Office reception
23 November 2017

GDPR and the retaining of records for professional indemnity claims – a clash of interests?

GDPR and the retaining of records for professional indemnity claims – a clash of interests?
  • Share this:

At Gallagher we can see an interesting conflict arising when the new data protection reforms come into force in May next year. While the implications of GDPR for law firms are very broad, in this article, we will focus specifically on compliance with the reforms versus the need to have suitable records to defend negligence claims.

At present the GDPR offers no concrete guidance on how to deal with this issue other than “not to hold onto data for “longer than necessary”. Unfortunately the “necessary” threshold will depend on the information, associated legal requirements and other underlying facts; to say that it will be complex and potentially fluid is perhaps an understatement. We will also look at this interaction with other legislation.

Even before this new legislation a common question posed by many firms over the years was how long should you retain documents before it is reasonable to destroy them?. A good starting point was of course The Limitation Act 1980 and as a consequence most firms adopted the view that files should be kept for at least six years. From our experience (also evidenced in the widely available but specific lawyer’s claims triangulations) the vast majority of claims tend to arise within this six year time frame.

For lawyers operating in certain work areas there is a likelihood of claims brought under the longstop section of the Limitation Act 1980. Courts will of course consider the ‘date of loss’ and ‘date of knowledge’ in deciding when to start the clock ticking on limitation.

In some instances, firms took an indefinite retention view in respect of partnership agreements, company formation and trusts. Can this continue?

Regardless of how you choose to approach it, the sooner you begin the process the more time you will have to ensure you comply. The GDPR aims to ensure that data protection and privacy are no longer just an afterthought and are included in all of your systems and processes. Organisations need to show that they value an individual’s privacy, and reflect this in how they handle the data they collect.

The way data is transmitted has changed unrecognisably in the last two decades and an overhaul to existing legislation is well overdue. You need to be working to engage senior leaders in your organisation to ensure that changes are implemented across the board. Conducting a thorough review of your existing data collection and protection policies can be time consuming, which is why many organisations are choosing to outsource the task. There is technology available which can help you to meet the requirements around data deletion and portability, and where your budget allows, you should utilise this.

Download the Professional Indemnity GDPR.pdf

Print Page