Some lawyers have been suffering from “GDPR fever” over the past year and given bad advice based on limited knowledge or too cautious an approach, a leading data protection law specialist has warned.
Robert Bond, who is chairing our upcoming GDPR, e-Privacy and Cybersecurity Masterclass, also told law firms that criminals saw them as the weak link in security that could be their way into clients’ commercially sensitive information.
Mr Bond, a partner at London law firm Bristows, said there has been “a lot of misinterpretation of what law requires”, such as the idea that GDPR was all about consent when actually it was only one of six lawful grounds for processing somebody’s data.
“We were surprised by the number of emails flying around asking for consent for newsletters and so on,” he said. “There’s nothing in GDPR that says you need to seek permission again if you already have a relationship with an individual.”
There has also been confusion about the roles of the controller and the processor of personal data, as well as individuals believing they have certain “absolute rights” in relation to data about themselves, when they do not.
“There was probably an element of GDPR fever where lawyers were giving advice in circumstances where they weren’t best placed to do so. The problem is that you don’t know what you don’t know. This is a niche area of law,” said Mr Bond.
This could lead to clients claiming compensation on the basis that the advice cost them significant amounts of lost revenue.
The solicitor said the majority of law firms have taken their own compliance with GDPR seriously.
“When I look at the main players, they’ve all got good privacy notices on their websites, and no doubt all have updated their letters of engagement.
“But I can imagine it may not have been done as appropriately as it should have been done by some practices as it is quite an investment. I suspect there’s still quite a lot of catch-up to be done.”
Mr Bond added that GDPR “has been a wake-up call”, because firms should have been dealing with many of these issues – such as registering with the Information Commissioner’s Office – before the law came into force last May and the new processing fee regime does not exempt law firms.
So far as cybersecurity was concerned, Mr Bond pointed to several instances in both the UK and US where law firms have lost a significant amount of data “through a lack of everything – from process to adequate security”. And that’s before considering the Panama Papers hack.
Law firms sit on a “rich trove of information”, he said: “We’re as guilty as everyone else in saying ‘It’ll never happen to us’. But why would a cybercriminal try hacking into General Dynamics to get plans for the next fighter jet when they can go to the law firm dealing with the patent filing?”
And then there were all the inadvertent errors, such as emails with the wrong attachment or selfies with a whiteboard in the background containing the masterplan of a client’s merger.
Law firms also needed to remember that this was not just an internal issue – larger corporate clients will audit their panel firms’ compliance with cybersecurity standards.
“You find that, by carrying out the compliance, you are in a better position to market it as a differentiator,” Mr Bond pointed out.
“If it goes wrong, it’s not so much the fine that follows that’s the problem as the fact we are a trusted profession. Trust is lost in a nanosecond.”
He continued: “My experience is that there is much more being done in this area in terms of training, better policies and procedures, and any firm has got to recognise that they will have an issue and the absence of training and process is just going to exacerbate what happens next.
“You should be doing it anyway but you should be doing it as a defensive mechanism.”
The Masterclass is taking place on 2 April in London.