Interpretation of GDPR risks, SRA inconsistencies and Iran condemnation: your letters to the editor

GDPR risks open to interpretation

John Hyde’s story ‘Lawyers warned over potentially negligent GDPR advice’ (4 March) highlighted the fundamental problem of regulations that allow for differing interpretations. The article focused on the views of the marketing network DMA Group, which claimed solicitor negligence and plainly wanted a relaxed interpretation of the General Data Protection Regulation.

However, the problem is more fundamental and relates to the interpretation of subjective guidance-based rules, and this issue is not limited to the GDPR.

The potential issues are equally problematic for the reporting of personal data breaches to the Information Commissioner’s Office (ICO).

Under the rules a data controller must report all breaches to the ICO unless the breach is unlikely to result in a risk to the rights and freedoms of the individual involved.

Whether a risk is notifiable hinges on the interpretation of the phrase ‘unlikely to result in a risk’.

This risk-based approach requires a careful assessment of the likelihood and severity of the adverse effect on the individual.

The ICO does offer guidance on breach notification but this has not been overly helpful and ultimately leaves it up to the controller to decide whether or not to notify.

A cautious approach would be to notify the ICO of every [personal data] breach. That way the controller has the certainty of complying with the notification obligations. However, this could result in unnecessary notifications. The problem here is the reluctance of many organisations to notify on data breaches because a high or medium risk is not differentiated from a minor one and assessing the risk can take up valuable management time. Organisations therefore may take a default position not to report unless a risk is clearly ‘likely’.

While the European Union Agency for Network and Information Security has published some helpful recommendations for a methodology of the assessment of severity of personal data breaches, these, once again, are open to interpretation.

The problem is that we may not see certainty on this issue until the ICO and European data protection authorities start taking enforcement action against organisations that fail to notify.

In a highly competitive legal market, lawyers are caught between the DMA and its clients arguing for a lighter touch and rejecting overly cautious advice on the one hand, and advising clients to adhere to a rigid interpretation of the law on the other. To safeguard their business, we can understand why some firms may be inclined to adopt more relaxed risk assessments.

This is inevitable in the absence of greater clarity in the regulations which would prevent the ambiguity in the first place.

Dorothy Agnew
Partner, corporate and commercial, Moore Blatch, Southampton

SRA alarmingly inconsistent

The action taken by the SDT in striking off Richard Thomas Clegg (Gazette, 4 March) discloses an alarmingly inconsistent approach by the SRA.

Like professor JW, I was an expert who sued my instructing solicitors for an unpaid fee. Like professor JW, liability for my fee was denied by my instructing solicitors. In the defence they asserted that their client was responsible for the fee. A month after filing the defence in my claim, the same solicitors commenced proceedings against their client for unpaid fees and included in them a claim for my fee – the very fee for which they had denied liability.

The response of the SRA? It was not interested. It failed to understand what had occurred, initially believing that my report to it was a complaint about unpaid fees. The SRA failed to grasp the significance of the obvious inconsistency of the statements of truth that the solicitors had signed. When I reminded the SRA of the judicial pronouncement regarding ‘complete integrity, probity and trustworthiness’, it replied: ‘While I appreciate you stating case law it is not how we govern, we only ensure our Code of Conduct is followed and case law and statute is a tool used by the courts. We then decide whether to sanction individuals or firms based on what the court decide, we have no legal jurisdiction.’

In January, the SRA advertised for an ‘Investigation Officer (Caseworker)’. The job description listed ‘essential’ and ‘desirable’ abilities. Astonishingly, a ‘comprehensive knowledge of the legal framework and the SRA’s principles/rules against which the key regulatory risks in the regulation of legal will be assessed’ was only a ‘desirable’ characteristic.

If caseworkers cannot grasp simple facts and are in ignorance of essential information, how can the SRA properly regulate the profession?

Mark Field

Iran condemnation

Consistency and professional obligation require our representative body to protest at the highest level the brutal sentence meted out by Judge Mohammad Moqisseh to our brave colleague Nasrin Sotoudeh (‘Hijab protest lawyer gets 33 years after secret trial’, news, 18 March). She was merely doing her duty by her dissident clients, themselves the victims of unconscionable repression.

The Law Society’s president has more than once condemned the Iranian regime’s flagrant abuse of her basic human rights and its flouting of international norms of conduct. This latest outrage demands that those condemnations be further amplified.

Malcolm Fowler
Solicitor-advocate (retired) and human rights activist, Kings Heath, Birmingham