Bar Council blog: Orlagh Kelly - GDPR blog
Consumers are ready to exercise rights under GDPR
In last week's article, we highlighted the low level of awareness amongst businesses and barristers of the GDPR and their responsibilities under the legislation. By comparison, new research published this week proves consumers and clients are keenly aware and intent on exercising their increased rights post-May 2018.
Unsurprisingly, 58 per cent of respondents think the regulation is a positive step towards protecting their data and privacy. Perhaps reinforcing the rationale behind the GDPR and stricter data protection laws, only one in five (19%) were confident their personal data is used in the best possible way.
With over a third (34%) of respondents stating their intention to exercise their individual rights under the General Data Protection Regulation (GDPR), as data controllers, barristers should prepare themselves for processing a variety of requests.
What should a barrister expect?
Under the GDPR, clients have theright to be informed.Barristers need to be aware of the type of information they should supply and when individuals should be informed.Furthermore, the information must be "concise, transparent, intelligible and easily accessible"; written in clear and plain language and free of charge.
Clients will have theright of access, which allows individuals to request access to their personal data and supplementary information so they can be aware of and verify the lawfulness of the processing. It is only possible to refuse such request if it is manifestly unfounded, repetitive or excessive.
If an individual finds that data held is incorrect or incomplete, they have theright of rectification.The barrister must then take steps to correct the data held and contact anyone they have shared the information with the correct details.
Significantly, GDPR confers theright to be forgotten, which allows individuals to request the deletion of their personal data where there is no compelling reason to hold the information any longer. There is a relevant exemption for the legal profession which includes the exercise or defence of legal claims.
There are a number of others rights including the right to object, to restrict processing, to data portability and related to automatic decision making, which are of lesser significance to individual barristers.
What should barristers do?
The importance of a data protection policy for your practice cannot be underestimated as well as supporting privacy notices, which are clear and easily understood. These are the fundamental tools which detail how you manage, use, process, secure and dispose of personal data.
Any of these requests can be submitted at any time. They must be complied with, free of charge and generally within one month. Any refusal or lengthy delay risks a complaint to the Information Commissioner and/or the profession's regulator.
To comply cost-effectively and time-efficiently, barristers should review their current practices and determine how and for what length of time they store information, both in paper and electronic form. In terms of practicality, consider your current filing system, email account, offices, any storage archives, how easily could you retrieve information and comply with any of these requests? In terms of administration, barristers must be able to demonstrate their process for managing such requests, record any requests received and how they were complied with.
Any barrister or business who has processed a subject access request under data protection laws will concur that without appropriate policies and procedures, complying with such requests can be difficult, lengthy and costly. Preparing In advance of GDPR is key!