Guest blog: Orlagh Kelly - GDPR blog

21 December 2017

Much attention is being given to GDPR, the new data protection legislation which will be enforced in the UK from 25th May 2018.

This blog is designed to give barristers and chambers relevant, realistic and effective guidance.

Over the coming months, we will cover many topics which will increase your understanding of how you can be compliant with the new legislation, and protect your practice. 

Have you ever sent an email to the wrong person? 

There is a common misconception that a data breach is a major incident, perhaps having servers hacked by cyber-criminals and millions of personal records stolen, à la Uber. However, sophisticated technical intrusions by criminals aren't the only way to get on the radar of the Information Commissioner's Office (ICO). In fact, it is altogether simpler human error that has recently caused significant fines and reputational damage to organisations.

At the start of a training session I always ask people: have you ever emailed the wrong person? Almost universally, everyone puts up their hand. Almost all of us, helped along by 'auto-complete', will have inadvertently emailed the wrong person at one time or another.

Could you imagine if that one email started an investigation which ended in a fine of £120,000 and newspaper articles about you? That's exactly what happened to a solicitor at a local authority when she sent emails to the wrong recipient.

Real Life Data Breach 

A local authority solicitor sent emails relating to a family law case, intended for counsel, to the wrong person. The emails contained social work reports and highly sensitive information relating to the care of a child, and further information about the health of two adults and two other children. The emails also contained the brief to counsel, suggested directions and comments about the conduct of the case.

The investigation carried out by the ICO found the solicitor was in breach of the council's own guidance, which confirmed that sensitive data should be sent over a secure network or encrypted. However, the solicitor was not disciplined internally because the council had failed to provide the legal department with encryption software. The investigation also found that the solicitor had not been provided with relevant data protection training.

The local authority was fined £120,000 for this data breach. 

What can you do? 

In reality, short of taking extra care and perhaps turning off the 'auto-complete' function, there isn't a lot you can do to prevent a human error like this. However, a review of ICO judgements shows that if a business can demonstrate that it has taken reasonable steps to protect personal data, it is much more likely to be able to successfully defend an incident that arose through human error. As identified in this case, had the council made sure that encryption technology was available to the legal department and that staff had completed relevant data protection training, the council would have been in a much stronger position to defend itself against a fine.

The best thing any barrister, chambers or other organisation can do is take steps in advance to keep personal data secure, so that, should a simple slip happen, those steps, whatever they may be, can be used as a defence.

Orlagh Kelly was called to the Bar in 2003. She is the CEO of Briefed GDPR, a specialist training and consultancy agency which offers bespoke GDPR compliance training and products for barristers and chambers.

Special discount for barristers: 

10% off our Barrister GDPR Bundle until 8 January. Type the code BCEW at checkout for your discount.