In relation to the drafting of new data protection policies, we would previously typically have been instructed to develop and deliver a full suite of new policies for a financial institution in collaboration with their various in-house teams, whereby they would provide us with information and we would do almost all of the drafting work.
This has now changed.
Recently we have instead developed and delivered specific key skeletal documents for our financial institution clients and we have then handed these over to their in-house teams to help them manage their legal spend.
In the pre-Covid-19 world, we would not have imagined our clients facing quite the same financial constraints when instructing a law firms as they do now, but then again they probably would not have had the same time or attention to attend to this specialist area.
Aside from our work on drafting data protection policies for organisations, we also receive instructions to dispense urgent legal advice and practical guidance when there has been a data breach.
Data breaches
We have found that organisations are willing to act quickly and decisively when they detect a data breach and we have seen no sign of organisations taking their responsibilities less seriously during the Covid-19 pandemic.
Urgent legal advice is important since any notifiable event triggers a 72-hour window to notify the relevant supervisory authorities and the clock does not stop ticking during the weekend.
One of the first things we analyse as lawyers is the question of which supervisory authorities need to be notified in a particular event.
For organisations headquartered in the UK or the EU (or EEA) there is typically only one supervisory authority to notify of a breach in one language (the notification for UK organisations is to the ICO and it is made in English).
For international clients, depending on their corporate structure, there can be numerous time-zones and multiple languages to navigate quickly to ensure that notifications are lodged appropriately to all relevant supervisory authorities.
We need to be able to co-ordinate and co-operate closely with our clients and to receive instructions quickly in these circumstances.
As people have been working from home during lockdown, clients can easily make themselves available to us around the clock, when their office is at home.
Data breaches of any significance typically involve a lot of focused and skilled legal work.
The technical circumstances of a data breach can be technologically sophisticated.
The finer details of data protection legislation are often misunderstood (even by clients who have received substantial training), and the co-ordination effort of organising notifications potentially in different countries and in different languages across the EU can be logistically demanding.