The Bar Council has told barristers not to sign contracts drawn up by solicitors’ firms attempting to comply with data protection legislation coming into force this month.
The contracts, required by Article 28 of the General Data Protection Regulation (GDPR), provide ‘data controllers’ with guarantees that ‘data processors’ working for them will protect the rights of data subjects – in this case, clients.
The disputed contracts assume that solicitors are data controllers and that barristers instructed in a matter are data processors. However in an advice note drawn up by its information technology panel, the Bar Council vehemently rejects that status. ‘For the avoidance of doubt, self-employed barristers are data controllers of their client’s data. They are not data processors,’ the note states.
Its justification for the stance is that barristers are not ‘sub-contractors on the solicitor’s behalf, merely processing data accordingly’, but rather providers of ‘independent objective specialist advice and advocacy’. It is therefore up to the barrister to determine what information to obtain and process for the task.
A similar problem can arise for your business if you use another company to handle activities involving your customer data – think of Paypal, Mailchimp, Eventbrite and others. Some of them will be data controllers, others will be data processors. But either way, you need a proper contract with that other organisation and you have various duties under the GDPR.
ContractStore has a model form of agreement for appointing a data processor
Regulating the flow of personal data between controllers and processors is a core aim of the GDPR, which takes direct effect across the EU on 25 May. Legislation to mirror its measures in UK law, the Data Protection Bill, is currently awaiting a date for its report stage in the House of Commons.