2022 was a big year for Data Protection in the UK, with proposed amendments to the ‘post-Brexit’ UK GDPR, significant fines handed out by the ICO (including the first to a law firm), and increased hype around the potential use (and danger) of AI.
So, what can we expect for 2023?
UK GDPR amendments
Let’s start with the elephant in the room, which is the stalled attempt by the Department for Culture, Media and Sport (DCMS) to introduce the Data Protection and Digital Information Bill. Initially tabled in Parliament in July 2022, following publication of the government's response to the ‘Data: a New Direction’ consultation, the Bill was put on hold following the chaos that saw two new Prime Ministers introduced in a matter of weeks. In essence, the DCMS has admirable intentions to cut red tape and simplify Data Protection, thus promoting business and innovation.
In my view, any good intention is mixed in with post-Brexit political chest thumping and a desire to slash and burn legacy EU legislation. The consequence will be the EU closely monitoring any proposed changes and consequently assessing the UK’s ‘adequacy’ status, which, if removed, will put the UK in the same data transfer black hole that the US is currently in – ironically creating a new set of problems for business and EU trade.
PREDICTION: There is no current date for the Bill to be sent back to Parliament, but I predict a resurfacing in 2023 followed by threats from the EU of potential data flow sanctions.
Certifications
The GDPR provided for Certification Schemes to be set up by each Member State to help clarify to businesses what compliance means and consequently enhance consumer confidence. In addition, they are intended to assist the supply chain by simplifying due diligence to the point that a certification avoids the cost and effort of data protection questionnaires and checklists when procuring a service provider.
The Certification Scheme also exists in the UK GDPR and the ICO started to introduce these around two years ago. They have recently gathered momentum and the first certification for Legal Services is due to be approved by the ICO imminently.
Although voluntary, it is expected that law firms, chambers, etc. will adopt such a scheme, which will also likely impact legal tech service providers in a number of ways. Firstly, one of the requirements for a law firm to get certified is to demonstrate that appropriate technical security is in place for the protection of client data. This is where the likes of iManage will be able to position their solution as both assisting with certification compliance and core to any law firm’s data protection strategy.
Another likely impact on service providers will be the use of certification to streamline procurement exercises. This is where System Implementors with mature data protection cultures such as Ascertus will see a competitive advantage.
PREDICTION: A significant adoption of both the new ICO approved data protection certification and ISO 27001.
AI
The potential use of Artificial Intelligence and/or Machine Learning in legal has been talked about for some time now, and has gained fresh attention following recent developments, not least the noise surrounding ChatGPT. Following significant law firm investment in ‘innovation’, which will no doubt come under pressure to deliver once the marketing hype dissipates, I predict announcements of new legal service ‘apps’ based on ChatGPT or some other open-source AI tool that offer simple, quick and effective responses to common legal challenges. There is no reason this should be restricted to legal services, and therefore I also expect someone to launch a first-line helpdesk entirely based on ChatGPT.
I would recommend that caution be exercised, however, as in the mini gold rush for a law firm to be seen as an ‘innovator’, it will be easy to ignore the potential issues regarding data protection. Two recent cases highlight the dangers of AI, the current limitations in its ability to understand context, and the potential for unlawful use of personal data.
Case 1: KFC – The Colonel found himself having to issue an embarrassing apology recently due to the Marketing team’s use of AI to generate social media posts on ‘celebration’ days, promoting bargain buckets and the like. Sounds like a good idea when it comes to Valentine’s Day or Thanksgiving, but the AI used did not examine the ‘context’ of important dates and subsequently sent out indiscriminate promotions for KFC on ‘Kristallnacht’ – an important and very sombre night in the Jewish calendar commemorating the infamous night of destruction and vandalism inflicted on Jewish businesses and synagogues in Germany.
Case 2: Schwa – The owner of this communications consultancy business decided to test his team’s recruitment process by submitting a CV entirely produced by ChatGPT. Less than 20% of applicants were shortlisted for consideration and ChatGPT was one of those few that made it to the owner’s desk.
The second example is far less sinister than the first, but highlights the potential for fraud and scams as it becomes increasingly easy for an AI to pass as a human. This only works if the AI can access personal data, which hugely increases not only the data’s value but also the risk of its misuse.
PREDICTION: A magic circle firm announcing a new AI service only to stand it down a few weeks later following a data protection concern.
Ransomware and law firm penalties
2022 saw the first significant ICO penalty for a law firm. The financial penalty was £98,000 or, more importantly, 3.1% of revenue – potentially crippling to some firms. Arguably of greater consequence was the subsequent reputational impact with clients and prospects.
It would be an easy and obvious prediction to say that ransomware attacks will become more frequent and more sophisticated, particularly as law firms have historically been easier targets than some of their clients, so instead I will predict the likely law firm activity. I predict a significant increase in spend and effort on information security and data protection measures, including greater use of external Security Operations Centres (SOCs) and increased adoption of associated certifications – not least due to the exponentially rising cost of liability and cyber insurance.
When you analyse the ICO’s stated reasons for the fine given to the law firm, they were almost all information security failings, including lack of patching, outdated software, no encryption and lack of multi-factor authentication, all of which led to an ultimate lack of data protection. This for me highlighted the clear link between two quite different disciplines, a link that often lacks appropriate communication and collaboration. Hindsight is of course a wonderful thing, but the law firm in question would almost certainly have avoided the fine and publicity if they had used cloud-based document management services, which brings me to my final prediction…
PREDICTION: A rush to outsource security by migrating core client data-based services, such as document management, to the cloud.
Three action points for law firms in 2023
1 Cloud – The debate as to the value proposition for moving to cloud is ongoing, but what has become clear over the last 12 months is that, as the cost of protecting data increases both in terms of expert resources and insurance, effectively outsourcing the significant technical part of keeping data safe to the cloud has become a no-brainer. There is no question that a reputable cloud-based DMS, along with the platform it sits on, can provide levels of security well beyond the means of most law firm IT budgets.
2 Certification – The new ICO-approved certification for both law firms and their suppliers is going to simplify compliance efforts, provide clarity and enhance client confidence.
3 AI – There is clearly huge scope for AI to bring efficiency and cost benefits to legal services, but as these benefits will require huge amounts of data, it is essential that law firms bake in the appropriate data protection from the get-go.
This blog post has been written by Tim Hyman, Data Protection Consultant, 2twenty4 Consulting