GDPR – controllers and processors
The introduction of the General Data Protection Regulation (GDPR) has sparked questions about whether solicitors are generally data controllers or data processors.
Six months on, the emerging consensus appears to be that, as under the old directive and act, providers of professional services including solicitors will generally be data controllers. In certain circumstances and in respect of particular sets of personal data, they may be acting as data processors.
Whether you are a controller or a processor is a question of fact, and each role carries with it specific legal responsibilities.
Defining controllers and processors
Under the GDPR, controllers (alone or jointly with others) determine the purposes and means of the processing of personal data and processors process personal data on behalf of controllers.
These definitions are similar to the definitions of controllers and processors in Directive 95/46/EC and in the old Data Protection Act 1998.
Providers of professional services, including solicitors, will generally be data controllers. This will include being data controllers in relation to their employees’ personal data and in relation to client data. In certain circumstances and in respect of particular sets of personal data, they may be acting as data processors. It is possible for an organisation or a person to be both a data controller and a data processor in respect of different sets of personal data.
Relationship with barristers
The Bar Council has issued a guide in which it regards every individual practising barrister as a data controller.
The Bar Council is also of the view that self-employed barristers are data controllers of their client’s data and only in very limited circumstances could be properly regarded as data processors.
Therefore, it will not be appropriate for self-employed barristers to sign data processing agreements as processors with their instructing solicitors in relation to work carried out by them in the course of normal practice.
The Bar Council also issued a note on whether barristers and solicitors could be regarded as joint controllers.
The Bar Council guidance sets out a useful framework and, where any issues arise between solicitors and barristers about their respective roles and corresponding obligations under the GDPR, could form the basis for a dialogue to resolve them.
Deciding whether you are a controller or a processor
Law firms should always analyse their personal data processing activities in the light of the provisions in the GDPR and the Data Protection Act 2018.
They should also consider guidance from the Information Commissioner’s Office (ICO), the new European Data Protection Board (EDPB) and, where relevant, opinions issued by the old Article 29 Data Protection Working Party (WP29).
WP29 published an opinion on controllers and processors in 2010, and the ICO has issued draft guidance on controller and processor contracts which is being finalised in the light of consultation responses. The EDPB does not appear to have issued any guidance yet.
Law firms should always analyse their data processing activities by reference to those documents and, if requested by their clients, not automatically sign processor agreements without first undertaking a full analysis of whether their use of the client’s data in fact puts them into the category of a data processor rather than controller.
Law firms should also carefully consider whether contractual obligations imposed upon them in such processor agreements could put them in conflict with their professional duties.
Engaging a data processor
Where a law firm is a controller of personal data, it must only use processors who provide sufficient guarantees that they will implement appropriate technical and organisational measures to meet the requirements of the GDPR, and it must ensure that an appropriate data processing contract is in place which includes the terms mandated by Article 28(3).