The philosopher and jurist Jeremy Bentham wrote that "Lawyers are the only persons in whom ignorance of the law is not punished." No doubt he had good reason to say this, but it is certainly not true when it comes to the expectations placed on law firms in terms of GDPR compliance. The standards expected of us are rightly high. That makes sense: if your business is law, then adhering to the law is fundamental. Ignorance of (or worse, failing to comply with) the GDPR could, as the Solicitors Regulation Authority ("SRA") points out, lead to "financial, reputational or personal consequences for the client, and for the solicitor". The enormous fines which can be levied by regulators for breaches of the GDPR (up to 4% of annual worldwide turnover or, if higher, 20m euros), as well as the risk of action by the SRA, mean that ignorance of this particular law is simply not an option.
But there is also a cultural shift. The GDPR made individuals think about how their data is used in a way that they had not done before. Innovation is rapid. As firms consider how artificial intelligence and machine learning can enhance efficiency, embedding data protection by design and default is not only about compliance: it makes good business sense. It captures where we are going next, and addresses the privacy concerns of the client of the future.
The risk and compliance function has therefore moved beyond ensuring that records are kept and processing documented. Risk and compliance have become central to navigating the fast moving landscape in this "fourth industrial revolution". Their expertise is a crucial component of strategic thinking on how firms can equip themselves for the innovations and challenges ahead.
This article looks at the way in which the status of the risk and compliance function in law firms has changed since the advent of GDPR, the current challenges, how those challenges can be met and how risk and compliance teams can support firms in preparing for the privacy issues of the future.
Status of the risk and compliance function
Anecdotal evidence suggests that GDPR has led to a significant expansion of risk and compliance teams in law firms. This is due to a considerable increase in workload. The GDPR requires records of processing to be kept and to be regularly reviewed (see Article 30). The volume of data subject requests has increased substantially (some put the increase at around 100%). Further, law firms are fifth on the list of sectors reporting data breaches to the ICO. The number of breaches reported is likely to reflect the fact that the legal profession often processes sensitive data, is highly regulated and is risk averse. But it also underscores the need for adequate resourcing of risk and compliance teams.
The risk and compliance function is also much more high-profile. Where a firm has appointed a data protection officer, they are required to report "directly to the highest management level" (see Article 38(3)) and to be "expert" in terms of the advice they deliver. The GDPR confers significant protections on them in terms of the performance of their tasks. They are not to receive "instructions" on the exercise of their functions and may not be penalised or dismissed for performing them (see Article 38(3)).
Data protection officers also have an important outward facing role. They are the contact point with the regulator (see Article 39(1)(d) and (e)) and for data subjects (see Article 38(4)).
In the run up to the implementation of the GDPR in May 2018 organisations undertook the (often very substantial) tasks of mapping their data, undertaking risk assessments, considering and plugging gaps in compliance, developing policies and procedures, embedding security and setting up monitoring, auditing and compliance tools.
The next phase is to instil good data protection practices in the organisation at a fundamental level. The Information Commissioner has spoken about accountability - the requirement under Article 5(2) to take responsibility for and to demonstrate compliance - as being at the heart of GDPR. She has said that the direction has shifted "from box ticking or even records of processing". Instead, data protection should be seen as "something that is part of the cultural and business fabric of an organisation".
Compliance may sometimes be described in derogatory tones as "red tape" - bureaucracy for bureaucracy's sake. But GDPR requirements are significant because, as colleagues explained, they "made us really think about privacy in detail, in a way we hadn't necessarily done before". So the high standards and considerable "bureaucratic" requirements of GDPR have also helped risk and compliance professionals to engage with privacy issues in a more profound way.
How are the challenges of GDPR met?
The Information Commissioner's message is that risk and compliance are the ambassadors for GDPR. Their mission is to ensure that data protection, far from being a matter for the risk and compliance team alone, becomes something fundamental to the way an organisation works.
Training is an obvious way of changing the culture of the organisation. So is visibility: senior level GDPR leadership is crucial to ensure that data protection compliance can be woven into the practices of the organisation.
Further, technology is helping to streamline processes. For example, e-discovery review tools can assist with the review and redaction process for subject access requests. There are also some privacy-specific platforms that help track the data subject rights process from end to end.
But the push for a more sophisticated, "embedded" approach to data protection doesn't only come from the risk and compliance teams. Clients, especially in formal procurement processes (eg appointments to panels), often require evidence to show that the organisation has the required technical, security and organisational processes in place to deliver good data protection outcomes. Data protection compliance has therefore become a requirement against which firms will be assessed as part of the engagement process.
That's not to say that the challenges are necessarily easy to meet. In reality, privacy by design can be hard to maintain as a priority in IT procurement, where cost is crucial. It is also not unusual for new technology to be acquired before a data protection impact assessment has been considered.
How can risk and compliance help firms to prepare for the future?
The GDPR has changed people's attitude to how their data is being used. So the push towards privacy can be said to come as much (if not more) from outside the organisation as within it. This point was highlighted recently by Boris Johnson's references to privacy in a speech to the United Nations in New York: "You may keep secrets from your friends, from your parents, your children, your doctor – even your personal trainer – but it takes real effort to conceal your thoughts from Google. And if that is true today, in future there may be nowhere to hide." Privacy is thus becoming a concern of society at large. Organisations which recognise this will keep ahead of the curve. Taking privacy seriously is a good business decision. Risk and compliance teams are therefore not necessarily there to be reactive: to assess data breaches or, in the words of the Information Commissioner, fill in forms or tick boxes. They are central in shaping the business as it evolves and in taking a leadership role.
The impact of GDPR cannot be overstated. It is shaping debate about how our data is used and, in turn, how our society is ordered. As technology allows firms to innovate and to provide legal services in new ways, risk and compliance won't simply be there to react to events. They are at the forefront of ensuring that the technology works for clients in the way they expect: respecting their privacy and keeping their data safe. Risk and compliance teams will play a central role not only in ensuring awareness of the law, but as privacy ambassadors, guiding firms to become businesses fit for the future.
Eleonor Duhs and Martin McElroy
Eleonor Duhs is a Director and Barrister in Fieldfisher's Technology, Outsourcing and Privacy team. She was the UK Government's lead lawyer in negotiations on the GDPR.
Martin McElroy is Fieldfisher's Data Protection Officer.
This article was first published in "Legal Compliance Insight" on 10th October 2019.