Hello and welcome to today's session, called the GDPR. Today we're gonna be talking about the GDPR, the General Data Protection Regulation, which is a regulation that sits together, driven by the EU, sits together with some previous legislation drawing from the EU, which is about protecting personal data. Protecting your data, protecting individuals' data. We're gonna take elements of the GDPR, have a breakdown and a discussion of those: what the impact is on your firm and what the impact is likely to be in terms of clients, consumers of the firm, employees, people that you do business with, and how that impacts as well. Further, the things that you can do and put in place in order to deal with that situation. My name's Kate Jackson, a compliance consultant. I've been working with law firms across the country for about six or seven years now. Prior to that, as part of my career, I've worked with the Solicitors Regulation Authority, the Law Society of England and Wales, Cancer belies its components, the Legal Services Commission, as well as numerous different law firms as a consultant. So I'm bringing to this a point of regulatory knowledge, if you like. This webinar is suitable for people who are compliance officers who are looking for a refresher course in GDPR. Perhaps you're moving over into data protection. Maybe you want to brush up again on some points of the GDPR, or just broaden your knowledge, away from us our way learning and into data protection. And maybe you're starting out on your compliance journey. Maybe you're being inducted into a new firm, or you're somebody in the midpoint of your career who's saying, "Actually, I do need to learn a little bit more about this because it has such a fundamental impact on our overall." Let's move on into having a look at what we're gonna do in today's session.
So, as I've said, this is a kind of a basic overview today of the main points relating to GDPR and the points that relate to that: how it works and sits under dealing with, you know, the policies and procedures in your firm, how that works and the kinds of things that you should be taking into consideration. What you will find in this session is that there are a lot of terms relating to the GDPR. There's lots of different definitions that we have to provide, lots of different articles and lots of different ways of looking at and thinking about things that the GDPR brings in. What is therefore important is to take away this information and put it into your policies and procedures. Now, accompanying this course is a set of notes, which goes into more detail than I am here on these slides, so you can have a read of the notes afterwards and add to your CPD record, but also within that I've included samples of some of the documents that the Information Commissioner's Office has helpfully provided for you to have a look at. I'm pleased to say we can use, for example, this document when we're dealing with our work. We can use and develop our policies and procedures using these template documents that the ICO has produced. So where I've found them, where they're available, and lots of useful downloads from the ICO, I've provided those within the notes as well. In addition to that, there are points for further reading and further support, and that sits within your notes. So if you are somebody who is looking for that little bit of extra stretch and challenge, who would like to know more, then that is an opportunity for you to go and do that. But this webinar really is focused on the basic overview of the GDPR and how that works and how that looks. It is not something where we can give sort of specific advice as to the circumstances. Nor is it an advanced webinar that's going to build on. We're going to take a very basic starting point and go through that.
So with that in mind, the agenda for today's session is to think about definitions relating to personal data and what we mean by personal data and how that works. We're gonna have a look at special category data, where we need to be more concerned about some data and some data may be more sensitive. We're gonna have a look at processing, and so that's really about saying how we're handling data and what we're doing with it. Because personal data, yes, people have got your name and address and they've got this individual information about you, but actually it's what they're doing with that information, how they're taking it, molding it in different ways, and the results and outcomes for you that come out of that process at the end. That's what personal data and the use of personal data actually is. Are you getting the proper outcomes out of the processes that you're interacting with businesses with, or are you getting the wrong outcomes after those processes? And how does that look? How does that work? And how does that operate? We're gonna have a think about the data protection principles and client rights and how you can comply with those. We're also gonna have a look at some exemptions as well in dealing with the GDPR; some of those exempt you from some of those client rights. We're gonna have a look at the relationship with confidentiality and file destruction as well. We're gonna have a look at data privacy impact assessments. I have to make sure I get that right: data privacy impact assessment, sometimes called data protection impact assessment. And the point being, with the data privacy impact assessment, you have to assess the impact of what you're doing. We're also gonna have a look at data handling in your firm, some ethical challenges and common challenges that come up, and some of the things that are out there concerning reporting in respect of money laundering, some of the challenges in terms of identification with money laundering, access issues, those constant.
So these kinds of thorny problems that people are encountering, and what might come in the future in relation to that. We are gonna push a little bit at the end in terms of thinking about some of these points. As I've said, there's a set of notes that accompany these, and they also include further reading. Then, at the end of the webinar, I'm gonna ask you to complete a quiz as well, just to test your knowledge and see how you got on with that. So let's move on to looking at personal data. So the next slide is about personal data. Now, before we get into the definition, which is down on the slide and I will read it to you, we need to understand and think about personal data. Personal data is data relating to us as individuals. So it might be my name. It might be my address. It might be my telephone number. It might be any of those things, anything by which I could be identified. But the business interacting with my personal data, it's using it in a different way. So your law firm is gonna take my personal data and, say... Let's say, for example, I changed my name, or I might be undergoing a family situation that might result in... Well, hang on a second. Okay, let me think about how you're gonna interact with my personal data. Let's say I had a divorce, for example. I might change my name, so accordingly you're going to process that. You're going to be emailing about my name. You know, emails contain my personal information, contain financial information. They're gonna contain everything that's happening in respect of my personal situation, and that is processing my personal data in that way. So I then, your business, I'm the client of your business.
It gives me the opportunity to come to you and say, "Oh, how have you processed my personal data?" Through subject access, you then have to produce not only the details related to my name, but also the way in which you've interacted with that data, what you've done with it and how you've dealt with it. You might make assumptions in relation to my personal data. But really, when we're talking about personal data, we're talking about processing, the use of personal data, and what we mean by that. Let's say I wanted a will. Okay. In that situation you can have will writing which is automated; there are artificial intelligence products out there that deal with that automatically. Well, in that situation, I might get an erroneous will also if you don't have the right personal data about me, so there are a myriad of reasons why it's important to have accurate personal data. But also we need to think about personal data in the way that the firm interacts with it and how we can use it. Some firms are becoming more data driven as well, so personal data forms the backdrop of: if a client in this situation, with these circumstances, takes this particular legal course of action, for example, what's the most likely outcome of the case? And we can use data to predict that, and we can improve our lines between in order to get to those outcomes. Well, again, that's how we're interacting and processing that personal data. So that's what we mean by personal data. We mean data which relates to us as individuals. But when we're asking about our personal data, often we're asking about what a firm system within and how they've interacted with it. So I want you to think about those concepts as we go through the GDPR. So let me just read to you what they say, what's on the slide. So personal data. And this is from the Information Commissioner's Office, who are the regulator for the GDPR and all data collection.
So what it says is: information relating to natural persons who can be identified or identifiable directly from the information in question, or who can be identified from that information in combination with other information. So can I be identified by my name? For example, there might be somebody else called Kate Jackson Squad coming. Or that might be Kate Jackson at this address with this telephone number. So these are the things that allow me to be identified on a more specific basis. However, you might say, "Kate Jackson, compliance consultant". Jump aware another one. But that might be so. You might be able to identify me from two pieces of information, for example. What you need in order to process personal data, supports the input. It what? We mean my posts and put it into a computer with doing something with it. Okay, we're starting that processing journey. For us, as a law firm, we might be opening a file, for example. That's why we're processing personal data. What we need is a lawful basis, and that is covered in Article 6 of the GDPR, and the lawful basis has to be one of these criteria that you've got on your slides there. Now, the first one there is consent. This has to be positive. So somebody must positively opt in to what somebody else is doing with their personal data. They must be informed about what you're gonna do with their personal data, what you're gonna gather it for, and the reasons why you need it. That consent must be positive. It must be for fulfilling a contractual obligation, and that's another lawful basis. You don't have to have those two things together. That's a different lawful basis. So you can always have consent, or you might have a contractual obligation, and that contractual obligation even extends to giving a quote. On the ICO's website, the example they use is somebody phones up and wants a quote: you might need to take their personal data, and doing so would be under a contractual obligation if that was the case.
So you've got two options there. Let's move on to the third one: to fulfil a legal obligation. Now there's lots of different legal obligations that you might be under when processing client data. One example might be, for example, reporting to the about any suspicious circumstances. Okay, so there becomes a lawful basis and a legal obligation for doing so. So you need one of these lawful bases. There's these options; you only need one, and then you can process this personal data. Okay. Others on this list include vital interests. Now this is less likely to apply to a law firm. This is where there's somebody's, for example, health and safety at risk. If somebody fell down in the street and was unconscious, Number comes on, they can look in that person's pockets, find their wallet, get the driving licence and understand who that person is, and they can start processing that personal data, contact the next of kin, for example. Now that is in that person's vital interests. There might also be information in there about somebody's health and wellbeing, for example, that would be important for them to know. So these are the things where vital interests come into play; less likely to apply to a law firm. The next one on the list is public task. Now this is most likely to apply to public authorities. But if you're an in-house lawyer working in a local authority, for example, that's the kind of thing that's going to apply to you. And then the final one is legitimate interests, and we'll talk more about that in a minute on the next slide, because it's a bit more complicated. But these are the lawful bases for processing personal data, and this is the basic elements of it, and I'm gonna refer to these lawful bases for processing personal data throughout the webinar. So please remember, there's these six elements there that might sit where you can say, "I've got a lawful basis for processing personal data." Consent: you might be putting that now in your client care, that is a client care welcome pack.
When somebody joins the firm, where you have to fill in all the documents, tell people what you want, provide your evidence of identity, and you return it along with consent to process personal data. Okay. Somebody needs to be informed about that at that stage. You also need to be giving them information at that point in time about how you process in the first day. You might also be relying on that legal obligation. Depending on circumstances, there might be various legal obligations that solicitors and other professionals need to rely on. You might be dealing with a contractual obligation; highly likely to be doing so. So those first three on that list of six lawful bases for processing are the most likely to apply to a law firm. You only need one basis by not have lots of different basis. Okay, if we can get consent, we're being open and transparent. That's a real bonus. Okay, so let's move on to looking at legitimate interests. So this is also potentially a basis for processing; however, it requires a bit more of a balancing act. We're just doing a deep dive in there. This is not something different. We're still looking at the lawful bases for processing. But what it is is giving us that option to say there is another basis, if you like, for processing, and that is... I'm just going to read something to you: where processing is necessary for the legitimate interests of the controller or the legitimate interests of a third party. Now that has come from the Information Commissioner's Office. Okay, so this is where you are taking up processing and you're saying, "But I've got a legitimate interest as a business, or a third party has a legitimate interest", and there might be a situation in which you can use that legitimate interest to justify lawful processing. So the ICO has helpfully provided a three-part test there. The purpose: are you pursuing a legitimate interest?
So, does your business or the third party have a legitimate interest? Sometimes they say that sometimes it's going to be where the data subject might expect you to be processing personal data reasonably, and may not be a minimal impact on their privacy. Might be expecting. So, for example, there's a list at the bottom that's mentioned in the GDPR, which includes an employer status, for example, dealing with employees. Your clients might also expect you to be processing their personal data. So: are you pursuing a legitimate interest? Is the processing necessary to pursue that legitimate interest? So the data that you're holding, are you definitely processing the data I have. Have you got any additional data that you don't necessarily need? What else might it be that you don't need? And then there's a balancing test. Do the individual's interests override the legitimate interest? Okay, so in this situation, we have to have a balancing situation. What about the individual processing? Is it reasonable to be doing so? Is there any element that could be considered unfair that needs to be taken into account? The GDPR does provide some examples and mentions fraud, marketing, client or employee data for businesses, and IT security as possibles for when you might be using a legitimate interest, although you need to consider that carefully and keep a record of your decision making in relation to that if you are relying on legitimate interest to do so. But there can sometimes be a legitimate interest for processing people's data. Just balance. I don't think are fair. What's that description to somebody, and what's the type and nature of the data that you're processing? Now, on that note, we should move on to talking about special category data, because special category data is more sensitive than other data. So this is where some people have data about them that's very sensitive. Let's say, on this list, for example, that's in front of us on the slide.
Health is a good example. I don't particularly like it if people have access to my health data that I don't know very well. I want to control who has access to the health data, and you may feel the same way. Okay. But we may need, as a law firm, to be in a situation where we process health data. Let's say we have a capacity issue with a client. We might need to make further enquiries about whether somebody has the capacity to provide legitimate, valid instructions in order for us to go forward with the case. Well, in that situation, we're going to be processing special category data. There's other data that falls into this as well, including race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life and sexual orientation. Okay, so there are all these categories, if you like, and this is now in special category data. This is more sensitive than ordinary personal data. So more sensitive than your name, more sensitive than your age or your address. Okay, so this special category data is more sensitive and needs more protection. Okay. In order to process it, you need to consider first the lawful basis of processing personal data, which we mentioned on that slide previously. So those six categories there that you remember I discussed with you. Okay, so that lawful basis for processing has to be there. In addition to that, there's 10 additional categories for processing special category data that need to be considered, and you need to have one of those as well. The most likely ones for law firms are explicit consent or where it's necessary for a legal claim to be undertaken. And so those are providing explicit consent to the firm. So you might say, for example, "We have to process this health-related data related to your capacity to perform a certain action, related to capacity to perform this legal transaction. We have to process your data", and being transparent and open with a client about you're doing that.
There was also a category in that second tier, if you like, which is where it's necessary for a legal claim, and again, this might be something where, for example, it was a personal injury claim that would fall into that category. So you have to have first the six lawful bases for processing, then those additional categories. Okay. A similar situation exists with criminal offence data. Again, we're looking at Article 6 of the GDPR, those six lawful bases for processing personal data. We also have to think about Article 10, and that says we have to be processing criminal offence data in an official capacity, with official authority. So this isn't for you to look at if you are processing criminal offence data: Article 10 of the GDPR. Processing of personal data relating to criminal convictions and offences or related security measures, based on Article 6(1), should be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions should be kept only under the control of official authority. Again, a similar situation exists relating to the data belonging to children. In the UK, Georgia number 13 can offer consent as a lawful basis for processing. So if they understand, it's important that they have a full explanation tailored potentially to them so that they clearly understand the terms of what they're signing up to; they can provide their own consent for processing. And again, you have to have a lawful basis under those six lawful bases that we've talked about previously. Otherwise it's down to parental responsibility to think about signing to say that their child consents for their data to be processed. There are specific requirements to think about protection for people if there are for user profiles and when you're considering marketing as well.
So thinking about that, making sure you're not taking advantage of a dangerous situation by marketing to children or where you're creating a user profile by summer. Child, sometimes with strength, is going to be need again. Make sure you're not taking advantage of the situation, making sure that if you are gaining consent, that you understand about Walker processing, being completely transparent about that, and thinking about the way and the language in which you're framing. There are some situations in which the rights of the child are going to be important to think about; make sure that you're balancing the needs and the best interests of the child. Now we'll see later that data privacy impact assessment, and have to get those right, the data privacy impact assessment does require you to consider... you are required to consider a data privacy impact assessment sometimes in relation to data relating to children. And it's a good idea to do that deep dive if you're dealing with sensitive data relating to children, to make sure you're processing that in the right way. Okay, so this is where you're going to need to do that further work to make sure that's being processed in the right way. Within your on day three. The ICO refer to Article 3 of the United Nations Convention on the Rights of the Child: in all actions concerning children, whether undertaken by public or private social welfare institutions, courts of law, administrative authorities or legislative bodies, the best interests of the child will be a primary consideration. Okay, so let's then move on to thinking about GDPR, and I'm also thinking about data protection and how we can bake that in, if you like, into our processes. So this is a concept called data protection by default, data protection by design. It's also known as privacy by design. We have to think about various steps relating to the GDPR and how we're gonna fundamentally use that within our business.
It means to become a fundamental pillar of our business so that we safeguard privacy within our business as a whole. We start with the premise that all personal data is confidential, and if you're a lawyer, if you're a solicitor, for example, if you were in licensed conveyancing, that is true in terms of the CLC and the way they require you to keep personal data confidential, and that goes beyond the rights in the GDPR; that also applies to your professional obligations. From there, we have a lawful basis for processing personal data. When somebody comes through the door that says to implement new file, or when we're starting a potential new client relationship with somebody, we're thinking about what basis for processing we have, and we have those six lawful bases that I talked about in the beginning. I've chosen consent on this slide as an example, but you might have a different lawful basis for processing. Okay. If you're processing certain types of data where there's a high risk of something going wrong, where it's particularly sensitive, there's a high impact on somebody, you're going to want to consider a data privacy impact assessment. Okay, that begins before you start processing the data. I'll talk more about data privacy impact assessments later. You've then got that consent or other lawful basis to process, and you've done your data privacy impact assessment if you need to, which informs your approach to processing that data and how you're going to process it. You're then set for processing. People can start inputting the details into an email. People can start inputting the details into the system. In that situation, then, you're thinking about how the firm's interacting with the data: what they're doing with it, how they're pulling it apart and putting it back together again. What's happening with me in respect of the family situation underscored what's happening with me. In respect of the will I want to write.
How is that being used, and what personal data would be taken from me in order to determine my instructions and in order to determine what you needed? Okay, so that's about the processing, bearing in mind that somebody can have access to their data and that data potentially could go back to the person concerned. So or don't I think your story has to be factual and must be kept professional. There have been some instances I've seen where people have written things about clients that PAP section to Britain. So in that situation, we have to say we have to keep everything professional. We have to make sure that anything that's recorded is factual about what's happened with the client. Clients also have the right to port that data over to a similar provider, so obtain the personal data and give it to somebody else. If they're giving you lots of information about a house purchase, for example, they won't take it Well, they might ask to port their data if they want to start the transaction with someone else, so they don't have to fill in all the forms all over again. They might ask you for that data in a portable form. If there's a data protection breach, we have to think about reporting it to the ICO, and you should have policies and procedures in place for making sure that people can identify data protection breaches, that they know what to report to the ICO, and that reporting mechanisms are in place to your data protection officer. We also have to think about storage of data and how we deal with that. What are your destruction policies in place? Are they adhered to? What's the security like in the way you store your data? We should also be aware within our firms about the distinction between data processors and data controllers. You might think about the controllers, if you like, being the ones in charge. OK, so the C that stands for the controllers being the ones in charge. OK, but both stop it said in charge. OK, and that's the easy way of remembering it.
They're the ones with overarching responsibility for policies, procedures, the way things are done, for how it's all being set out within your firm and how data is being processed. Okay, they take the overarching compliance responsibility. A data processor is somebody who just does the processing of the data, and somebody else has probably told them how to do it and what's necessary to do it. Now, both of those parties of duties to the client country more whoever. Personal data processing. But they have to make sure that they only process data in the way it's supposed to be processed, and that it's processed fairly, transparently and accurately. We're not going and being nosey into people's data that we don't need to know about. We're respecting people when we deal with their personal data, and there can be fines levelled against people for failure to comply with their obligations in respect of data protection. That could be for both processors and controllers. So the processors are likely to be the staff who are told what to do, and the controllers are not to be people with responsibility for compliance. Let's move on, then, to looking at the data protection principles. The data protection principles concern lawfulness, fairness and transparency. So that's the first one. We have to make sure there's that lawful basis for processing personal data, and we've seen some examples of where there's additional criteria as well to comply with. Okay. Then we have to think about fairness in dealing with data protection. We have to make sure that we're balancing those interests of everybody. We're not just taking somebody's personal data and doing whatever we want. Making sure, for example, where we rely on the legitimate interest, that we've considered those tests and we demon on there. Also, we only deal with data for what we need to do with it. We're also gaining that consent and being transparent when we're dealing with and using their data.
We're being transparent with clients about how we're doing so. So in the client care letter we're not only seeking consent, but we're describing all the actions we're going to do. If you're in a data-driven firm where you're using data to predict the outcome of cases, for example, you're being honest with clients about that's what you're doing, and this is the benefit to you. We would like to do that with the data relating to your case. We also have a purpose limitation. If we say we will only process personal data for what it's necessary to do, we're not gonna pass it on to a third party, for example, sell it on as a data set to somebody else. Okay? We're only here to deal with the data in the way that it was intended. We're gonna minimize the data that we hold. So if we don't need somebody's data about something particular relating to them, they're giving us instructions, but they've given us too much information, we don't need to record certain aspects of it, and some of it might be sensitive. Okay. They could ask for that thing to be redacted, or you could make the decision: we didn't need to know that piece of information. Okay. We need to make sure that data is accurate relating to that person. People have the right to ask for data to be corrected, as we'll see on the next slide. So it's important to make sure there is an accuracy element to what we do. There is also making sure that we consider limitations on storage, so that we're not holding data for large amounts of time. Okay, we need to understand why we're storing data and make sure it's legitimate. Okay, we only store the data that we need. So again, we're not processing and using personal data or keeping it when we don't necessarily need to. In terms of security, they're talking about integrity and confidentiality, making sure that we've got the data, we know where it is, and that it is kept secure and confidential, and the individuals within the firm
accountable for how they're using personal data, and that applies to staff, making sure they're not being nosy into different people's matters who they won't know. For example, accepting three different things. Just falling out information or discussing that private information with people. If they do, they're accountable for the actions; there could be consequences. Making sure the firm is accountable, making sure that people feel responsible and behave accordingly in relation to personal data. Let's move on to having a look at client rights and how we're dealing with handling them. Now, client rights relate to how clients can access their personal data. But there's a relationship with that with the firm as well, so in relation to all aspects of private rights, there is a two-way relationship with the firm. So to say to somebody, "Well, actually, you can request this data from us." However, we also have to have the right to respond, to think about your request. In addition to that, there are some exemptions to the GDPR, and the exemptions often apply to the client rights. So, for example, some exemptions to the GDPR apply to, for example, domestic purposes. If you're just somebody who uses somebody's personal data for your everyday domestic purposes, and it's not related to your business in any way, then the GDPR rights do not apply to them. But if you're and also in addition to national security as well, there are some exemptions; we'll go through them. Relating to legal professional privilege. There are some exemptions related to crime, for example, in the prevention of crime. Some of these exemptions that we'll talk about later mean that for some of these rights, you know, there's an exemption to complying with them. That might include, for example, the right to be informed. The right of access. I've put two stars that he's a common ones be taken out process.
For example, if you've got an issue of national security or crime prevention, somebody may not be informed of the processing of their personal data in relation to that. Okay, so they may not comply with that right to be informed. In addition to that, they may not have a right of access to that information or know what that information is about. But generally speaking, these are the rights of clients in relation to their data. There is a right to be informed. So they have the right to be informed about what their personal data is being used for, how their personal data is being used, and that you're gathering and collecting the personal data. So if you are using it as a data-driven firm in order to process different things in different ways and to provide a better overall client experience, um, so thinking about using data to predict the outcomes of cases, for example, and the collection of attention, you have to inform the client, perhaps at the outset of the matter, that that's what you're intending to do, and this is the benefit to them, and gain their consent. Be transparent about doing that. Clients have the right of access to their data, and this relates to, for example, subject access requests. So this is what I was talking about: it almost stretches the term personal data. What you're saying is it's not just the personal data, so the fact that they've used your name, the fact that they've used your information; it's the fact that they've attached something else to it. Well, that might be their personal opinion. It might be their assessment of a situation or circumstances, and you have the right to see all of that, which poses, then, question marks for the business as to what needs to be disclosed, and you can go through, and there are ways in which to say, well, we're not going to disclose certain things. So there are things that you don't have to disclose in subject access requests.
Similarly, in relation to all of these client rights, there is the right sometimes to go back and say we're not going to disclose this, we're going to deny a part or all of this fighting relationships, or we can't cooperate with this because of a particular business reason; there are forms and means to challenge this in some circumstances in relation to client rights. Generally speaking, you have a month to comply in relation to all of these things that are set out, and what I've done, in terms of that pushback availability and where that might be, is indicated that in your notes, with points throughout to find further information. At the moment, subject access requests. Another client right, the right to portability, for example: there's a relatively low take-up in relation to this, so it's something where, if I went into a large firm, they might have had more, nor to requests in the last year. It's not something that is happening all the time. People are not necessarily taking this up in the way in which, you know, it becomes a burden or something. However, it is something that can be used. Clients have the right to rectification of their data and any inaccuracies in that. You might be getting erroneous results, for example, out of a data-driven process, and the outcome is not what you expected, because the data is, well, you might be in a situation where you can tell there's inaccuracies in personal data because of the way people are behaving. So in that situation, you might have somebody requesting to see what personal data you have. They have a right for that to be put right. We have to make sure we have data about somebody that is correct. There is a right to have that data erased. Okay, the right to be forgotten. We can see this now; a good example is on Google. If you go into a search engine, people want the right to be forgotten in search engine results if data is erroneous or it's historic. There is that right to be forgotten. There is the right to restrict processing. So in some situations, they might.
I don't want to process this particular piece of data. They might have given you a piece of personal data and then said, well, actually, please don't process that piece of personal data if you don't need to for this transaction. There is the right to object to being contacted, for example, for direct marketing. There is the right to object to data being processed, including the absolute right to object to direct marketing: people phoning up, asking you if you've been in an accident. You can sign up to the Telephone Preference Service, for example; you've got the right to object to direct marketing. There are rights also related to automatic decision making. Clients should be told if there's automatic decision making in place, and there should also be an opportunity to come away from that process and have access to a human being. Those automated decision-making processes should be reviewed on a regular basis to ensure that there's challenge built into the system and that processes aren't producing erroneous results. This is the "computer says no" type scenario, which could be very frustrating for people. Okay, so coming out of that process and getting things put right with that challenge can be an important part of the process. Now, when we're talking about processing personal data, we have to, as I said, think about storage limitation and destruction periods. There are specific requirements in place if you are regulated by the Council for Licensed Conveyancers or if you're regulated by the Solicitors Regulation Authority. The Council for Licensed Conveyancers is specific about what they want you to do and how they want you to store the files. What the CLC code says is you retain the contents of files relating to all matters for a minimum of six years, except those relating to conveyancing other than the sale of property, and that becomes a minimum of 15 years. So what they're saying is for a sale file, you're going to keep that for six years. For a purchase file.
You're going to keep that for a minimum of 15 years. Wills you have to keep for a minimum of six years after the testator has died, and probate matters for a minimum of six years from the end of the executor's year. And the SRA has introduced new Standards and Regulations. Those are coming into force from November, but that's the current situation. So today we're expecting the new Standards and Regulations coming into force in November 2019. The new Standards and Regulations don't specify a time limit for holding onto files, so the Law Society is probably the authority on this subject, and what they say is there is no fixed period. But it is important to consider both the client's interests and also that of the indemnity as well. You might want to speak to the client directly about how long we're going to store their file for, how it's going to be stored, and what access they might have in relation to that. That might be of particular interest to anybody who's making a will. It's important to think about also, in terms of professional obligations, your professional obligations relating to confidentiality. So the CLC is very similar to the new SRA requirements and Standards and Regulations in this respect, and what they say is you keep the affairs of current and former clients confidential unless disclosure is required or permitted by law or the client consents. On the slide in front of you, you can see that is taken from the new SRA Standards and Regulations, which come into force in November 2019. What I've done as well: I have quoted the new SRA Standards and Regulations that come into force in November 2019, or we're expecting them to. I've also within your notes quoted the current versions of the handbook as well, if you want to go have a look at those. However, this is very similar to the CLC code that says clients' affairs are treated confidentially except as required or permitted by law, or with the client's consent.
Okay, and it's important to know this goes beyond what's required in the GDPR by some way. It really does. It says that really there is no point at which you could disclose that, even after the destruction of files. So you may see somebody walking down the street, and you know that you've destroyed their file; you represented them more than six years ago. You still know who they are. Okay, you're still required to keep those details confidential. And there's a professional duty that attaches to that. Any breach related to a breach of data protection may also be a breach relating to client confidentiality, and there may be reporting obligations relating to both the Information Commissioner's Office under the GDPR and also to the CLC and/or the SRA, depending on your regulator as well. So do consider the position carefully. Now, let's also think about the obligation, and this is an obligation under the GDPR, to bake in our processes. Where I've just been talking about the new SRA handbook, this is a good opportunity for you to go through your policies, your processes, your procedures, to have a look and to say, this is what we're going to be doing in the future. You know, we're going to potentially rewrite our handbook, tell all up we do it, all those kinds of things, and this is an opportunity for you to take that other look and say, have we truly baked in the GDPR into our processes, and what does that look like? And the idea with baking in, or data protection by design and default as it's called, is that data privacy and data handling should be considered in all of your processes from the very beginning. You can do data privacy impact assessments where necessary, but also you can take the opportunity when you're rewriting your handbooks to go back and say, did we consider data protection in relation to this from the very beginning?
So it's really an opportunity to take another look at that and say, can we bake it in, those are the words that they use. Can we bake it in, in some way mix it all up in there, so that every time we're thinking about a new policy or procedure: does that have an impact on data? Does that have an impact on data? Does that have any impact that you need to go back through and have a look at? And it's a good opportunity, and it goes some way then to showing and to evidencing, if there ever was a data protection breach and you communicate with the CLC and the SRA as well, that data protection has been baked in, and it really is a fundamental part of the business, and we've thought about it all the way through. Okay, so let's move on to thinking about reporting to the Information Commissioner's Office. Now, I've talked about in the previous slide when you might need to consider reporting to the SRA and/or the CLC, and that's if there's a breach of confidentiality, for example. And there is an element of also considering whether you need to report to the Information Commissioner's Office. Now, it's important to think about when you're doing this. There are different requirements, depending on the regulator that you're dealing with. And do go away and have a look at each individual regulator's requirements. We're not going to cover that in detail in this session at all. What we're trying to cover is those basic elements of the GDPR and what the ICO requires. Now, what the ICO says is that you should assess whether there has been a breach, and if there has been a breach, you need to make a report within 72 hours. Now, I point out on this slide that there are heavy penalties for data protection breaches. So it is something that needs to be taken very seriously for all firms. Okay, so you need to have a think about that, and putting in place.
The right policies and procedures within your firm is going to be really important, making sure that you're demonstrating that you're putting in place those policies and procedures and that you're taking all the steps as a business that you possibly can to respect and bake in, and those are the common terms, in respect of data protection and data privacy. You must also think about informing individuals as well. And informing individuals is a new option for you where you are considering also making a report to the ICO. Also, there are criteria in relation to making a report. To make a report to the ICO you have to have in place the ability to investigate a situation and to find out, as best as is possible, whether there has been a data protection breach, so that capacity to do so and the capacity to act on potential breaches is important, and this can also help you limit any data protection breaches. So, for example, if somebody leaves a computer on a train, do you have the option of safely locking that or wiping what's on the electronic device? That can be useful mitigation. You have to have the capacity within the business to do that. Is that something that you want to invest in? And what's the nature and size of your business and the personal data that's there? That will be a balancing practice, sort of, to take into account. You need to make a report to the ICO, and also to individuals, where the breach has been severe and where there's likely to be an impact on the individual's rights and freedoms. And this is really thinking about the type and nature of the breach and the type and nature of the data that's been disclosed. So individuals, those for whom you're holding special category data or more sensitive data.
So, for example, data belonging to children, data relating to criminal offences, anything like that where we've got the additional layer of requirements put in place, or where there might be some additional sensitivity around a particular issue: there's more likely to be an impact on that individual in relation to that. Okay, so bearing those things in mind, it's important also: the severity of it as well, and the likelihood that that breach has taken place. So if it's something where you can lock the computer remotely or wipe it of any personal data, we don't think there's been any data breach. Make some point in relation to that on your IT security systems. Or, so, you've managed to repel an attack before it really got going, and nobody had any data taken. Then in that situation, you don't need to think about making a report, because the likelihood is very, very small in relation to that, if you managed to tackle it. However, something where somebody's taken a box of files containing highly sensitive information, they left them on a train, you got off the train, you know, daydreaming, you know, not thought about it. This is a situation where, you know, if it's very severe in that it's highly confidential information and very, very sensitive and, let's say, for example, there was information that was highly confidential and would be in the public interest if it was disclosed, you know, people would be interested in that because it related to public figures, for example, or something like that, then that's the kind of situation where it might have an impact on someone's rights and freedoms. You do have to think about making a disclosure in that situation to the ICO. So there are different ways of weighing this up and also different requirements relating to the Solicitors Regulation Authority and the Council for Licensed Conveyancers. Personal data breaches: these are some of the examples from the ICO. I take them.
They can include access by an unauthorized third party; deliberate or accidental action or inaction by a controller or processor; sending personal data to an incorrect recipient. So we all do this. How many people have auto-add on their email function? That's, um, you know, a usual, common way of data breaches taking place. So sending personal data to an incorrect recipient; computer devices containing personal data that have been lost or stolen; alteration of personal data without permission; and any loss of availability of personal data as well, where you would normally expect it. So if you're in this situation, there are mitigating factors that you can take in order to get better. Think about making sure that data is secure. And that's one of those data protection principles, bringing that into action to say data has to be secure, and it has to be acted on in the right way. So there are different mitigating actions. So one of the things, for example, you can do is on emails, if you can: instead of having auto-add, where you might type in John Smith, but you might have a number of different John Smiths, and confidential information goes off to the wrong one, you can be in a situation where, you know, you can turn that function off on your Outlook, and instead you have it so that somebody has to input the data every single time. So there are mitigating factors that you can take and policies and procedures that you can put in place to try to stop these things from happening. You might be in a position where you say, well, no one takes any physical paper out of the office. We're not having people leaving files on trains. We're gonna combat that by: nobody is allowed to do that. You're literally not allowed to walk out of the building with anything. So there are different ways of combating some of these common, you know, pitfalls.
If you like, that people fall into in terms of data breaches. It is important to consider whether to report to the ICO, and also whether to report to the individuals as well. They may have the right to know if there's been a data breach in respect of them. There is also a need to consider, as we've discussed throughout the course, data privacy impact assessments. So there are certain requirements to do a data privacy impact assessment, and we'll talk also on the next slide about that. I've got some examples of where the ICO would also like you to automatically do a data privacy impact assessment. But generally speaking, what they say is you must do a data privacy impact assessment if there is a high risk to individuals' data. So you have to conduct a risk assessment yourself when you're thinking about a new project, or perhaps when you're thinking about the type and nature of data that you as a firm hold and process. It can be a good idea, if you've got a very complicated situation or if you're handling sensitive data, to do that deep dive into the data; that gives you that opportunity to weigh up what it is that you're processing and how you're securing it, and also do you need extra security in certain departments. So, for example, do you automatically need extra security in your family department, because of the sensitive nature of the data that you might hold? So how does that work? Have a look at who has access to that data. Can you block it off in your system, for example, so that some people can't see it? Okay, so doing that risk assessment gives you that option, and you have to think about the risk, the probability of something happening, but also the impact. Okay. And you might do a data privacy impact assessment simply because there could be a large impact on somebody's data. That would be a justification in itself. You know, the impact will be so large.
If somebody's, you know, sensitive family data was disclosed, you might go ahead and decide, yes, actually, we're going to do this data impact assessment, and we're gonna think very clearly about how we secure it and put those extra security measures in place in relation to that. It's good practice to do it if you're doing any major project as well. So let's say you're changing your computer system over and having the support people come in to do that; you've got lots of people crawling all over your data. Okay, what's the impact going to be on clients in relation to that? Can you secure that? Have you got the right security measures in place? So a data privacy impact assessment allows you to assess the situation, but it also allows you to put mitigating measures in place, and that's the benefit of doing it. Then you've demonstrated, if there ever was a problem, that you didn't take it when you put those mitigating measures in place, which is highly likely to be taken as a positive step if there ever was any data breach as a result of what's happened. So if you're doing a data privacy impact assessment, you should describe the nature, scope, context and purpose of the processing that you're going to undertake. So this might be, for example, processing children's data in relation to family matters, and you might describe what data you're processing. It might be: we've got a new computer system coming into place, and we're going to describe how we're going to use it to process data. And we're going to describe how we're gonna transfer all the data across, and all of the people that are gonna be involved, their qualifications. We're going to be thinking about the security measures and the contractual arrangements we have in place. We have to think about necessity, proportionality and compliance measures.
So what are the different things that we can put into place to make sure that we comply still with our requirements for security, for fairness, making sure that we're thinking about only processing the data that we need, but also that proportionately this also works in our legitimate interests as well, because a new computer system might actually be more secure. Okay, provide parents with great event, so yes, actually, it probably does work out in the end. We can identify and assess any risks to any particular individuals. So if you're moving data across in your system, for example, is this particularly sensitive data? Is it holding special category data? Do you want to protect that from outside contractors, or do you want to set limitations on them, or say we have to have additional security measures in place in relation to this? And how can we build that into our new? So we can identify any additional measures that we can take and also risk mitigations that we've just talked about. OK, so there are some examples there, and those are the kinds of things. And so the benefit of doing this is to really risk assess and plan what you're doing, and if you're a larger firm that undertakes project planning as a normal part of its core business, this might be something you're undertaking anyway without realizing it. So it's very, very similar to some of those I had so processes of luck. Planete review might be planning it all up in a months anyway. Very similar to project management processes, about thinking about what you're going to be doing, any risks and issues in relation to some of these things, any of the risk management tools that you might have in place within your practice. If you're a small firm, it's a very simple tool to sit down with the management team and provide that discussion point for your lawful basis for processing, any additional considerations beyond that lawful basis for processing.
And also how you're gonna manage risk, mitigate it, or task somebody to go and do those research points into IT security. That might be, for example, how you can secure the building, what you're going to do about clients who come in, teaching of staff to challenge anybody who comes in who might just be walking around the building. Those are the kinds of things that you can start to think about: training of staff on confidentiality. There is an example of a data privacy impact assessment, a template there, that's provided within your notes for you to go and have a look at and to implement in your business. And there are examples on the next slide of when the ICO would like you to do that. You can do consultation as part of your data privacy impact assessment. So if you're a small firm and you're sat around the management team, let's go out and discuss it with staff: what do they think? Can they see any points where they're a bit concerned about data privacy? Have they been in any situations where they felt that perhaps you could do with a bit more security in relation to something, or anything that would ease them about something? Sometimes they're the eyes and ears in the building, and they can tell you: actually, sometimes I am slightly concerned about people walking past the window, and all of the client files with client names on are sat up on the window. Those kinds of things can be something where we say, well, actually, you know, we need to change our way of storage in relation to that, and we can build that in. So these things, the feedback coming, but you can also involve outside stakeholders as well; it doesn't just have to be staff. So let's move on to the circumstances we're thinking about when the ICO would like you to do that data impact assessment. The ICO requires you to do a data privacy impact assessment if you plan to use any innovative technology. We're gonna talk more about that towards the end of the webinar, and to think about this.
There's something brand new that you're using: definitely put in place a data privacy impact assessment. If you think this is particularly innovative, it's something that needs basis to make sure we understand the full ramifications of it, and also has it been tried and tested? Do we know what's happened in relation to other law firms who might be using this? If you're using profiling or special category data in order to decide on access to services, certain people might fall into certain categories and then get certain services. You need to do a data privacy impact assessment to make sure people get the right services. Make sure it's necessary, and why is it that you're making decisions about the services that they're having access to? What does that look like? Are they getting the right result? Are those results erroneous? If you intend to profile individuals on a very large scale, okay, and is that your client base? On what basis are you doing that? And why is that? Why is it necessary to do it? If you're in any way processing biometric data, and there are some, um, situations now where people are starting to process biometric data in order to establish true identity for know-your-client, anti-money-laundering purposes, because in some parts of the world, for some people, having basic forms of ID can be an access issue and a challenge in order to obtain legal services, or banking services, for example, which are regarded as being necessary and basic for human life. Now, processing biometric data is an extreme example of, you know, identifying somebody, being able to process true identity. You can also process genetic data. Are you using genetic data in any way? Again, this is where you have to do a data privacy impact assessment. If you're matching data or combining data from different data sets; if you obtain data from somebody else, with a third party, perhaps it's been done with consent.
Make sure that you're bringing that across and you're thinking about a data privacy impact assessment. And if you are collecting personal data from a source other than the individual, and you're perhaps collecting it with a third party, and you're not providing them with that transparency that we talked about, so that privacy notice, then you have to think about doing a privacy impact assessment, and that might be that you need to provide that, or think about how you're obtaining that data and what's being done in that way. Um, if you're using it to track anybody's individual location or behaviour, if you're using it to profile children or target marketing or online services at them, and that's something that we mentioned earlier. So there's that fairness principle in dealing with situations. If you are processing data that might endanger the individual's physical health or safety, and whether there's any security breach that could occur in relation to that. So you should also have in place a data protection officer. They have to be the contact point for the Information Commissioner's Office, and they have to take responsibility for data protection, and they have to be an expert on data protection. They also have to be adequately resourced, and they have to report into the highest management level possible, be part of it, and ideally be in those very clear conversations with the appropriate level of influence in order to direct data protection policy and to make sure that the voice is being heard in respect of data protection, and to facilitate that baked-in process. They have to be heard in order to be able to say, yes, we do want to do this, this is an ethical consideration within the business, and to make sure that things are adequately being done in divine wise. That's data protection being taken seriously, and data protection and those concerns being heard, and the appropriate levels of challenge being provided, if that's what's necessary within the business.
So that's the role of the data protection officer. I have seen situations, and I'm sure you probably have as well, those of you with more experience with compliance, but sometimes those roles within compliance aren't necessarily the roles that you expect somebody to be fulfilling. Have they got the right level of influence? Is somebody taking advantage of a situation? Those kinds of things can pull out some pinch points in terms of compliance. The data protection officer, if you've got any concerns about data protection within your firm, should be the place that you go to. But they should also be somebody who has that influence and challenge within the organization. Let's move on to looking at some different points and common queries and common problems, if you like. We're gonna have a look at money laundering reporting, and also have a look at exemptions to the GDPR as well, before we then move on, finally, to having a look at a data-driven firm and some of the ethical challenges around being that kind of data-driven firm. So, money laundering reporting. Just be aware that reports that you make to the National Crime Agency might be disclosable, particularly if they're historic and, you know, there's not necessarily going to be concern about tipping off or prejudicing an investigation, so it might be disclosable to the client. There are also possibilities for you to disclose information in terms of communicating with the other side about disclosures under anti-money-laundering legislation, which are contained within the Criminal Finances Act. Also, there's a provision for talking to the other side about laundering within the Proceeds of Crime Act as well. If you're in that situation where you are making a report to the crime agency or have concerns about money laundering more generally, it's important to consider the position generally. So do bear in mind that there is a myriad, if you like, of different factors that are conflicting in there: you mustn't tip off people.
You must only disclose the information that's necessary, but you can discuss with the other side if you don't suspect that they're involved in money laundering. If you made a report to the NCA, once it goes past a certain point it becomes highly unlikely that any further action is gonna be taken and, you know, if it's been left some time, it might be a historic issue, so do bear that in mind. Sometimes these things get into a situation where it could ultimately be disclosed to a client, the fact that a report has been made to the NCA, so do take legal advice if you need to. But those things are points that are worth bearing in mind and thinking about when you're dealing with money laundering. Let's move on to thinking about exemptions from the GDPR. There are general exemptions, and the ICO point out, if you know somebody personally, you're not dealing with the GDPR when you're dealing with domestic purposes. Okay, so there has to be a distinction between the two. Everyday domestic life is not covered by the GDPR. There can be a distinction between that, your home life and your work they can, because between two. But again, you might be in that position where you might say, well, actually, I'm always working, even when I'm home. Law enforcement: the processing of personal data by competent authorities for law enforcement purposes is not covered by the GDPR. So if you're in one of those bodies, you might be in a situation where you're not covered by the GDPR. Similarly, if you're interacting with one of those bodies, you might have to bear in mind that they know coming to the body feeling the same. Why There's also exceptions when dealing with matters of national security. Okay, but personal data is being processed.
Clearly, for the purposes of safeguarding national security or national defense, that is also not covered by the GDPR. There are exceptions that might apply to your firm relating to crime and taxation. And for the prevention and detection of crime, there might be an exemption to the GDPR. There's also exemptions relating to legal regulatory functions, and that includes the work of the Legal Services Board or some other legal regulatory functions. There's further detail provided in respect of that in your notes, as this is getting into quite some detail. Some further detail is provided in your notes, with some further comments relating to each of the exemptions, as noted, provided in your notes. There's an exception from the GDPR relating to self-incrimination, and also relating to judicial appointments and judicial independence proceedings, including sitting in a court or tribunal acting in a judicial capacity. There's also, interestingly, um, an exception to the GDPR for journalism, academia, art and literature, which I always think is quite interesting. So if you fall into one of those categories, there may be an exemption to the GDPR. However, there are quality leery. That's behind that as well. So it's not a blanket exemption. And as we've seen, some of these exemptions don't apply wholly to the GDPR. They apply to set parts of the GDPR. They might apply to client rights, for example; they might apply to certain articles relating to the GDPR. So again, if you think that an exemption applies to you, there's further reading in my notes, but it's something you can go to further reading on; there are very much detailed provisions within the GDPR that we would be getting into then. This really is a very basic tour of the main terms, at that sort of refresher level for people coming back and thinking about the GDPR again. There is an exemption, interestingly.
In relation to legal professional privilege, what it says is where there's a claim to legal professional privilege, or confidentiality of communications in Scotland, or in respect of which a duty of confidentiality is owed by a professional legal adviser to its client, it exempts you from the GDPR's provisions on the right to be informed, the right of access and all of the principles, but only so far as they relate to the right to be informed and the right of access. And so this gives you an example of when I highlighted those points in the client rights box previously, that this is the kind of thing where it might exempt you from part of the GDPR. But it's certainly not going to exempt you from all of it. And so in that circumstance and situation, you can say we're not going to disclose this data to somebody. It might be data relating to the other side of the post process that personal data; we can use the exemption related to legal professional privilege. So in that situation it exempts you from the GDPR's provisions on the right to be informed and the right of access as well as all of the principles, but only so far as they relate to the right to be informed and the right of access. So this is what I'm saying previously. That situation is that people might be exempted from the GDPR, but they might be exempted from part of it. It's unlikely they're going to be exempted from all of it. So the situation with legal professional privilege: if you're holding data of the other side and they make a subject access request to obtain that data, you can say, "Well, no, actually, this is covered by legal professional privilege and the GDPR mirrors that. You don't have the right to be informed of that, and you don't have the right of access to that data either."
So there is, um, a provision there that exists for you to sort of say that legal professional privilege mirrors that which is there in relation to the GDPR. Now, in relation to international transfers of data, there's something to bear in mind relating to that. The general principle is that you should stop and think about it if you're going to transfer personal data outside of the European Economic Area. Now, this is under the GDPR. Individuals risk losing protection of their data, because the GDPR doesn't apply if it's transferred outside of the European Economic Area, and it's called a restricted transfer. So it's something that should be in some way restricted. There are some approved nations which have an adequacy decision, so this is where they're saying that the protections in place are adequate, so they're similar or the same, so they're adequate, and this includes a number of countries in the world. But I've just put some that are close by for ease. It includes the Isle of Man, Jersey, Guernsey, I think also news, even dishonor and a couple of other countries. So it's important to think about that. If you want to think about transferring data outside of the European Economic Area, the ICO has helpfully put together some standard clauses relating to this, and they're available on their website for people to use if they want to. There are also some full guides in there about using things like binding corporate rules. If you're a public body, you can use some enforceable instruments. So it's one of those things where there are options there if you want to do international transfers of data. But it's something where there needs to be some quite tight and well understood situations related to that, in terms of where you transfer personal data to and what the requirements are, and there's further information in your notes with some links there to what the ICO has said in respect of that. Let's move on then.
Along the same theme, to thinking about Brexit and the GDPR. What the Information Commissioner, Elizabeth Denham, has said is the status quo will largely be the same for us in terms of complying with the GDPR. The GDPR is not gonna go out the window just because of Brexit. We therefore are going to be fine sending data across to the European Union. However, if you have partners in the European Union that are sending data back over, there may be a difficulty. Okay, so in that situation, have a chat with those that you have contractual relationships with there. See if you have the party relationships with any of those structures that you have in place, to see how that is going to affect you in terms of Brexit and what that looks like. This might be something that springs up later. It may be, in time, you know, we've implemented the GDPR, there may be agreements that are being put in place as time goes on, or something akin to an adequacy decision that comes about after any implementation period. It is not, at this point in time, clear whether Brexit will take place and what the implications of that will be, whether it's a no-deal Brexit or not. So this is the best information available. Also consider group and parent company structures as well, and how that works with the provisional flow of data. So think about the legal basis on which that's being done. So then let's move on to think about the implications for your firm, and this is really taking that further step to say whether law firms can truly be data-driven and what that means for the clients. So the increased use of artificial intelligence, what that looks like for clients and how that works, and whether client services can be impacted in those particular ways, and the fairness principle in relation to that, some ethical considerations. So thinking about how you're processing client data:
What data are you gathering and how can you use that in ways to deliver the best client service, but also, are clients happy with you using their data in that way to create a data set that we can then manipulate and consider? If you're doing it, for example, to reduce complaints, you might have to say to the client, "We're gonna take this data, we're gonna put it into a data set, use it in different ways, and other people might have access to it." You might be using it for business development. You might be using it for target client management, so to target individual clients to say, "Would you like to come and use our services?" You might use it for client onboarding and for saying, you know, this is the type and nature of service that the client requires according to who they are. You might use it for ongoing client file management. What are the outcomes that come out of this particular file? What were the circumstances that led up to this, and using the data that you had before, that you captured in your computer systems, to build a data set? So, you know, experts y equals have said, you know, there's lots of different things that you can do with a data set that you've gathered, and that can then inform the provision of service to clients and tailor that service to your client. Now, in doing that you have to think about processing client data for that purpose. Are they happy with you doing that? Is that the kind of service that clients are necessarily going to want, or do they still want a more individual-based service? They come in and they tell you what they want. They expect professional advice from the solicitor that they see. Or do they want that feedback? They will most of the circumstances. This is what happens and are you people. It's at your experience.
This data set that we're developing, have we thought about all of the data points in that data in order to provide a sophisticated enough analysis to provide that level of bugs, and what are the steps that come out of that process? So you're doing the automated decision making. You might be, on the basis of that, doing more automated decision making. Do we need to come out of that process for equality and diversity purposes or reasons, or to provide that human intervention, challenge and human perspective? And so there's lots of different ways in which you can use data, but there's going to be ethical concerns around doing that. We're increasingly in a data-driven world. People take data and they use it for different things. And this might be how law firms are built and structured for the future. So there's likely to be ethical concerns about what that means, where data is transported to. If you're part of a parent company, for example, that is overseas, that might be a concern for you about how that's being dealt with and how it's being managed. It also could be part and parcel of what the client... It's something where people sign up to these things at the beginning in terms and conditions, and it isn't necessarily talked through to the nth degree, but might have to start to be as people find their data available in different places or being used for different things. And something else to bear in mind is the innovation, if you like, in money laundering, and what that looks like in terms of trying to find people's true identity. There's something called open banking now where people can use their bank records in order to help identify them, by asking questions and getting a question response in order to identify them, and that be part of their verification. You can also, in some countries, be using phone records made by phone operators and also biometric data as well. And this is the same kind of thing that you get with national ID cards come here.
So there's similar kinds of ethical concerns. Now, some people have access issues relating to accessing legal services or, for example, relating to accessing financial services, and there could be vulnerability there as well, and it restricts people: whether they're going to be able to get a driving licence, whether they're going to be able to get a passport, and the confidence that they have in doing that. And some of the solutions that are presented, however, might be more intrusive in the way that we know about, presenting a fingerprint, for example. Processing that very personal data provides additional ethical concerns. So you're taking a data set then from people who might be some of the most vulnerable and processing that for anti-money laundering. So there are, um, difficulties. And there are ever more stringent requirements for money laundering, for knowing and understanding a client. But there's also, very much, I would echo, that balancing judgment that is there within the GDPR about making sure it's fair and it's transparent and that people are aware in relation to that. So let's move on to think about what we've covered today. We've covered personal data, what we mean by personal data. We've covered special category data and what that means. We've looked at processing and how that relates to what we do with the data within special category data. We've also looked at criminal offence data and data relating to children. We've looked at the data protection principles and we've also looked at client rights. We've looked at the confidentiality aspect of the SRA CoC rules, and also data retention and destruction. We've looked at reporting to the ICO, and we've looked at exemptions as well to the GDPR and how they applied policy. Sometimes we've looked at data protection, so data privacy impact assessments. We've also looked at data handling in your firm and some of this.
But I was just talking about some of those ethical challenges, some of the future that you might see and how that sort of works with the future of law firms, so increasing technological advances and some of the ethical challenges that come from that. So that brings us to the end of this webinar. Thank you very much for watching. Do have a look at your notes. There's more information, more reading there, along with some different examples of things that I've put together from the Information Commissioner's Office, and also have a go at the quiz as well.