So GDPR is upon us. After months of uncertainty, despair, spreadsheets and audits, it’s finally here!
How does it feel? The end of the world is nigh…or business as usual (with a brand new privacy notice and revised terms of business)? The increased furore in the media might suggest the former and, undoubtedly, you will have all been bombarded with endless emails from long forgotten companies asking for your continued consent to further marketing.
We have been trying hard to keep a level head about all of this. At the risk of repeating ourselves:
- Lawyers are unlikely to be first in the firing line.
- The ICO appears to be a sensible and proportionate regulator – fining powers are likely to be reserved for those playing fast and loose with personal data.
- The professional duty of confidentiality and legal privilege give lawyers an advantage over non-legal businesses – privacy is not an alien concept
- Compliance with GDPR need not be administratively difficult for most firms, although we must not be complacent.
- If you can show you are taking data protection seriously and trying your hardest to get to 100% compliance, the ICO is unlikely to be highly critical if you miss something.
- There are a lot of grey areas, particularly in legal practice where there are competing regulatory and professional duties. So long as you can justify why you made a decision, even if it subsequently turns out to be wrong, you are likely on safe ground.
Transparency is the key word. Open and clear policies and procedures are what are needed to keep the ICO from your door. It has always been an ongoing GDPR journey, not a race to 25th May.
And with all that in mind…it would be remiss of us not to signpost you to our updated Privacy Notice. Feel free to use the wording and format for your own use, by the way.
Can we move on from GDPR now, please? PLEASE?
All the best,
Jon and the team
SRA faces criticism over its use of waivers
The SRA has faced criticism lately in relation to the ethicality and apparent lack of transparency in relation to the granting of waivers. This followed the announcement by Rocket Lawyer, an online platform, that the SRA had permitted it to employ solicitors giving legal advice in its non-regulated business.
They, like HR company Croner, have been allowed to use the SRA’s “safe space” to circumvent regulations and develop an innovative business structure.
The lack of transparency on behalf of the SRA with regards to the details of these waivers for reasons of “commercial sensitivity” has not helped to quell the fears of its critics. Regulatory specialists have raised concerns in relation to the SRA’s new policy, suggesting that this may impact upon the future of alternative business structures (ABSs) and client care.
Why it matters
Waivers are a potent regulatory tool. They effectively allow the SRA to ignore ANY of its own rules, other than those which derive from statute.
These two waivers in question illustrate this perfectly. The SRA has effectively pre-empted the result of the recent consultation on solicitors practising in unregulated firms.
Court of Appeal find buyer’s and sellers’ solicitors liable in “imposter” fraud
The Court of Appeal has found that solicitors acting for bother the buyer and seller of a property sold by an “imposter” are potentially liable for losses suffered by their clients.
Judgment was given in Dreamvar (UK) Ltd v Mischon de Reya and the linked case of P&P Property Ltd v Owen Whist and Caitlin LLP. The Court found that the sellers’ solicitors were in breach of trust because there was not a “genuine completion” and that they had acted “in breach of trust when they released the purchase monies to or at the direction of their clients“. Mischon de Reya (the buyer’s solicitors) were also found liable for their breach of trust in paying the money to the seller’s solicitors:
“While…it was not unreasonable for MdR not to have advised Dreamvar about the risk of fraud, or to have sought greater protection for Dreamvar against that risk (such as further undertakings) it is also not irrelevant that MdR was necessarily better placed to consider, and as far as possible achieve (a matter not in the event tested) great protection for Dreamvar against the risk which in fact occurred.”
The buyer had “no recourse” against the sellers’ solicitors and “no practical likelihood of tracing or making any recovery from the fraudster” therefore it found that the only “practical remedy” was against MdR.
Why it matters
Are we off to the Supreme Court on this one? The Court’s decision is hardly satisfactory to either side.
Whatever the rights and wrongs, the case has the potential to seriously upset the PI insurance market, absent any meaningful steps taken by regulators to stamp out this type of property fraud. If both buyer and seller’s solicitor is put in the position of essentially underwriting the transaction, there is bound to be an upward pressure on premium. After all, if they can get away with it, the fraudsters aren’t going away.
Could this even price some firms out of conveyancing altogether?
Perhaps the SRA should be contributing to finding a solution to the fraud, rather than tinkering with the minimum terms, which everyone (except them) seems to accept will not make a blind bit of difference to PI premium.
In the meantime, due diligence checks in property transactions must be as tight as can be. We are not just ticking a box for AML compliance.
Cyber Security guidance published by ICO and NCSC
Back to data protection (sorry!). The ICO has helpfully published further guidance in respect of the technical security needed to ensure that firms are GDPR compliant.
Article 5(1)(f) states that personal data shall be:
“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures“.
The security outcomes aim to establish a set of expectations you must meet. By using this type of approach it is possible to apply them to meet the size or complexity of various your particular organisation. The outcomes include:
- Managing security risk
- Protecting personal data against cyber attack
- Detecting security events
- Minimising the impact
Importantly, it is recognised that “what’s ‘appropriate’ for you will depend on your own circumstances, the processing you’re doing, and the risks it presents.”
Why it matters
All additional guidance provided in relation to the GDPR must be welcomed by firms no matter what their size. This guidance, in particular, is an excellent resource and is extremely helpful in terms of assisting firms come to grips with the more technical aspects of GDPR and cyber security.
SRA to look into barriers to ABSs
A report commissioned by the SRA has found that it should look to investigate potential barriers to alternative business structures providing other professional services. The report noted that “it may be more common for other professions to expand into legal services than vice versa” and went on to say that,“There may be barriers to the employment of other professionals, such as surveyors, within ABSs regulated by the SRA.”
The report confirmed that there are more than 700 ABSs now licensed by the SRA and indicated that this was evidence that there was demand for such opportunities for law firm to diversify.
Why it matters
The rate of new ABS licences has certainly slowed, although it would be naive to have thought that the initial flurry could have lasted indefinitely.
There are almost certainly a number of factors at play here. We think it unlikely that any entrepreneurs looking at legal services would be deterred by regulation – it’s called a barrier to entry and that is a good thing.
A significant number of firms in the market will be prioritising other things, such as succession and exit – a huge issue for the profession.
And of course there is uncertainty over Brexit, the boost to the unregulated market, and the simple fact that getting surveyors and accountants and lawyers to all work happily under one roof sits in the easier-said-than-done pile.
We firmly believe that there are still fantastic untapped opportunities for ABSs, and every week we see something new, exciting and think “Why has nobody done this before…?”
The fact is, there has never been a better time to try new things.
New and updated Law Society Practice Notes
- Conveyancing Protocol – an update to the protocol
- How to set up an ABS – a useful overview (but misses out the practical bits)
- Who owns the file? – guidance on which parts of the file are owned by the client and which are owned by the solicitor
Disciplinary decisions
- Mohammed Abid has been suspended for 6 months after having lent his mobile phone to a client whilst in police custody suspected of GBH. The suspect used the mobile phone to call a key witness and dissuade them from signing a witness statement.
- Andrew Thornhill QC has been fined £10,000 after the Bar and Tribunals Adjudication Service found that there was an “inference that his independence may be compromised” when he acted as an impartial expert in a property dispute.
- Former boss of Bolton PI firm, Asons, has been suspended for 18 months and is to pay £115k in costs. Kamran Akram was cleared of dishonesty. The tribunal found that he had failed to run the firm efficiently and had failed to “supervise the supervisors“.
- Jonathon Denton, a partner in City firm Locke Lord, has been struck off through his dishonest involvement in dubious investment schemes which led to him misleading third parties, producing false invoices and failing to protect clients monies.
