Legal Futures - https://www.legalfutures.co.uk

Law firms “need data-sharing guidance” to avoid GDPR breaches

Pelham: ICO needs to be as clear as possible

The Information Commissioner needs to provide specific guidance to law firms on how they can lawfully share personal data, a leading City law firm has argued.

Kennedys said it had already come across problems since the implementation last year of the General Data Protection Regulation (GDPR).

Responding to the Information Commissioner’s Office consultation on a new statutory code of practice on data sharing, Kennedys said broadly that the draft was inadequate because it focused on the general requirements of the GDPR without seeking to apply them to the specific practice of data sharing.

Issues the firm said it has already encountered included insurer clients concerned that they were unable to obtain sufficient information from their insured clients in order to assess claims.

It also explained how, in a data breach response situation, Kennedys has found clients “reluctant to disclose sufficient information to us to facilitate the data subject notification process (for example, customer database lists)”.

The response said: “This has the potential to cause unnecessary delays, and clarity on this situation would be helpful.”

These scenarios called into question the potential applicability of article 14 of the GDPR, Kennedys said, “as this would lead to a situation where an insurer or solicitor becomes a controller of personal data which has not been obtained directly from the data subject”.

Guidance on data sharing in legal practice needed to cover sharing personal data with the court, counterparties and witnesses in the context of litigation.

“There is a brief, albeit helpful, case study provided by the Law Society of Scotland that outlines the parties that law firms share data with on a regular basis. That guidance coupled with further clarification in the draft code would be of assistance.”

Though the ICO specified the importance of data sharing in the context of mergers and acquisitions, Kennedys said in its response that there was limited focus on the sharing of personal data as part of the due diligence process prior to a merger or acquisition. This too would benefit from more clarity.

“From an industry perspective, particularly in respect of our insurer clients, we would also be interested to see case scenarios within the insurance sector for the purposes of underwriting and claims, e.g. in the context of fraud prevention and access to medical records.

“This information would also provide guidance to not only the insurance market but across the retail finance industry.”

Partner Tom Pelham, who heads Kennedys’ UK cyber practice, said: “We are all still feeling our way through the requirements imposed by GDPR and the guidance as drafted will do little to help anyone understand the limits of data sharing.

“This is a pivotal issue for so many enterprises, and it is vital that the guidance reflects that.

“The huge fines the ICO has handed out to BA and Marriott highlight the risks of non-compliance with GDPR, and so it is incumbent on the commissioner to be as clear as possible on how the rules work.”