Law firms “need data-sharing guidance” to avoid GDPR breaches


Pelham: ICO needs to be as clear as possible

The Information Commissioner needs to provide specific guidance to law firms on how they can lawfully share personal data, a leading City law firm has argued.

Kennedys said it had already come across problems since the implementation last year of the General Data Protection Regulation (GDPR).

Responding to the Information Commissioner’s Office consultation on a new statutory code of practice on data sharing, Kennedys said broadly that the draft was inadequate because it focused on the general requirements of the GDPR without seeking to apply them to the specific practice of data sharing.

Issues the firm said it has already encountered included insurer clients concerned that they were unable to obtain sufficient information from their insured clients in order to assess claims.

It also explained how, in a data breach response situation, Kennedys has found clients “reluctant to disclose sufficient information to us to facilitate data subject notification process (for example, customer database lists)”.

The response said: “This has the potential to cause unnecessary delays, and clarity on this situation would be helpful.”

These scenarios called into question the potential applicability of article 14 of the GDPR, Kennedys said, “as this would lead to a situation where an insurer or solicitor becomes a controller of personal data which has not been obtained directly from the data subject”.

Guidance on data sharing in legal practice needed to cover sharing personal data with the court, counterparties and witnesses in the context of litigation.

“There is a brief, albeit helpful, case study provided by the Law Society of Scotland that outlines the parties that law firms share data with on a regular basis. That guidance coupled with further clarification in the draft code would be of assistance.”

Though the ICO specified the importance of data sharing in the context of mergers and acquisitions, the response continued, Kennedys said there was limited focus on the sharing of personal data as part of the due diligence process prior to a merger or acquisition. This too would benefit from more clarity.

“From an industry perspective, particularly in respect of our insurer clients, we would also be interested to see case scenarios within the insurance sector for the purposes of underwriting and claims, e.g. in the context of fraud prevention and access to medical records.

“This information would also provide guidance to not only the insurance market but across the retail finance industry.”

Partner Tom Pelham, who heads Kennedys’ UK cyber practice, said: “We are all still feeling our way through the requirements imposed GDPR and the guidance as drafted will do little to help anyone understand the limits of data sharing.

“This is a pivotal issue for so many enterprises, and it is vital that the guidance reflects that.

“The huge fines the ICO has handed out to BA and Marriott highlight the risks of non-compliance with GDPR, and so it is incumbent on the commissioner to be as clear as possible on how the rules work.”




Leave a Comment

By clicking Submit you consent to Legal Futures storing your personal data and confirm you have read our Privacy Policy and section 5 of our Terms & Conditions which deals with user-generated content. All comments will be moderated before posting.

Required fields are marked *
Email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Reports

Our latest special report, produced in association with Temple Legal Protection, looks at the role of after-the-event (ATE) insurance in commercial litigation post-LASPO. We are at a time when insurers, solicitors, clients and litigation funders work ever more closely to create funding packages that work for all of them, with conditional fee and even damages-based agreements now part of many law firms’ armoury.

Blog

16 September 2019

The Amazon effect

I have to be honest and say it still amazes me how many lawyers we come into contact with, who are still behaving like dinosaurs when it comes to technology. It’s not about chronological age.

Read More

Loading animation