SRA Steal Your Data Today?: There are fears that SRA requirements are allowing third parties access to consumers’ data

January 22, 2020


What's going on here?

Sole practitioner George Gardiner from London firm Gardiner & Co. has challenged the Solicitors Regulation Authority (SRA) on its mandatory kitemark (“digital badge”) that all firms must display.

What does this mean?

In November 2018 the SRA announced that, to comply with its regulations, all firms must display the digital badge on their website. The badge, when clicked, takes site visitors to an SRA page which vouches that the firm is regulated by the SRA and that the visitor therefore has a degree of protection if the firm acts poorly and causes them financial loss. The SRA gave firms a deadline of 25th November 2019, with the warning that action may be taken if firms did not comply. Mr Gardiner has objected since 2018, stating that the badge breaches data protection law and has a total implementation cost of roughly £20m, a sum far higher than the roughly £65,000 SSL certificate solution he proposes.

What's the big picture effect?

Mr Gardiner’s challenge could be viewed as rather inconsequential: a £20m cost across all SRA-regulated firms (10,400) equates to roughly £2500 per firm, a negligible cost for most corporate law firms. However, the challenge Mr Gardiner has raised, and the complaint he filed with the Information Commissioner’s Office (ICO), could have far-reaching effects for firms. This is because the badge allows Yoshki, the company that runs the digital badge, to harvest data from visitors to the websites of firms displaying the badge. Mr Gardiner says this information can then be passed on to Google for the purposes of targeted advertising. Data protection laws require that users must be able to consent to the processing of their data, but the way in which the badge works means that the processing is immediate, and visitors cannot give their informed consent.

As the law also requires firms to conduct their own data protection impact assessments, and not simply “comply”, firms that have displayed the badge could be subject to penalties from the ICO, according to Mr Gardiner. The penalties the ICO is empowered to impose range from criminal prosecution and non-criminal enforcement through to monetary penalties. Mr Gardiner also alleges that the badge itself is easily “spoofable” and therefore roundly fails the SRA’s goal of providing certainty to the public of a firm’s standards.

In the wake of these challenges, the SRA announced on 14th November 2019 that Google Analytics would be turned off. The future of this digital badge is therefore in the ICO’s hands.

Report written by Hari Majumdar
