While the implications of the EU’s new data protection law, the General Data Protection Regulation (GDPR) for law firms are very broad, in this article, we will focus specifically on compliance with the reforms versus the need to have suitable records to defend negligence claims, and how this might impact the deployment of a PI insurance policy.
At present the GDPR offers no concrete guidance on how to deal with this issue other than not to hold onto data for “longer than necessary”. Unfortunately the “necessary” threshold will depend on the information, associated legal requirements and other underlying facts; to say that it will be complex and potentially fluid is perhaps an understatement. We will also look at this interaction with other legislation.
Historic Stance
Even before this new legislation a common question posed by many firms over the years was how long should you retain documents before it is reasonable to destroy them?. A good starting point was of course The Limitation Act 1980 and as a consequence most firms adopted the view that files should be kept for at least six years. From our experience (also evidenced in the widely available but specific lawyer’s claims triangulations) the vast majority of claims tend to arise within this six year time frame. For lawyers operating in certain work areas there is a likelihood of claims brought under the longstop section of the Limitation Act 1980. Courts will of course consider the ‘date of loss’ and ‘date of knowledge’ in deciding when to start the clock ticking on limitation. In some instances, firms took an indefinite retention view in respect of partnership agreements, company formation and trusts. Can this continue?
GDPR vs other legislation
A good example of another file retention conflict is anti-money laundering requirements. According to information from the Law Society, the anti-money laundering (AML) legal supervisors have agreed draft legal sector anti-money laundering guidance taking account of the changes introduced by the Money Laundering Regulations 2017, which came into force on 26 June 2017 (It is marked ‘draft’ because it is subject to approval by HM Treasury, which is expected later this year, and so may be subject to change).
Included within these requirements is provision to retain customer due diligence records for a five year period after a business relationship ends and/or the date a transaction is completed. However, we suspect that even though this is new guidance, it cannot now be viewed in isolation but must be considered in the context of the GDPR developments. GDPR imposes harsher penalties and transparency requirements, meaning that firms must up their game when it comes to compliance with data protection requirements in the context of AML. One questions how the implementation of combatting money laundering will compare to the need to respect one’s privacy; what will take priority and how will policymakers manage this conflict? It is also likely that the GDPR regime will become more onerous over time, forcing companies to manage changing data protection laws where the goal posts are likely to move over time.
The benefits of retaining files in the event of a PI claim
Typically professional indemnity policy wordings are silent on the issue of retention of files. However, you will see claims conditions refer to things like reasonable assistance in cooperating with the defence of any claim, and the use of due diligence to do all things reasonably practicable to avoid or diminish any loss under a policy. Therefore the retention of records can only assist in the defence of an allegation of negligence. From our experience the ability to recall a file (and we have seen the good, the bad and the very ugly of client files over the years) has only ever aided an insured and their insurer in promptly responding to an allegation of loss arising through professional negligence.
How you can protect yourself from the penalties of non-compliance?
Under the previous regime (ICO) fines have been paid by either professional indemnity or cyber insurance policies; this doesn’t necessarily mean GDPR fines will be!
In fact, under the new regulations, fines are likely to fall under the category of statutory penalties or criminal sanctions – making them unrecoverable by insurers. These fines are complicated areas, and until they are rolled out it will be impossible to affirm whether they can be recovered under a professional indemnity or cyber policy but you should, at the very least, work with your insurance advisor to ensure the policies wordings have been adapted accordingly.
