Personal injury law firms are among those most at risk of fines under the General Data Protection Regulation (GDPR), while data subject access requests are increasingly being used as a litigation tactic, it has emerged.
Specialist Liverpool law firm Legal Risk identified three particular risks arising from GDPR: one for domestic firms, one for international firms, and one for all firms.
In his predictions for 2019, partner Frank Maher said: “On the home front, we believe personal injury firms are highly exposed through a combination of handling large volumes of medical records and, in many cases, a degree of complacency.
“We have already encountered a post-GDPR example of medical records in a file left in a cab, and a case where copies of two clients’ records were mistakenly sent to two other clients jointly instructing the same firm.
“But this is barely the tip of the iceberg: medical records and reports are routinely copied many times into instructions for counsel and experts, court bundles and file copies, exponentially increasing the risk of data breach.
“Can you account for what happens to each and every copy when the case is finished? The same principles apply to other areas of work.”
Many international firms, Mr Maher said, relied on the standard contractual clauses issued by the European Commission for transferring personal data outside the EEA.
But he questioned whether firms would be able to find a signed, complete copy when a data breach occurred.
“We have heard of a scanned copy from a leading law firm’s overseas office which comprised only alternate pages, and the Information Commissioner’s Office (ICO) monetary penalty notice in the Equifax case noted that no signed copy could be found…
“Even if you have a signed, complete copy, did your compliance end with the signing of the agreement incorporating the model clauses? In the Equifax case, the ICO found that there were no audits or adequate checks.
“The data processing agreement failed to provide adequate safeguards and security requirements, and numerous technical breaches were identified.”
The third risk, common to all firms, was failing to keep staff updated on GDPR after the initial training that many received earlier this year, and not training new joiners at all.
Mr Maher pointed out that inadequate training was a factor in the ICO's fine of Heathrow Airport over its data breach.
He continued: “Data subject access requests are increasingly being used as a tactic in litigation, including partnership disputes and employment.
“It may be possible, in appropriate cases, to resist the request on the basis of legal professional privilege but it is critical to examine the basis on which privilege is claimed.”
Another issue for international firms was how GDPR compliance issues were being tackled in other European countries.
Mr Maher said: “We have seen a German court fine on a lawyer for an incomplete privacy notice, and the French supervisory authority has taken the point that if you rely on a third party to obtain consent, that does not relieve you of your obligation to verify that the consent is valid; auditing, by definition, cannot suffice, because it is only a spot check.”
Brexit was also causing uncertainty over GDPR, he added.