Law firms “need data-sharing guidance” to avoid GDPR breaches


Pelham: ICO needs to be as clear as possible

The Information Commissioner needs to provide specific guidance to law firms on how they can lawfully share personal data, a leading City law firm has argued.

Kennedys said it had already come across problems since the implementation last year of the General Data Protection Regulation (GDPR).

Responding to the Information Commissioner’s Office consultation on a new statutory code of practice on data sharing, Kennedys said broadly that the draft was inadequate because it focused on the general requirements of the GDPR without seeking to apply them to the specific practice of data sharing.

Issues the firm said it has already encountered included insurer clients concerned that they were unable to obtain sufficient information from their insured clients in order to assess claims.

It also explained how, in a data breach response situation, Kennedys has found clients “reluctant to disclose sufficient information to us to facilitate data subject notification process (for example, customer database lists)”.

The response said: “This has the potential to cause unnecessary delays, and clarity on this situation would be helpful.”

These scenarios called into question the potential applicability of article 14 of the GDPR, Kennedys said, “as this would lead to a situation where an insurer or solicitor becomes a controller of personal data which has not been obtained directly from the data subject”.

Guidance on data sharing in legal practice needed to cover sharing personal data with the court, counterparties and witnesses in the context of litigation.

“There is a brief, albeit helpful, case study provided by the Law Society of Scotland that outlines the parties that law firms share data with on a regular basis. That guidance coupled with further clarification in the draft code would be of assistance.”

Though the ICO specified the importance of data sharing in the context of mergers and acquisitions, the response continued, Kennedys said there was limited focus on the sharing of personal data as part of the due diligence process prior to a merger or acquisition. This too would benefit from more clarity.

“From an industry perspective, particularly in respect of our insurer clients, we would also be interested to see case scenarios within the insurance sector for the purposes of underwriting and claims, e.g. in the context of fraud prevention and access to medical records.

“This information would also provide guidance to not only the insurance market but across the retail finance industry.”

Partner Tom Pelham, who heads Kennedys’ UK cyber practice, said: “We are all still feeling our way through the requirements imposed GDPR and the guidance as drafted will do little to help anyone understand the limits of data sharing.

“This is a pivotal issue for so many enterprises, and it is vital that the guidance reflects that.

“The huge fines the ICO has handed out to BA and Marriott highlight the risks of non-compliance with GDPR, and so it is incumbent on the commissioner to be as clear as possible on how the rules work.”




Leave a Comment

By clicking Submit you consent to Legal Futures storing your personal data and confirm you have read our Privacy Policy and section 5 of our Terms & Conditions which deals with user-generated content. All comments will be moderated before posting.

Required fields are marked *
Email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog


The spectrum of vulnerability

Identifying and supporting clients who are vulnerable or in vulnerable circumstances is exceptionally important and for some time been a clear focus of the FCA and SRA.


Family mediator accreditation: can we simplify the process?

For family mediation week in January, the Family Mediation Council suggested making a pledge. Mine was to the FMC itself: to make the accreditation process more straightforward.


Can data solve the growing employment claims conundrum?

The number of employment law claims being lodged in the UK is on the rise, and both employers and the tribunal system are finding it challenging to cope.


Loading animation
loading