GDPR and Professional Indemnity Insurance


Just when you thought you were getting your head around GDPR, along comes another awkward conundrum. Here is the question:

If I comply with the new rules and delete files containing personal client data, will I invalidate my professional indemnity cover? 

In this guide, we do our best to untangle the issues and give you some clear guidance. 

We recommend this guide is circulated to all Partners, Directors and Senior Managers for risk management purposes (and CPD, if applicable).

Is best practice becoming illegal practice?

Professional services firms need to hold large quantities of sensitive personal data within their client records. Accurate record-keeping and file retention are a vital part of good business practice and risk management: they allow a firm to defend itself against claims of professional negligence and to present itself as low-risk when obtaining and renewing Professional Indemnity Insurance.

However, the GDPR would appear to call this best practice into question.

Between a rock and a hard place

The GDPR makes it clear that a business has no general right to hold and process personal data relating to its clients: every processing activity needs a lawful basis under Article 6. What is more, Article 17 gives individuals a right to erasure, so if a client demands that the business remove their data from its files, it would appear at first sight that the business must do as asked.

However, if the business complies with this request and the client subsequently makes a claim against it for professional negligence, mounting a robust defence becomes much harder. If the files have been deleted the business has no evidence with which to counter the client's version of events, which makes it easy for the client to "get creative".

Most, if not all, professional indemnity policies make it a condition of cover that the insured party keep detailed records, so that the business and the insurer can build a strong defence on solid documentary evidence. Even where this condition is not made explicit in the small print, the insurer may argue that the conduct of the business has prejudiced a successful defence and decline to cover the costs and damages.

So, a business that deletes files containing personal information makes it easier for clients to sue it successfully for negligence, and increases the likelihood of its insurer refusing the claim.

Here is your dilemma. Do you continue to maintain proper records, but risk a fine from the UK's Information Commissioner's Office (ICO)? Or do you delete existing files and cease to keep detailed records of work done for clients, leaving yourself wide open to claims for professional negligence while possibly voiding your professional indemnity cover (or, at the very least, making cover harder and more expensive to obtain going forward)?

Now for the good news

The GDPR is written in such a way that a business may, under certain circumstances, keep personal details and client files. Precisely because you need to keep proper and detailed records (for the reasons outlined above), the GDPR itself provides lawful justification for retaining personal client data. Two provisions matter here. First, the right to erasure is not absolute: Article 17(3)(e) says it does not apply where processing is necessary for the establishment, exercise or defence of legal claims. Second, the retention must rest on one of the lawful bases set out in Article 6(1); the relevant ones are the following:

Article 6(1)(b) (Performance of a contract)

This basis allows a business to process personal data where the processing is necessary for the performance of a contract to which the client is a party (or to take steps at the client's request before entering into one). The fact that there is a contract gives you a lawful right to process the client's data for as long as the data is needed to perform it. Note that the test is necessity, not convenience, so this basis is at its strongest while the engagement is live; for records kept after the work is finished, the legitimate interests basis below is usually the firmer footing.

Article 6(1)(e) (Task carried out in the public interest)

Under this basis a business could argue that it is in the public interest for the company to meet its responsibilities if a client makes a claim for professional negligence: if the business could not remedy the financial consequences of bad advice or poor service delivery because its professional indemnity insurance was void, that would be harmful to society as a whole. Be aware, however, that the ICO's guidance is that the underlying task must have a clear basis in law, and that this basis is most relevant to public authorities and to firms exercising statutory functions. An ordinary commercial firm should not treat it as its only justification for retaining files.

Article 6(1)(f) (Legitimate interests)

Under this basis the firm has a legitimate interest in holding and processing personal client data because it is entitled to defend itself against claims for professional negligence and requires the data in order to assess and defend any such claim. This is the basis most firms will actually rely on. It requires a balancing exercise (is the interest legitimate, is the processing necessary to pursue it, and is it outweighed by the client's own interests and rights?), which you should record, and it is subject to the client's right to object under Article 21. That right, too, gives way where the processing is needed for the establishment, exercise or defence of legal claims.

Get some good advice

Provided you take a judicious approach to processing and storing personal data, bearing in mind the GDPR rules, you shouldn't have any problems. In practice that means deciding and documenting the lawful basis you rely on, telling clients in your privacy notice that records are retained in order to defend claims, and setting a defined retention period: the storage limitation principle in Article 5(1)(e) allows data to be kept only for as long as necessary, so tie the period to the time within which a claim could realistically be brought rather than keeping files indefinitely. Bear in mind, too, that EU rules can change and may look very different in a year or two, but once records are deleted you cannot get them back.

So, this remains something of a grey area, and it remains to be seen how the relevant authorities will respond when a client asks for their personal details to be deleted and a business refuses. If you do refuse, Article 12 requires you to tell the client, without delay and at the latest within one month, why you are not acting on the request and that they may complain to the ICO; a documented reason tied to one of the bases above is far easier to defend than a bare refusal.

If you are unsure about any of these issues and would like further advice, do not hesitate to get in touch with us – our experts will be very happy to assist. 


This guidance note is intended for information purposes only. It is not and does not purport to be legal advice or specific insurance advice. Whilst all care has been taken to ensure the accuracy of the guidance note it is not to be regarded as a substitute for specific advice. If you require specific advice, call us on 0345 251 4000. This guidance note shall not be reproduced in any form without our prior permission. © All copyright is owned by Professional Indemnity Insurance Brokers Ltd.