UK: Civil liability of non-medical professionals for personal data breaches
In this article, 4 New Square’s Paul Mitchell QC, Stephen Innes and Helen Evans consider the potential civil liability of professionals in this jurisdiction for data breaches after GDPR comes into force on 25 May 2018. They write, in part:
Many professionals are liable to assume that the GDPR will class them as “data controllers” rather than “data processors”. For example, the Bar Council’s Guide to the GDPR classes barristers in this way. However, in April 2018 the Bar Council became aware that some solicitors’ firms were asking barristers to sign contracts which designated them as “data processors”. This is potentially problematic for two reasons: first because “data processors” are subject to different duties to “data controllers” and liable for greater penalties but also because the Bar Council regards such arrangements as liable to put barristers in breach of the Code of Conduct (see further our regulatory article here).
Read more of their article on Lexology.