A legal compliance expert has warned that lawyers may need to take action over potential breaches of data protection rules.
Brian Rogers, director of regulation and compliance services for Riliance, said those who advised businesses how to comply with new GDPR rules last May should revisit that advice – and even contact clients to admit they made a mistake.
Rogers spoke to the Gazette after lawyers were publicly criticised last month by Chris Combemale, chief executive of the marketing network DMA Group. Combemale told a Westminster Legal Policy Forum conference that many of the 1,000 DMA members had been wrongly told to focus on consent as the basis for processing data. Many businesses had followed ‘extremely conservative’ advice from their lawyers, he said, and sought to gain consent – or even double consent – to retain customer details.
Combemale added: ‘The legal profession had a considerable misunderstanding of how this legislation could and should apply to the marketing sector.’ He gave one example of a lower-league football club which had 100,000 supporters on its database before May 2018, but followed its lawyer’s advice to gain double opt-in. The club’s signups dropped over 97%.
Rogers said SRA rules state that lawyers must inform clients if they discover any act or omission which could give rise to a negligence claim – and may also need to report any negligence to the regulator.
He recommended that firms which advised businesses on implementing GDPR review that advice in relation to consent. If the advice was to seek specific consent from data subjects, rather than advising those businesses that they could rely on other forms of consent, firms should consider notifying clients.
Solicitor Peter Wright, managing director of cyber-law specialist Digital Law and former chair of the Law Society Technology and Law Reference Group, agreed lawyers have been too cautious.
‘People have got funny ideas that GDPR is all about consent and it’s absolutely not,’ said Wright. ‘There were an awful lot of people who started styling themselves GDPR specialists when they had not got the expertise. It’s not a case of putting a policy in place and saying that’s it. It is a rolling obligation and lawyers should be talking to clients in any event about privacy regulations.’