Professionals, Their Regulators And Personal Data Breaches: Who Is In Charge Of Policing The GDPR?


There have been some high profile data losses by professional firms which have hit the headlines, Mossack Fonseca's loss of the "Panama Papers" being a prime example. Other personal data losses or breaches of confidentiality have not attracted so much attention, but that does not mean that the problem is not a prevalent one. According to the Solicitors Regulation Authority ("SRA"), it receives some 40 reports of confidentiality breaches each month. Further, the Information Commissioner ("ICO") has identified the legal sector as one of the highest sources of data security cases. It is therefore not surprising that the SRA's 2017/2018 Risk Outlook identifies information security as one of its priority areas. The Institute of Chartered Accountants of England & Wales ("ICAEW") is clearly concerned about what the GDPR means for accountants as well: it has published draft engagement letters dealing with data protection rights, as well as detailed guidance on document retention policies. Guidance of this nature is likely to be of great relevance when regulators consider whether members have breached their principles or rules.

How does the GDPR overlap with existing professional regulatory rules?

Professional rules have long required members to keep their clients' affairs confidential. Professional requirements tend to require professionals not only to keep information confidential but to ensure that their employees and staff do too.

In recent years, regulators have also increasingly focused on the need for professionals to take steps to maintain efficient systems and controls to mitigate risks to client confidentiality. Key examples of this two-fold approach are SRA Outcome 4 and Core Duty 6 (for solicitors) and rC89 in the Bar Handbook (for barristers). The ICAEW (in its Code of Ethics and its GDPR Guidance) also emphasises both the need to keep clients' affairs private and the need to ensure that data protection is taken seriously at an organisational level. The latter focus on maintaining appropriate systems is echoed in the GDPR, which requires data controllers to take responsibility for, and to be able to demonstrate, compliance with the GDPR data protection principles (known as the "accountability principle").

For some professions there is express interplay between data protection law and professional rules; for instance the Bar Handbook states in terms that barristers are under a duty to have proper arrangements in place to protect...
