Law firms “need data-sharing guidance” to avoid GDPR breaches

Pelham: ICO needs to be as clear as possible

The Information Commissioner needs to provide specific guidance to law firms on how they can lawfully share personal data, a leading City law firm has argued.

Kennedys said it had already come across problems since the implementation last year of the General Data Protection Regulation (GDPR).

Responding to the Information Commissioner’s Office consultation on a new statutory code of practice on data sharing, Kennedys said broadly that the draft was inadequate because it focused on the general requirements of the GDPR without seeking to apply them to the specific practice of data sharing.

Issues the firm said it has already encountered included insurer clients concerned that they were unable to obtain sufficient information from their insured clients in order to assess claims.

It also explained how, in a data breach response situation, Kennedys has found clients “reluctant to disclose sufficient information to us to facilitate data subject notification process (for example, customer database lists)”.

The response said: “This has the potential to cause unnecessary delays, and clarity on this situation would be helpful.”

These scenarios called into question the potential applicability of article 14 of the GDPR, Kennedys said, “as this would lead to a situation where an insurer or solicitor becomes a controller of personal data which has not been obtained directly from the data subject”.

Guidance on data sharing in legal practice needed to cover sharing personal data with the court, counterparties and witnesses in the context of litigation.

“There is a brief, albeit helpful, case study provided by the Law Society of Scotland that outlines the parties that law firms share data with on a regular basis. That guidance coupled with further clarification in the draft code would be of assistance.”

The response continued that, though the ICO specified the importance of data sharing in the context of mergers and acquisitions, there was limited focus on the sharing of personal data as part of the due diligence process prior to a merger or acquisition. This too would benefit from more clarity.

“From an industry perspective, particularly in respect of our insurer clients, we would also be interested to see case scenarios within the insurance sector for the purposes of underwriting and claims, e.g. in the context of fraud prevention and access to medical records.

“This information would also provide guidance to not only the insurance market but across the retail finance industry.”

Partner Tom Pelham, who heads Kennedys’ UK cyber practice, said: “We are all still feeling our way through the requirements imposed by GDPR and the guidance as drafted will do little to help anyone understand the limits of data sharing.

“This is a pivotal issue for so many enterprises, and it is vital that the guidance reflects that.

“The huge fines the ICO has handed out to BA and Marriott highlight the risks of non-compliance with GDPR, and so it is incumbent on the commissioner to be as clear as possible on how the rules work.”
