The Expert Witness Institute Annual General Meeting 2018

The EWI invites you to join us for our Annual General Meeting taking place at the Grange Holborn Hotel on Tuesday 5 June.

The Grange Holborn, 50-56 Southampton Row

 London, WC1B 4AR

6.15pm - 6.30pm: AGM (EWI members only)
6.30pm - 7.00pm: Drinks Reception
7.00pm - 7.45pm: The State of Independence: The EWI’s 20th Anniversary Research Project (Part 1) A keynote address by Professor Penny Cooper
8.00pm - 10.00pm: Dinner
Special guest, James Badenoch QC as our after-dinner speaker

AGM: EWI members only: FOC
--------------------------------------------------------------------------------
Reception and lecture: EWI member: £15 / Non-member: £25
-------------------------------------------------------------------------------------------------------
Reception, lecture and dinner: EWI member: £75 / Non-member: £95

Click here to download a booking form

Notes: All members and provisional members of the Institute are entitled to attend the meeting but only members duly registered and who have paid subscriptions and all other sums currently due to the Institute may vote. Founding Sponsors, professional bodies and associations and corporate members may appoint representatives to attend the meeting on their behalf but only those bodies who are registered as members may authorise their representative to vote on their behalf.

Please note the Sir Michael Davies lecture will be held at a later date during the year. Further information will be sent out nearer the time.

Is the onus for GDPR compliance on the Expert or the Instructing Lawyer? Find out here

When the General Data Protection Regulation (GDPR) and Data Protection Act 2018 come into force on 25th May 2018 they will place a burden on businesses, including sole traders, to show compliance, they will make it harder to rely on consent alone as a ground for justifying the processing of personal data, they will increase the rights of individuals whose data is processed to gain access to that data, and they will (of course) increase the penalties for breach.

Your firm will, undoubtedly be, a Data Controller for some, and perhaps all, of the data processing it carries out. Your firm will be a Data Controller if it determines the purpose for and means by which data is processed. It may also be a Data Processor for data which is processed under the direction of another firm or individual. A Data Processor is someone or a firm that manages, stores, modifies or analyses personal data, on behalf of a Data Controller.

An expert witness is likely to be both a Data Controller, for some data, and a Data Processor, for other data. You should ensure that they clarify this with their Instructing Solicitor when they agree to act as an expert witness.

The GDPR requires both Data Controllers and Data Processors to ensure to ensure that compliance procedures have been put in place. In particular, they should ensure any third party with whom data is shared is GDPR compliant and that all employees are aware of GDPR.

Data Controllers and Data Processors need to consider if they must appoint a Data Protection Officer (DPO). This is an individual responsible for ensuring your firm has GDPR-compliant systems. You may not have to appoint a DPO. If you do not have to you should consider appointing someone in your firm to take charge of data protection in your firm. That person could then also help ensure – if you are a Data Controller – that your firm pays the Data Protection Fee, which replaces the Data Registration Fee, to the Information Commissioner. They should also ensure your firm has good data protection procedures in place including data security and staff training, ensure that any “Subject Access Requests” are handled properly and that reports to the Information Commissioner’s Office concerning any breach of security which is likely to result in a risk to the rights and freedoms of individuals is reported within the 72 hour reporting deadline.

Whoever you appoint to be in charge of GDPR compliance must determine what information the firm holds. Apart from written records, other significant categories could include your database of present and former customers, staff HR records, financial records and any marketing database.

They must also assess the risk attached to the information that you hold. Risks will usually include the possibility of a breach of security, improper processing, for example using details from marketing without explicit consent or failing to delete personal data when you no longer have any reason for continuing to hold it. Another risk is failing to use appropriate Privacy Notices or otherwise explain what you are doing with the personal data that you hold.

You must now take action to ensure compliance and this will include training staff. You must check that your cyber security is sound and that backups are made of electronic files and anti-virus protection is up to date. If you take data out of the office then any laptop should be encrypted and suitable passwords chosen. You must check that any third parties or suppliers with which you are dealing are also GDPR compliant. You should also ensure that any WiFi you use is not likely to compromise your cyber security.

Any employment documentation you hold on your staff must be proportionate. You may have used employee consent to process their data under the Data Protection Act 1998. It is highly unlikely that you will be able to do so under the GDPR. This is because to rely on consent there must be no imbalance of power between the party being asked to give consent and the party asking for it. It is unlikely that this will be the case in an employer-employee relationship. Consent can also always be withdrawn. There will normally be other justification for your processing employees’ personal data. You should ensure you update your records to ensure that the lawful basis on which you process such data is GDPR compliant.

In most cases, being open and frank with what you are going to use the personal data for is a requirement of GDPR and this is normally carried out by providing a Privacy Notice. The starting point of a Privacy Notice should be to tell people who you are, what you are going to do with their information and who it will be shared with.

In brief, you have to show that you comply with the data protection principles i.e. that personal data is processed lawfully, fairly and in a transparent manner. Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with that purpose, for example being sold on to data mining companies. The collection of personal data must be adequate, relevant and limited to what is necessary, be accurate and kept up to date. It must not be kept for any longer than is necessary and it must be kept secure. The GDPR also requires you to be able to demonstrate that you have complied with these requirements. You should therefore have adequate data processing records.

Further extra care must be taken with what used to be called sensitive personal data and is now to be known as “Special Categories of Personal Data” i.e. someone’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life, sexual orientation, genetic data and biometric data. To keep this personal data you will need the explicit consent of the data subject and show that the holding of such data is necessary to protect the vital interests of the data subject. Where employees are concerned you can hold this data if it is necessary for you to carry out obligations arising under their employment contract. As with data processing general consent it is highly doubtful that it can be relied on as a basis for processing this type of personal data.

This guidance note is not intended to give legal advice and should not be relied on as such. If you require any further information or guidance you should contact your solicitor.

Further details on getting ready for the GDPR can be found on the Information Commissioner’s website at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/