P2P

Fall22

Peer to Peer: ILTA's Quarterly Magazine

Issue link: https://epubs.iltanet.org/i/1480787


itself vulnerable to attack. The point to note is that this negligence included breaching Article 5(1)(e) of the UK's Data Protection Act 2018, which requires personal data to be kept in a form that permits the identification of data subjects "for no longer than is necessary for the purposes for which the personal data is processed." In other words, Tuckers had hung on to this data for too long. The ICO felt the breach was sufficiently serious to warrant enforcement action, and the firm was fined 3.2% of its gross annual income.

Privacy legislation

As you know, the UK Data Protection Act – the UK's version of the EU's General Data Protection Regulation (GDPR) – is only one of many newish pieces of legislation created to safeguard the privacy of personal data (often called PII for Personally Identifiable Information). Canada has its Anti-Spam Legislation (CASL). In lieu of federal regulation, the US is set to have an increasingly complicated maze of state legislation. As of July 2022, California, Colorado, Utah, Virginia and Connecticut had already signed state data privacy legislation into law and a further five north-eastern states had draft legislation in committee. [2]

In respect of data retention and disposition, law firms will almost always hold some PII data, including dates of birth, addresses, social security numbers and banking information, in anything from property deeds to due diligence on directors done in the commission of M&A work.

The net result is that this new legislation is driving firms in both Europe and North America to recognize they need to have policies and processes in place, or they run the risk of non-compliance and fines – for holding data they shouldn't, for holding data too long, and for failing to respond quickly enough to data subject access requests.

Nor are data privacy regulations the only type of compliance that firms can fall foul of. In the US, the Sarbanes-Oxley Act 2002 (SOX or Sarbox) covers financial reporting, but also record keeping. This asks organizations to retain financial information for set periods of time and in some cases indefinitely. SOX has sensitized corporate America at board level to the importance of data retention and disposition.

A final motivation for getting to grips with data retention and disposition is simply that there's a cost to spending too long searching for information because you have so much to wade through. There's also a cost to recreating documents that can't be found. And in some circumstances, there may well be fines if things are never found or not found quickly enough, as Cushman & Wakefield plc, a real estate services firm in Chicago, has discovered. In July 2022 Cushman & Wakefield was held in contempt of court for failing to comply with subpoenas to produce documents relating to an investigation by the New York State attorney-general into the financial practices of longtime client Donald Trump and the Trump
