A look back at five years of GDPR
May marked five years of GDPR — what went wrong, what went right and what should law firms anticipate in a rapidly changing digital landscape and an environment of fickle politics? Suzanna Hayek, junior editor at LPM, reports.
Enacted in May 2018, the EU General Data Protection Regulation (GDPR) represented a set of laws considered to be more stringent than its predecessor the Data Protection Directive. References to UK GDPR began in 2019 as Brexit procedures were underway.
To become GDPR compliant, law firms — which typically deal in a significant amount of sensitive information — needed to overhaul how they thought about managing information.
Professionals in the legal sector are also often perceived as not being tech savvy — which makes them ideal targets for cybercriminals, according to Orlagh Kelly, barrister and CEO of Briefed, a full-service compliance business.
James Castro-Edwards, privacy, cybersecurity and data strategy counsel at Arnold and Porter, believes what grabbed companies’ and law firms’ attention were the powers granted to supervisory authorities, such as the Information Commissioner’s Office (ICO), to issue fines of up to €20m — or 4% of a firm’s annual revenue, whichever is higher — for serious violations.
Misunderstandings around GDPR
There isn’t a clear understanding of what the rules are when it comes to personal data and where it should be stored, says Peter Wright, solicitor and managing director at Digital Law, who is critical of firms’ approach to choosing IT systems.
“Some firms will end up signing up with a new system, or persevering with the legacy system that simply doesn’t comply and ends up storing data outside of the European Economic Area. And if it is outside of the EEA, it often ends up being done without any of the compliance measures that should be in place, ie standard contractual clauses, binding corporate rules, or a data adequacy decision,” says Wright.
Referring to the EU-US Privacy Shield, which allowed the transfer of data to the US but was struck down by the European court’s Schrems decision in 2020, Wright says, “So for the last best part of three years, if you were storing data in America, you had to be doing it using a data transfer agreement with standard contractual clauses, those mandated by the ICO. And if you’re not using the up-to-date clauses mandated by the regulator, then you’re in breach.”
GDPR restricts the transfer of personal data out of the EEA to third countries. This meant that businesses in Europe may not have been able to transfer personal data to the UK after Brexit. However, in June 2021, the European Commission (EC) granted the UK a data adequacy decision, which means that the UK’s data protection laws are considered to be equivalent to the GDPR. This enabled the transfer of personal data to continue between the UK and the EEA.
Kelly points out that GDPR was initially framed as an IT issue due to marketing by suppliers, when in fact it’s a compliance issue. Many firms, therefore, upgraded their IT security but didn’t train their teams or update their policies and procedures to meet GDPR requirements.
Another common misconception was that firms needed to seek consent to process personal data. Consent is only one lawful basis among several, and the rules around obtaining and storing it can make it the least favourable one. Relying on it can also bring legal complications.
What went wrong?
In October 2020, the ICO slammed British Airways with a £20m fine for a data breach that impacted the personal data of over 400,000 people. It was one of the first instances of the ICO exercising its powers to signal the seriousness of GDPR compliance to companies.
Less than two years later, Tuckers Solicitors was fined £98,000 for failing to secure sensitive court bundles that were then published on the dark web, sending shockwaves across the legal industry. By waiting six months to install a patch, the firm was in breach of its own internal policy which said they would install patches promptly. The ICO said the firm had failed to implement appropriate technical and organisational measures which rendered it vulnerable to attack.
It is largely up to the firm to decide on which security measures to implement as GDPR doesn’t go into specifics — it depends on the organisation and it needs to be proportionate to the risk. “So you can’t have one size fits all technical security measures specified in legislation because they’ll quickly become obsolete,” says Castro. A firm could get fined if an attack was simple to prevent but it didn’t have the appropriate measures in place.
Law firms are often under such pressure to keep on top of fast-changing new regulations that GDPR ends up being pushed down their priority list — but a firm might not be able to survive the reputational and monetary damage of falling victim to a data breach.
Covid-19 and hybrid work
Covid-19 presented a new set of challenges as firms were forced to implement remote work processes at short notice. There were many awareness campaigns at the time advising companies to ensure that they were GDPR compliant, so some firms were cognisant of the potential security pitfalls of a working-from-home arrangement.
To ensure the highest level of security for working from home during the pandemic, Bowling Law offered its staff one-to-one training on securing data. “We polled staff about their specific work arrangements. Then we focused on a solution that worked for them because people had different living situations,” said Jon Gough, IT director at Bowling Law.
Some firms did struggle to grapple with the new arrangements and found themselves cutting corners, and “rightfully so” according to Wright, given we were in a health emergency. But after the pandemic, as hybrid work became prevalent, some firms didn’t re-evaluate their systems’ security nor did they provide appropriate cybersecurity training for staff, Wright adds.
What went right?
Conveyancing firm The Partnership focused on cultivating a culture of transparency, in which employees don’t feel they need to hide a breach. “Everyone’s approachable and we’re a team at the end of the day,” says Nikki Owen, operations manager at The Partnership. If a lawyer reports that information was accidentally sent to the wrong person, Owen will immediately run a risk assessment and take the appropriate action to safeguard information. She’ll then write a breach report and contact the clients whose data was breached.
It took The Partnership six months to prepare for GDPR, and it has continued to make changes over the past five years. “Everyone’s human and mistakes can happen, but we always strive to improve our systems,” says Owen.
What should firms be doing?
Castro advises firms to focus on training and accountability, and to have a data protection team, which can be made up of people who have other roles within the firm. The team’s responsibilities would involve keeping on top of procedures and policies and making sure that staff receive adequate training. Members of staff need to be taught to spot a security issue and know who to escalate it to.
Wright adds that some firms believe GDPR compliance is complex and expensive when it actually isn’t and agrees that one of the most effective measures is simply awareness training — to be able to identify personal data breaches or malicious links, for example. In addition, he suggests holding regular GDPR compliance meetings to review standards, security, regulatory guidance and implementation — as well as keeping records of meeting agendas and notes to demonstrate compliance to a regulator.
Preparing for the future
Wright predicts the rapid improvement in quantum computing and processing power will lead to a fresh wave of software and hardware procurements over the next few years. Therefore, firms need to start thinking about their procurement criteria and put in place a questionnaire for suppliers and good due diligence.
The advent of AI language models like ChatGPT could present a new risk. Standard training to identify phishing emails relies on spotting grammar mistakes, but ChatGPT can help cybercriminals produce error-free emails, making phishing more difficult to spot.
To give law firms more clarity on how to be compliant, an ICO GDPR certification for law firms is expected to be available soon. “It allows law firms to move from this space of trying very hard to get everything right, but not really knowing how to interpret the law, whereas the certification will be very black and white in terms of what you have to do,” says Kelly. It will also enable law firms to assess which suppliers have the right levels of security and data protection in place and improve the client experience overall.
As for EU-UK data transfers, the UK data adequacy decision is up for revision in 2024. The EC will decide whether to extend it for a further period of up to four years. If it isn’t extended, it will expire on 27 June 2025. If UK data protection policies diverge from those within the EU, there’s a possibility the adequacy decision will not get renewed.
“The adequacy finding rests on the UK remaining aligned with the GDPR in terms of data protection, and there’s been a lot of noise from the UK government desperate to show a Brexit dividend to sort of streamline, as they call it, the GDPR and do away with this so-called red tape. Now if doing that reduces the protection afforded by the UK data protection regime, the EC could then revoke the UK adequacy decision, which would mean businesses in Europe would struggle to transfer data to the UK, which becomes more complicated,” says Castro.
In June, the UK and US governments reached a commitment in principle over a data bridge. Companies in the US that are approved to join the framework would be able to receive personal data from the UK — thereby allowing the UK to conduct international business more easily.