
LegalScot An independent publication from www.canongate.org


We’re all data subjects now


Distributed with The Times Scotland 29 November 2017

Implications for eMarketing



Handling poor performance


‘It’s about trust’

GDPR enforcement extends beyond the fine – think serious brand damage, says Ken MacDonald

You might not think so, given the somewhat hysterical tone of much recent media coverage, but whilst the General Data Protection Regulation (GDPR) marks a step change in the importance of data protection, it also represents an evolution, rather than revolution, of the existing law. The new regime, which applies from 25 May 2018, builds on existing data protection legislation and many of the fundamentals remain the same. These include the following:

• Being transparent and fair about what personal data you are collecting and how you intend to use it;
• Ensuring it is accurate and up to date;
• Only processing personal data for specified purposes and not keeping it for longer than is necessary;
• Keeping it safe and secure;
• Respecting individuals’ rights.

So, what does this mean for the legal profession, and the particular data protection challenges it can face, such as the sensitive nature of much of the data lawyers handle, and the fact that paper documents are often carried out of the offices to courts, tribunals, and client meetings?

Processing personal data always carries its risks and it’s a fact that the legal sector faces some of the biggest risks of data breaches due to the nature of the information it processes and the type of work undertaken. Where sensitive information is involved, for example data relating to criminal convictions, family circumstances or medical conditions, the stakes will always be higher than in many other sectors. There are real life consequences for individuals if their personal data is not collected and used appropriately in accordance with data protection requirements. The volume and the often sensitive nature of the data that legal professionals will process are both risk factors in terms of GDPR compliance and the consequences of a breach.

How can these risks be minimised?

The answer is surprisingly simple and differs little from the current regime:

• Identifying risks and building in privacy and security to your systems, policies and processes;
• Strictly following the principle of data minimisation (don’t collect what you don’t need);
• Having robust retention policies in place;
• Managing data well.

A significant aspect of GDPR is putting onto a statutory footing much of the existing best practice and guidance from the Information Commissioner’s Office (ICO). GDPR, and the prospect of a strengthened enforcement regime, should bring an increased focus on the importance of data protection across all areas of the business. There will be a need to ensure that all staff are appropriately trained and that internal processes and policies reflect the changes, and that they work in practice. The legal profession already operates in a highly regulated environment and should be well placed to identify the gaps between what they are doing now and what they should be doing in future. Essentially, data protection should be a primary consideration at the start of your product development, processes and procedures, not an afterthought at the end.

In terms of data security, what are the risks for the profession, and what practical steps can organisations take to mitigate these?

Again, we have to recognise that GDPR represents a development that builds on current legal requirements, and not a leap into the dark. The Data Protection Act 1998 already requires organisations to take appropriate organisational and technical measures to keep data secure. Data security threats will not change overnight on 25 May 2018. What will change are the requirements to report security breaches to the ICO and to those affected, along with the strengthened enforcement regime. Following the Government’s review of cybersecurity regulation and incentives, the GDPR is viewed as a key lever to improve data security in the UK. The ICO’s guidance document Protecting Personal Data in Online Services: Learning from the Mistakes of Others* is a good place to start.

And what are the consequences for the legal profession and their clients if organisations don’t meet the requirements of the new regulation?

While much of the media and online coverage and discussion around GDPR has focused on the increased financial penalties available to the ICO, we feel this is missing the point. GDPR is essentially about trust. Failing to get data protection right will ultimately damage your brand reputation and your client relationships. The impact of ICO enforcement action extends beyond the economic impact of the fine itself – think about serious brand and reputational damage, not to mention the potential personal impact on the individuals concerned. This is probably more serious for the legal profession than almost any other – being found to be breaching the law would not only be embarrassing in the extreme, but also potentially damaging to reputation and trust on a significant scale.

Where organisations fail to take data protection seriously, and are not being accountable and transparent, the Information Commissioner, Elizabeth Denham, will have a wide range of sanctions available to her which will be used to change behaviours and protect consumers. In her recent series of GDPR myth-busting blogs**, the Information Commissioner explains that heavy fines for serious breaches reflect just how important personal data is in a 21st century world, but that we intend to use those powers proportionately and judiciously.

Information management – knowing what data you have, why you have it, where it is and who can access it – is key to compliance. Without appropriate attention to good information management, legal professionals are failing to mitigate risks and will be more exposed. For example, individuals will have strengthened rights to access the data organisations hold about them. Unlike the £10 charge you can make under the current Data Protection Act, subject access requests under the GDPR regime will be free of charge, the data will need to be provided within a month and the data may need to be provided in an electronic format.

Provisions relating to GDPR will be included in the Government’s recently announced Data Protection Bill, along with other measures relating to areas such as law enforcement and national security. Organisations need to remain focused on the fact that GDPR is coming next May, come what may. There is lots of material already available on our website*** and elsewhere about the changes to help organisations travel a long way down the road to compliance and the ICO’s Scotland office is here to help (scotland@ico.org.uk). There is no grace period. The legal profession, like all businesses, have had two years to get their houses in order.

Ken MacDonald is the ICO’s Head of Regions

* http://bit.ly/2fI7tA6
** https://iconewsblog.org.uk/tag/gdprmyths/
*** http://bit.ly/29lxF0U

Photo: European Commissioner Věra Jourová, who oversaw data protection reform

LegalScot

EDITOR: Will Peakin, 0131 561 7364, will@futurescot.com
DEPUTY EDITOR: Kevin O’Sullivan, 0131 561 7364, kevin@futurescot.com
ADVERTISING: Katrina Merrilees, 0141 465 7652, katrina.merrilees@canongate.org
PUBLISHER: Hamish Miller, 0131 561 7344, hamish@canongate.org
LEGALSCOT: Creative Exchange, 29 Constitution Street, Edinburgh, EH6 7BS, www.futurescot.com

LegalScot is an independent publication by Canongate Communications distributed in The Times Scotland. All rights reserved. Neither this publication or part of it may be stored, reproduced or transmitted, electronically, photocopied or recorded without prior permission of the Publisher. Futurescot is published and exclusively distributed in The Times Scotland. We verify information to the best of our ability but do not accept responsibility for any loss for reliance on any content published. If you wish to contact us please include your full name and address with a contact telephone number.


We’re all data subjects now

It is the time for individuals to exercise their rights

BY MATTHEW RICE

We’re all consumers for someone. Whether you are a chief executive with a LinkedIn account, a charity worker with a Twitter presence, or a lawyer subscribed to newsletters and conference websites, you are an individual that has signed up and agreed to the terms and conditions of a service. But when it comes to discussing data protection and the new law which is currently making its way through Parliament, most attention is paid from the perspective of data controllers (those that hold the data), and not as data subjects (those whose data is being held). We are all data subjects, with rights that we can exercise. It’s important not to lose sight of that.

The General Data Protection Regulation – and the UK Government’s Data Protection bill which brings it into UK law – intends to create more accountability, with less bureaucracy. One way towards achieving those goals is to empower individuals to exercise their rights. These rights give individuals the opportunity to change services, to restrict or refuse automated processing, and the right to be forgotten, among others. They have potential to redraw the accountability between an individual, and the public or private body that controls their data.

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services, provided the processing is based on the individual’s consent or the performance of a contract, and that it is carried out by automated means. For example, you would have the right to ask your energy provider, which processes the meter readings you submit to generate your bill, to provide those readings back to you in a format that can be transferred to another energy provider.

The right to erasure is also included in the new rights framework. While not as absolute as some would like to scaremonger, it is another important development. When personal data is no longer necessary in relation to the purpose for which it was originally collected or processed, an individual can request the erasure of that data.

A controller could refuse to comply with that request, but would have to come up with a good reason for doing so (for example, defending legal claims; or performing a legal obligation or a public interest task). If no good reason can be provided, then you have the right to have that personal data erased. Importantly, if the data controller had shared the personal data with other third parties, they have to go to those third parties and inform them about the erasure, unless it is impossible to do so.

Taking our energy provider example again: you’ve decided you are going to switch providers and get that better deal; you could also return to the old provider and ask for your personal data currently held to be erased as it is no longer necessary for them to process that data. That energy provider would have to inform third parties they shared your information with (say a smart meter provider) that your personal data is to be erased.

One right that will grow in importance in the future is the safeguard against the risk that a potentially damaging decision is taken without human intervention. Individuals have the right not to be subject to a decision when it is solely based on automated processing, and produces a legal effect or similarly significant effect on the individual. While this right has its carve outs too, ensuring processing is fair and transparent by providing meaningful information about the logic involved is an important step in holding back the tide of significant decisions rendered unaccountable on behalf of algorithms.

It is vitally important we start to understand how we can exercise our rights. The consumer group Which? published research this month showing that almost 1 in 5 consumers said they would not know how to claim redress following a data breach. Those statistics suggest a deficit in the public’s understanding of the rights that we have, and how to exercise them.

The Open Rights Group is working alongside Which? and others to place in law the power for not-for-profit bodies, such as Open Rights Group, to seek redress “independently of a data subject’s mandate”, if it considers the rights of data subjects have been breached. This optional power, not currently implemented in the proposed law, would improve the rights enforcement framework for everyone.

There are two outcomes for this new data protection law; one guaranteed, one potential. The guarantee is that the lawyer, the chief executive, and the charity worker will understand their responsibilities as data controllers. They have to, and there are enough trainings and seminars out there to remind them of that. The potential outcome is that we will all become data subjects capable of exercising our rights under this new framework. The work Open Rights Group plans to undertake will help the public reach that potential outcome.

Matthew Rice is Scotland Director of the Open Rights Group.

Processing personal data under GDPR

BY CAROLYN THURSTON SMITH

Data processing is only lawful if an organisation’s data controller has a legal basis for the particular processing activity taking place, so it may be lawful to use a particular set of data for one purpose but unlawful to use that same data in a different context another time. Article 6 of the GDPR sets out legal bases for processing of personal data and is key to understanding how the GDPR affects you and when you can – or can’t – use the same data for different purposes.

The possible legal bases for processing data are:

• Consent;
• Performance of a contract to which the data subject is party, or to take steps prior to entering into a contract at the request of the data subject;
• Compliance with a legal obligation which the controller is bound to comply with;
• Protection of the vital interests of the data subject or another natural person;
• Performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• Legitimate interests pursued by the controller or a third party.

For the last of these there is an exception where the interests in question are overridden by the interests or fundamental rights and freedoms of the person who is the ‘data subject’ which require protection of personal data, in particular if it is a child. This basis also has restrictions on its use in the public sector.

Where the basis for processing is a legal obligation, or a task carried out in the public interest, or exercise of official authority, then the parameters will be determined by EU law or domestic law of the relevant member state.

In some cases a controller may wish to use data they hold already for a different purpose from the one for which it was originally collected. This is permitted in certain circumstances. Where the controller seeks to rely on a basis other than consent, or on EU or Member State law, the controller has to consider whether this other purpose is compatible with the original purpose, taking into account the following factors:

• Any link between the original purpose and purposes of the intended further processing;
• The context in which the personal data was collected and relationship between the data subject and the data controller;
• The nature of the data;
• Possible consequences of further processing.

As a rough rule of thumb, if someone (the data subject) would be surprised by the different purpose then it is probably incompatible.

These rules apply to all types of organisation from law firms and other businesses to public authorities. A particular processing action may be lawful on the basis of more than one of the conditions for processing outlined above. The most important thing is to consider that whatever data processing you’re carrying out, you must have identified at least one legal basis to support that action before going ahead.

Carolyn Thurston Smith is a policy executive at the Law Society of Scotland.





eMarketing: the implications of privacy law reform

BY MARTIN SLOAN

With six months to go until the General Data Protection Regulation (GDPR) comes into force, many organisations would be forgiven for focusing solely on preparing for compliance. However, for those engaged in electronic marketing, GDPR is just one part of privacy law reform.

What does the law say at the moment?

Marketing by electronic means, such as email or SMS, is also governed by the Privacy and Electronic Communications Regulations (PECR), which sits alongside the Data Protection Act 1998. As with the 1998 Act, PECR is derived from an EU Directive. PECR supplements the 1998 Act with additional rules that govern when an organisation can send unsolicited marketing by electronic means. In short, unsolicited electronic marketing can only be sent where the recipient has given consent.

However, the law is not that straightforward. Where contact details are collected while selling goods or services to an individual, the organisation can send unsolicited marketing to that person about similar goods or services, provided that the communication gives the individual an opportunity to opt-out of future marketing (the “soft opt-in”). PECR also sets out rules on using cookies and other online tracking technologies for websites, mobile apps and emails.

The interaction between the rules on electronic marketing and data protection can be complex. For example, PECR does not generally regulate business-to-business electronic marketing, but sending such messages to a sole trader or English partnership is regulated by PECR. However, regardless of whether PECR applies, all electronic marketing sent to an individual (whether in a personal or professional context) is subject to underlying data protection law, including the right to object to direct marketing.

Will the rules on electronic marketing change?

In January 2017, the European Commission published proposals for the ePrivacy Regulation, which would replace the existing Directive and national implementing legislation such as PECR. While the ePrivacy Regulation is not expected to change the basic rules on electronic marketing (in particular, the soft opt-in is expected to remain), whether or not consent is valid will be based on the rules in GDPR. Under GDPR, consent must be “freely given, specific, informed and unambiguous,” and given by a statement or “clear affirmative action.” In particular, pre-ticked boxes, silence, and bundling consent up for multiple purposes (for example, “tick here to agree to our privacy policy”) will not be acceptable. GDPR does not provide for any “grandfathering” of existing consents.

The Commission originally planned for the ePrivacy Regulation to come into force on the same day as GDPR. However, with the text yet to be finalised, it is unlikely to come into force until late 2018 at the earliest. Potential amendments include the possible extension of the ePrivacy Regulation to all business-to-business communications.

What should I be doing to prepare?

While we do not have a finalised text for the ePrivacy Regulation, it is sensible to build the ePrivacy Regulation into any preparations for GDPR. It is important for organisations to understand:

• What electronic marketing they carry out – in particular, whether a message is a genuine service message or marketing;
• Whether this is based upon consent or the soft opt-in; and
• Where they are relying upon consent, whether it complies with the requirements under GDPR.

Organisations should also be reviewing their data capture forms and privacy statements. In many cases, organisations may be able to rely upon soft opt-in for electronic marketing, but that will not be the case where an individual has previously indicated that they do not wish to receive electronic marketing, or where contact details have been obtained other than at the point of sale or by another legal entity.

Where consents do need to be “repapered”, organisations will need to plan their strategy carefully. It is tempting to encourage everyone on your CRM system to sign up to electronic marketing, using GDPR compliant consent. However, sending such a message to someone that has not previously agreed to receive electronic marketing will breach PECR, as that email itself is marketing. The ICO has fined a number of organisations this year for sending such individuals what purports to be a service email asking them to update their contact details, but is actually marketing. While those organisations were trying to ensure that they had GDPR compliant consent in place for the new rules coming into force, they fell at the first hurdle.

The need to understand what marketing individuals have agreed to previously underscores the importance of good record keeping – something that becomes even more important under GDPR.

Martin Sloan is a partner in the Commercial Services Division at Brodies LLP, @lawyer_martin http://www.brodies.com/GDPR







When the job doesn’t work out

‘Protected conversations’ offer a way of parting company amicably

BY WILLIAM PEAKIN

It can be one of the most difficult challenges facing a firm’s management; letting go an employee who is not up to the role. But mishandling an issue of capability and performance can prove costly. This is likely to be more the case now that charges for bringing employment tribunal claims have been ruled unlawful. After the fees, of up to £1,200, were introduced in 2013, claims fell by 70%. But in a case brought by Unison last July, the Supreme Court ruled they were “inconsistent with access to justice” and it is expected the number of tribunal cases will rise.

For employers, dealing with underperforming employees is a test of their management expertise. Section 98 (2) (a) of the Employment Rights Act 1996 sets out potentially fair reasons for dismissal including where they “relate to the capability or qualifications of the employee for performing work of the kind which he was employed…to do”.

“Employers can be wary of dealing with poorly performing employees under a capability procedure,” said John Grant, senior associate at Wright, Johnston & Mackenzie LLP. The purpose of the capability procedure is to allow an employer to deal with any concerns it may have about the performance of its employees. An employer is entitled to manage performance, providing it does so for a genuine reason. But, said Grant, “wariness can make the situation worse”.

WJM has provided a special focus for clients on employment law training this year, through a series of events covering data protection, discrimination, and capability and performance. Grant said that the capability procedure, which should be non-contractual and “ideally part of a staff handbook”, should cover a range of issues. These include:

• Identifying the issues
• Ensuring confidentiality
• Arrangements for hearing
• Procedure for hearing
• Number of hearings
• Appeal against outcome

“An informal procedure should be used first and the initial meeting is crucial,” said Grant. “Everyone should be clear as to expectations and you should allow witnesses to be called. The cause of the poor performance should be established and what can be done to assist should be identified, with timescales set for improvement.” He added: “Ideally you should agree the review period and further meetings may be required. Rights of appeal should be given at each stage and final written warnings used.”

The use of so-called ‘protected conversations’ should be considered. “Protected conversations can be well-suited to capability situations,” said Grant. Held correctly, the content of the conversation cannot be referred to by either party in any subsequent employment tribunal claim. But legal advice is best sought to be sure of the parameters and identify any potential pitfalls. “Hardly a month goes by without the report of a legal challenge being brought, the outcome of which could have far reaching consequences for employers and employees alike,” he said. “The earlier you seek expert advice, more often than not, the better the outcome will be.”

Following the successful completion of a protected conversation, a settlement agreement can follow. “Settlement agreements are now an established part of HR practice,” said Grant. “They have to be carefully worded to suit the circumstances of each individual case and will generally follow from a successful protected conversation.

“But they can allow a dignified exit for an employee in difficult circumstances and provide the employer with the certainty that the employee cannot bring an employment tribunal claim.”







Scottish firms meeting their match

Clients continue to look for expertise that extends further afield

BY MICHAEL PERKIN

Companies in Scotland have continued to grow, both domestically and internationally. As such, they are seeking the kind of legal representation that can match these requirements. Research for Chambers UK 2017, which involved interviews with thousands of clients across Scotland and the wider United Kingdom, revealed that clients are continuing to look for business advice and expertise that extends across the border and further afield.

As such, law firms have continued to look for growth opportunities, although the trend for merger activity looks to have calmed of late. That is not to say that the appetite for merging is not there. Following a busy period, a number of Scottish firms remain on the lookout for consolidation opportunities. The feeling that the legal market in Scotland is becoming saturated is one that is growing. Mergers, therefore, become an attractive proposition. Talks have stalled for various reasons, however, and it remains to be seen when the next significant move will be made. With English volume-driven business models remaining keen to expand, the Scottish market will remain a significant option.

So, the feeling within the market is one of cautious optimism. Law firms across Scotland are reporting numbers on the rise in terms of both revenue and personnel. But caution remains the key with high profile administrations, such as the recent collapse of McClure Naismith, still very much fresh in the mind.

As a market that many think is already overcrowded keeps on growing, the sense of optimism is countered by predictions of further merger activity, or worse, fears of more significant insolvencies for established local firms. In the immediate term, the market looks comparatively stable when compared with the rush of merger, consolidation and administration activity this time last year.

In keeping, then, with the theme of expansion further afield, another key topic of discussion going forward will be the fallout from the EU referendum. Just as questions were asked in Scotland about its position in the UK, the debate has been reignited as Scotland now considers its place in Europe, with Britain’s preparations for exit beginning in earnest. Once again, law firms and their clients will be considering the extent to which they must balance their interest in growing their international capabilities with the desire in Scotland for greater independence while maintaining a presence in Europe.

Michael Perkin is editor of Chambers UK. The full Chambers UK 2017 rankings and editorial commentary can be found at www.chambersandpartners.com





Positioning your brand

In the final part of our directories guide we focus on maximising the impact of results

BY WILLIAM PEAKIN

Having poured many hundreds of hours into preparing submissions, marshalling referees and meeting directory researchers, there may be an understandable tendency within law firms to sit back, relax and await publication. But precisely because directory rankings can mean so much to firms’ fortunes, maximising the impact of new positions is key.

Know the publication date as far in advance as possible; the precise date can vary slightly, but for Chambers and Partners is early November and for The Legal 500 late September/early October. It is important to prepare well in advance; consider where you ranked in last year’s results and be in a position to quickly compare. Communicating gains and losses through the firm, and asking for feedback on possible reasons for any changes, is valuable in developing practice strategy. Understanding where you sit against competitors and communicating gains externally is vital in building a brand.

Knowing the key dates for submissions and publication is equally important in having the best chance of your company’s merits being properly assessed, and in planning how you can maximise your rankings when they are published. Submission deadline dates can be found on the Chambers website (https://www.chambersandpartners.com/launch-dates).

In marketing your rankings, consultant and former Chambers editor Lloyd Pearson recommends developing clear summaries and analysis of directory performance, and creating a dedicated directories intranet page. Compare with last year’s results – communicate gains and losses internally – and ask for feedback on areas lost. Look at where you sit against your competitors and think about how to use your rankings as a marketing tool. Position positive quotes strategically in future projects and pitches; they provide third party validation in an industry in which it is often challenging to differentiate.

“Evidence suggests that directories are often used to generate a shortlist,” he said, “to narrow down a long list to a shortlist, to validate an existing selection, to reassure a previous choice, or to act as a ‘tie breaker’ in the event that it’s hard to differentiate between two competing firms, when clients are deciding which law firm to instruct in unfamiliar jurisdictions.”

A partner’s perspective

ANNE KENTISH Partner, Clyde & Co

After the submission and interview cycles, the launch of results is eagerly awaited. The rankings allow firms to understand the value of applying to directories. Directory rankings are often used to instruct law firms and individual experts for work in unfamiliar jurisdictions. Being placed within the top bands can support you toward being shortlisted for new client work. This also applies to retaining current client relationships and therefore should not be overlooked within your wider marketing development plans.

It also gives firms an understanding and appreciation of where they sit against their competitors in each practice area, working out what differentiates themselves from others and areas to work upon. Directories are a clever way of measuring your progress and assessing them against how the leaders in the field are performing. Be proactive - if there is an area where your ranking position was not expected, reach out to the publications. They may be able to identify the areas to develop for next year.

Anne handles a number of complex claims on behalf of the Law Society of Scotland Master Policy insurers as well as for other legal professionals and their insurers and has also represented construction professionals, accountants, financial advisers and educational institutions.
