Guest blog: Orlagh Kelly - GDPR case study

7 December 2017

Damage to the reputation of a barrister can often be much costlier than any fine issued by the Information Commissioner's Office

Real Life Data Breach

A barrister was found to have breached data protection after failing to encrypt a laptop, containing sensitive personal data, which was later stolen. The laptop was stolen from the home of the barrister in 2009 when she was away on holiday. It contained personal data relating to a number of individuals involved in eight court cases the barrister had been working on. This included some details relating to the physical and mental health of individuals involved in two of the cases. Whilst the barrister had some physical security measures in place at the time of the theft, she failed to ensure that either the device or the sensitive information stored on it was appropriately encrypted.

As the incident happened in 2009 prior to the Information Commissioner having the power to issue monetary penalties, no fine was issued in this case. However, the Information Commissioner's Office (ICO)didissue a press release naming the QC involved, the story was picked up by media outlets and legal bloggers around the UK and eight years later if you google this barrister's name, you will continue to read these report about the data breach.

Regarding the case Ken MacDonald, Assistant Information Commissioner said:

"The legal profession holds some of the most sensitive information available. It is therefore vital that adequate security measures are in place to keep information secure.

This case should act as a warning to other legal professionals that their failure to protect personal information is not just about potentially being served with a penalty of up to £500,000 - it could affect their careers too. If confidential information is made public, it could also jeopardise the important work they do in court." 

It takes a long time to build up a good professional reputation at the Bar. To risk losing that hard-earned reputation by not properly meeting data protection obligations is fool-hardy and unnecessary. 


The Good News

Were you ever told at school that you would 'get marks for your workings out' even if you got the answer wrong?

That is my experience of the ICO during their investigations. If barrister can demonstrate that they have genuinely made all reasonable efforts to protect personal data and comply with the legislation, the ICO is much less likely to sanction them.

There are a number of key actions barristers can take right now to protect their reputation and practice in the event of a data breach. Implementing a combination of routine training, risk assessments and GDPR paperwork will in effect help create a defence for any barrister should they ever have the misfortune to be subjected to an ICO investigation.

In this context, there is no doubt that taking action as soon as possible to become GDPR compliant is the smartest and most effective way for a barrister to protect their hard-earned reputation.

Orlagh Kelly was called to the Bar in 2003. She is the CEO of Briefed GDPR, a specialist training and consultancy agency which offers bespoke compliance GDPR compliance training and products for barristers and chambers.