First, the GDPR will on that date have direct effect across all EU member states. There is a UK bill – the Data Protection Bill – making its way through Parliament at present, but it will not undermine the applicability of the GDPR as from 25 May 2018. The GDPR and the UK bill should be read side by side.
The UK bill contains a number of provisions that arise, for instance, from the GDPR giving member states limited opportunities to make provisions for how the GDPR applies in each country. However, the UK bill is not limited to GDPR provisions, and also covers items such as data processing outside the GDPR (for instance, covering immigration), along with national security provisions.
The UK bill has been dogged by some controversy, because of issues outside the GDPR. Two votes in the House of Lords a few weeks ago supported the launch of Part 2 of the Leveson Inquiry into alleged data protection breaches by the media, and also required the press to sign up to a state-supported regulator or else pay their own and their opponents’ legal costs in relation to alleged data protection breaches, even if they were successful in court.
Regarding implementation of the GDPR, the Law Society has so far mainly referred solicitors to the general advice contained on the Information Commissioner’s Office (ICO) website. This is certainly useful, but is not tailored to the specific needs of lawyers. The European Commission’s website has further useful general advice.
Last week, the Law Society issued its first tailored advice, in relation to the appointment of a data protection officer (DPO).
The guidance drew attention to the need to bear in mind, when making a DPO appointment, the difficulty of juggling the various duties of being a DPO: expertise, independence, the avoidance of conflicts of interest, the conduct rules, the partnership agreement and applicable legal rules.
However, there has been lawyer-specific advice available for some months. The Council of Bars and Law Societies (CCBE) issued guidance for lawyers on the main new compliance measures in the middle of last year. It also has a long section on the appointment of a DPO, which seems likely to be one of the most problematic areas.
However, the CCBE was more specific in its advice, addressing in particular the situation where a lawyer might be asked to be a DPO by a client:
‘The assimilation of the two functions (lawyer/DPO) and the risk of confusion between these functions are a key point for any lawyer who might be appointed as a DPO at the request of a client. A lawyer who is placed in such a position may find that he will need to alternate between the DPO function and the function of a lawyer exercising a regulated profession … In view of this potential conflict of interest, Bars and Law Societies may wish to recommend lawyers to assume such a responsibility of a DPO for an external client only if they have neither acted as a lawyer in matters which might fall within the DPO’s responsibility nor will act, during their term as DPO, as a lawyer in matters they were or are involved in as DPO.’
In addition to this, there is widespread commercial training available, and there are books and other guides. You have been warned.
On the topic of data, but unconnected to the GDPR, there was an important development reported in the US last week about border searches of data devices owned by lawyers. I wrote last year that the president of the American Bar Association (ABA) had written to the US government complaining about the effect of such searches on lawyer-client confidentiality. The Department of Homeland Security has now issued new advice, with some improvements.
Although a subpoena will still not be required, the improvements include that: a Customs and Border Protection senior counsel should be consulted before searching a lawyer’s device; privileged material should be segregated, and copies of it should be disposed of at the end of the review process; only material stored on the device may be searched, and nothing stored in the cloud; and passwords may be requested, but must be destroyed afterwards.
The ABA had a meeting last week over the border in Canada, and issued useful advice to delegates travelling to that meeting, such as: travel as light as possible regarding confidential data, carry lawyer ID, be prepared to distinguish between a request and a demand for inspection, and if you are inspected, consider whether you need to notify clients. This should be heeded by all travelling lawyers.