Law Society event hears there is no tick-box route to compliance with the new data protection regime – and 25 May will be the start, not the end of the process.

Anyone hoping to leave Chancery Lane with a cut-and-paste guarantee of conformance with the new data protection regime coming into force on 25 May would have been disappointed. During an often lively debate, speakers at the Law Society’s final GDPR readiness event emphasised that compliance with the General Data Protection Regulation coming into force in 19 working days is not a matter of ticking boxes. Rather, it is unique to each individual enterprise – and involves cultural changes that will continue long after the regulation comes into force.

Michael Cross byline

Michael Cross

Even the organisation with the job of enforcing the new regime, including its massive new maximum penalties (of which more later), admits to uncertainties. ‘We won’t have all the answers on day one,’ Richard Nevinson, policy and engagement manager at the Information Commissioner’s Office (ICO) told the event. He characterised the regulation as ‘principles-based legislation’, with not necessarily a right or a wrong way of achieving those principles. ‘Following a template is not necessarily going to guarantee that you are going to meet the requirements,’ Nevinson said.

The picture is complicated by the fact that legislation to replace the 1998 Data Protection Act with legislation that will mirror and extend the GDPR is still going through parliament.

Of course, some certainties about the new regime do exist, and authoritative free information is available to set firms on the road to compliance (see checklist, right).

The first certainty is that the GDPR takes direct effect as an EU-wide law on 25 May, with no period of grace.

The second is that the UK government is determined to preserve alignment during and after the Brexit process. It was not always so enthusiastic: an aide to David Cameron once described the regulation as a ‘demented’ piece of legislation which would cripple Europe’s already sluggish digital economy. However, the climate has changed and the Data Protection Bill is one of a handful of pieces of new legislation granted time in the parliamentary calendar alongside the EU withdrawal bill. The aim, of course, is to maintain the UK’s ‘adequacy’ status so that personal data can continue to flow to and from the EU after March next year. However, the bill also includes some UK-specific extensions and protections, including a derogation for legally privileged material from subject access requests.  As the Gazette went to press the bill was awaiting a date for its report stage.

Richard Nevinson, information commissioner's office

Richard Nevinson: ‘template won’t guarantee meeting the requirements’

A final certainty is that the new regime will tilt the balance of the law more towards the interests of people whose personal data is stored and processed – data subjects – rather than data processors or controllers. While the principles of data protection remain the same as under the 1998 legislation, the GDPR introduces a raft of new obligations on the way data subjects are informed of their rights and on dealing with their requests for information, alteration or deletion. For example, the time allowed to comply with subject-access requests for data is cut from 40 to 30 days.

At the Law Society’s preparatory half-day event, aptly named ‘down to the wire’, Nevinson was careful to deliver a reassuring message. The change in regime is ‘evolution not revolution’, he said – a line that has emerged repeatedly from the ICO over the past year. Nevinson’s boss, information commissioner Elizabeth Denham, has said: ‘I have no intention of changing our proportionate and pragmatic approach after 25 May. Voluntary compliance is the preferred route.’ Echoing that message, Nevinson noted that the number of fines the ICO levies annually is only in double figures. ‘We don’t anticipate any change to that,’ he said. The regulator would reserve its punitive powers for ‘those organisations who choose not to cooperate, or show deliberate disregard for the law.’

On the possible multi-million-euro fines, he said: ‘It is not our aim to put organisations out of business. If a breach warranted a fine of £30,000 under the Data Protection Act it probably warrants a similar fine under GDPR.’

So far, so good. The big snag, however, is that the GDPR regime introduces a whole new spectrum of misdemeanour.

The key concepts are accountability, with a new requirement to document how you are complying, transparency and ‘data protection by design’.

Subjects must be told the basis on which their information will be processed. Thanks to the barrage of ‘opt-in’ emails currently filling up inboxes, the most familiar is consent. However, Nevinson stressed that consent is only one of six lawful bases and will not be appropriate for many law firm purposes. (The other five are performance of a contract, compliance with a legal obligation, the vital interests of the data subject, legitimate interests of the data controller and public interest of exercise of official authority.) The Law Society’s guidance notes that the GDPR makes the consent criterion significantly more stringent than in the past: firms can no longer rely on pre-ticked boxes, infer consent from the lack of objection or rely on one consent to cover a range of processing activities. Consent must also be capable of being withdrawn as easily as it is given.

An important new duty is timely breach notification: the ICO must be notified no later than 72 hours where a breach is likely to result in risk to rights and freedoms of individuals. Data subjects must be notified ‘without undue delay’. However Nevinson noted that ‘high risk’ was ‘quite a movable target – you will have to exercise judgement’.

Hard-pressed partners and sole  practitioners already coping with an unforgiving regulatory regime could be forgiven a sense of frustration at having to chase ‘movable targets’.

The conference heard calls for the publication of compliance material, such as privacy notices, that would be specific to the sector. However, when asked by the Law Society’s technology policy adviser Tim Hill whether specific guidance would be forthcoming, Nevinson said: ‘I wouldn’t like to commit to that at the moment.’ In the interim, Hill commended the ICO’s 12-step guidance and the Law Society’s own checklist: ‘As we move into the next phase the work we have done will start to crystallise into sector-specific guidance.’

In the meantime there is an important safety net. Both the ICO and the Law Society stressed that firms that document their decision-making about data privacy will be in a much better position if their decisions subsequently turn out to be at odds with the way the regulation is being enforced. For example, the Law Society has advised that most firms will not be required to appoint a data protection officer under the GDPR – but that they should evaluate their data processing against the criteria for the mandatory appointment, document their decision and continuously review the decision. Nevinson agreed: ‘It is important to document that decision [not to appoint], and the reasons,’ he said. He also noted that there are ‘certainly advantages’ to appointing a data protection officer voluntarily.

Conference attendees also had the chance to question representatives of a range of organisations about their experiences in drawing up action plans: a high street firm, an international giant and a large local authority. A common concern appeared to be the risk of falling foul of the GDPR’s provision that personal data be kept ‘no longer than is necessary for the purposes for which the personal data are processed’. (Though of course this already exists as the fifth data protection principle.)

Peter Wright

Peter Wright: no one would get into trouble for keeping a will indefinitely

Chair Peter Wright of specialist firm DigitalLawUK responded that the key words were ‘necessary for the purposes’ – no one would get into trouble for keeping a will indefinitely. Judith Gower, a solicitor in the commercial law group at Hertfordshire County Council, mentioned another special case – children’s services records, which are kept for 99 years in case of later investigations or inquiries. At the opposite end of the spectrum are some HR records such as unsuccessful job applications.

Mark Pentecost, of Berwick firm Sanderson McCreath & Edney, found that his information uncovered that most files were being kept for 12 years. ‘We’re having a major clear-out, it’s amazing what you find,’ he said. However, the conference heard that some firms had discovered that older case management systems do not allow a ‘hard delete’ of out-of-date files. At global firm CMS Cameron McKenna Nabarro Olswang the situation is complicated by systems inherited with recent mergers, Valentina Zoghbi, head of risk and compliance, said. ‘We close a file automatically if it has not had any work done for six months,’ she noted. Any lawyer requesting reactivation will have to explain what they intend to do with the information – in itself a good discipline.

Again, the important thing is to document what you are doing, said Wright. ‘If your policy says keep data six years and it turns out you’ve been keeping it for 20 years, that’s a problem.’

DigitalLaw consultant Heather Anson summed up the overall lesson. ‘What the ICO is demanding from you is to think about it – and write down what you thought about it. We all want specific answers,’ she said – while reminding delegates that the most common answer lawyers give to clients asking for yes or no is: ‘It depends… This is a process, not something you have to do right as of 24 May. Do the best you can until you know better, and when you know better, do better.’


12-step list summarised here covers the ICO’s basic guidance.

1. Awareness and training. Ensure that decision-makers and key people are aware that the law is changing, appreciate the impact it is likely to have and identify areas that could cause compliance problems. 

2. Information you hold. Document what personal data you hold, where it came from and who you share it with. Firms with fewer than 250 employees need to document only those data processing activities that: are not occasional, could result in a risk to the rights and freedoms of individuals, or involve the processing of highly sensitive ‘special category’ data.

3. Communicating privacy information. Update the firm’s privacy notices to comply with the GDPR. This must be provided at the time personal data is obtained and should include the right for the data subject to withdraw their consent at any point where consent is the basis for processing. 

Tim Hill

Law Society technology policy adviser Tim Hill

4. Individuals’ rights. Check procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

5. Subject access requests. Update procedures and plan how you will handle requests to take account of the new rules. Clients should be able to access their personal data easily and in a concise, transparent and intelligible form.

6. Lawful basis for processing personal data. Firms should identify the lawful basis for processing, document it and update privacy notices to explain it.

7. Consent. Under the GDPR data subjects must be able to withdraw their consent to processing at any time and withdrawing must be as simple as granting it.

8. Children. Firms that process children’s data should pay particular attention to data protection by design. Privacy notices for services provided directly to children must be written with their understanding in mind.

9. Data breaches. Firms must have the right procedures in place to detect, report and investigate a breach of personal data. They should consider pseudonymising and encrypting the personal data they hold.

10. Data protection by design. This means that data controllers must put in place appropriate measures to implement the GDPR’s six data protection principles.

11. Data protection officers. Consider whether the firm should appoint a data protection officer on a mandatory or voluntary basis.

12. International. Firms operating in more than one EU member state should map their decision-making regarding data processing; firms sending personal data to third countries will need to consider ‘adequacy’ arrangements, or in their absence, binding corporate rules.

The full checklist is available here.


New frontiers in data protection, e-Privacy and workplace surveillance – Thursday 26 September 2019

Join us at this half-day conference and extend your knowledge on the GDPR / DPA, LawTech, latest developments in regulations, ePrivacy, be the first to hear about our new GDPR guidance, launching at this conference and more.