existing members. Learn more about Legal Vendor Network here.
With expert evaluation of the risks and compliance issues identified within each Third Party risk and GDPR assessment, our IT Security Consultants can also provide a detailed risk remediation plan illustrating where and how you and your Third Party can improve policies and procedures to ensure full GDPR compliance.
We’d be pleased to hear from you and help find the most cost-effective way to achieve optimal security and compliance throughout your data supply chain.
Call Us on +44 (0) 161 476 8700, or complete our Contact Form