You’re Probably a Data Controller: Read Me

In discussions with various professionals, I have been surprised with the number of people who immediately switch off at the mention of data protection. Well, perhaps not surprised, but troubled. That observation has led me to this article.

The purpose of this short article is not to offer any advice or explanation on the current or future regimes. It is to let those people who perhaps don’t know there IS a regime, that there is one.

Solicitor? Legal Executive? Paralegal? Lawyer? Chances are you will need to know about forthcoming data protection law changes.

Unless you are of a particular persuasion (I am thinking of my chancery colleagues who get a thrill from dusty books hundreds of years old) you are unlikely to find data protection interesting. It is, however, incredibly important. It is simply too dangerous to plead ignorance- you MUST be aware.

The current EU data protection regime is based on the Data Protection Directive (95/46/EC) from 1995.

Look in your briefcase. Smartphone almost certainly. Tile? Perhaps. Fitbit, maybe. There might also be an iPad, perhaps a laptop. Possibly a kindle, and a pair of wireless headphones. This is advanced technology that was not around in 1995.

The ways we communicate as professionals have changed. The manner in which information is shared is completely different. 1995 – letter by post. 2017 –email. Probably attaching a document stored in the cloud.

Countries throughout the EU have had different approaches for many years, meaning that you could be legislation compliant in one country, and falling foul of the law in another.

“Why should this bother me John? All my clients are in England.”

Have you ever had to email a client whilst they were on holiday, perhaps attaching a document you have prepared for urgent approval? Yes, I thought so… you are potentially controlling and sending confidential information across two countries.

The powers that be have created a new, uniform data protection law: Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, shortened to the General Data Protection Regulation.

You will see/ read about/ hear people referring to the “GDPR”. This comes into force in May 2018.


It remains to be seen exactly how Brexit will effect GDPR. If any country wants to share data with the EU, it must have “adequate” measures in place. GDPR is adequate. So be aware.

Further reading

As I mentioned earlier, this is not an article explaining the GDPR, but a red flag to tell you it exists. Should you want to read more ( and I recommend that you do!) the Information Commissioner’s Office is an excellent place to start: