Presenter: Neil Partridge - PDA Legal

Transcript of Presenter: Neil Partridge - PDA Legal

Page 1: Presenter: Neil Partridge - PDA Legal

Masterclass: Supporting regulatory compliance through the Lexcel framework

For legal practices and in-house departments Developed and Authored by PDA Legal

Presenter: Neil Partridge

LinkedIn: https://uk.linkedin.com/in/neilpartridge

Email: [email protected]

Telephone: +44 (0) 1372 879343

Page 2: Presenter: Neil Partridge - PDA Legal

PDA Legal is a trading name of PDA Projects Ltd, Maple House, Manor Green Road, Epsom, Surrey KT19 8RN Registered in England no. 6813329 VAT reg: 945459780

2. Schedule for today

Approximate timing

• 9:45 – 10:00 Welcome and Introduction

• 10:00 – 10:40 Session segment 1: Lexcel update

• 10:40 – 11:15 Session segment 2: Data Protection controls

• 11:15 – 11:35 Comfort break

• 11:35 – 12:05 Session segment 3: Application of SRA ‘StaRs’

• 12:05 – 12:15 Session segment 4: AML and financial crime

• 12:15 – 12:30 Session segment 5: Q&A, final remarks and close

Page 3: Presenter: Neil Partridge - PDA Legal

3. Outcomes from today’s session

Learning points to take back to your practice or department:

• Identification of the relationships between new regulations and their (close) links to the Lexcel Standard. (‘A measure of reassurance’.)

• Gathering evidence that will support dealing with enquiries from the SRA and other regulators (to demonstrate compliance).

• Achieving a healthy position to proactively measure compliance with essentials, such as the GDPR and AML 2017.

• Operate in an environment that promotes a cohesive and collaborative approach to risk management, client care and strategic growth.

• Enjoy a meshed net approach to identifying, monitoring, mitigating and managing risk.

Page 4: Presenter: Neil Partridge - PDA Legal

4. About the presenter

Neil Partridge: Operations Director, PDA Legal and Lexcel assessor

• >500 visits to legal sector organisations.

• Conducted the training for all Lexcel assessors on the new version of Lexcel.

• Speaker at Law Society 2018 and 2019 Annual Conferences.

• Presenter of Law Society webinars on risk, data protection and Lexcel v6.1.

• Author of articles on data protection, cyber security and Lexcel for the Law Society.

Page 5: Presenter: Neil Partridge - PDA Legal

5. About the presenter

• Founded in 1998, by one of the first Lexcel assessors.

• Independent of assessment units and the Law Society.

• Conducted more than 2000 legal sector visits.

• Consulting and training on GDPR, cyber security, AML, risk and Lexcel.

• File review services and compliance trend analysis.

• Information management/security audits.

• Preparation of registers, plans, policies and procedures.

Further information about our work can be found at our website: www.pda-legal.co.uk

Page 6: Presenter: Neil Partridge - PDA Legal

6. New regulations in recent times

Pressure points:

• The General Data Protection Regulation 2016 and Data Protection Act 2018

• The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017

• The Criminal Finances Act 2017; and

• The European Union Financial Sanctions (Amendment of Information Provisions) Regulations 2017

• SRA 2019 Code of Conduct; Standards and Regulations (‘StaRs’)

Page 7: Presenter: Neil Partridge - PDA Legal

7. Lexcel Masterclass

Session segment 1 Lexcel update

Page 8: Presenter: Neil Partridge - PDA Legal

8. Lexcel Masterclass

Lexcel update and hot-topics

• 1.3: Business continuity plan; ‘contagion’ and ‘IT Failure’

• 3.1a: The appointment of a data protection leader*

• 3.1b: Register of personal data processed by the firm*

• 3.1c: Handling Subject Access Requests*

• 3.1f: Data Protection Impact Assessments (data protection by design and default)*

• 3.2h: Register of ALL software used by the firm

• 3.4: Website management policy (esp. Cookies!)

• 3.7: Out of date references to other regulations

• 3.7: Updating to reflect SRA STaRs 2019 (also in 6.2)*

Page 9: Presenter: Neil Partridge - PDA Legal

9. Lexcel Masterclass

Lexcel update and hot-topics (continued)

Lexcel includes:

3.7: ‘… a register of each plan, policy and procedure that is contained in the Lexcel Standard …’

Glossary, page 5 of Lexcel Standard [brochure] for Legal Practices v6.1:

‘…A ‘procedure’ is a written description of how an activity will occur within the practice. A procedure describes the steps that personnel are required to follow in order to complete an activity.

At an assessment, a procedure can only be said to be complied with if the assessor can observe that the procedure contained in the practice’s documentation is in effective operation…’

And, one person (only): “All procedures must have a named person who is responsible for the procedure.”

Page 10: Presenter: Neil Partridge - PDA Legal

10. Lexcel Masterclass

Lexcel update and hot-topics (continued)

The 2019 SRA Standards and Regulations require:

SRA StaR 2.1: “You have effective governance structures, arrangements, systems and controls in place that ensure: (a) you comply with all the SRA's regulatory arrangements, as well as with other regulatory and legislative requirements, which apply to you;…”

SRA StaR 2.2: “You keep and maintain records to demonstrate compliance…”

SRA StaR 3.1: “You keep up to date with and follow the law and regulation governing the way you work.”

Page 11: Presenter: Neil Partridge - PDA Legal

11. Lexcel Masterclass

Lexcel update and hot-topics (continued)

• Significant changes to recent regulation; changes to procedures.

• Reliance on outdated or templated procedures is leaving gaping holes.

• The infamous phrase: ‘…we have procedures for…’:

• (3.2e) secure configuration of network devices,

• (3.2f) management of user accounts,

• (3.2j) [policy for] training for personnel on information security,

• Interviewed staff voice different ‘perspectives’ on the [unwritten] ‘procedures’.

• Write down what you’re doing.

• Train staff on the requirements.

Page 12: Presenter: Neil Partridge - PDA Legal

12. Lexcel Masterclass

Lexcel update and hot-topics (continued)

• 5.1a: Compliance plans

• 5.1b: Risk registers

• 5.8b: Training on conflict of interest

• 5.11c: Complete records of file reviews

• 5.11f: Records of file review trend analysis

• 5.13a&h: AML controls and reviews*

• 5.18i: Risk data analysis; personal data

• 6.1c: Client care policy, prospective clients and new Data Subjects

• 7.5d/e: Up-to-date records of experts and counsel

Page 13: Presenter: Neil Partridge - PDA Legal

13. Lexcel Masterclass

Session segment 2 Data protection controls

Page 14: Presenter: Neil Partridge - PDA Legal

14. Session segment 2: Data protection controls

The myth:

“Our only significant risks are money laundering, losing a public funding contract or a claim for professional negligence; everything else is tick-boxing; right?”

Director of a legal practice

The reality; how would you be able to answer this question?

“If there was a breach or concern about a potential breach in my practice, how would I go about evidencing my position in the face of queries from the ICO, the SRA and my insurer?”

Page 15: Presenter: Neil Partridge - PDA Legal

Question

Where data protection planning is concerned, where might there be touchpoints with other parts of the Lexcel Standard?

15. Session segment 2: Data protection controls

Page 16: Presenter: Neil Partridge - PDA Legal

Answer: Data protection touchpoints with the Lexcel Standard

• Section 1: Strategic planning and business continuity.

• Section 2: Financial controls.

• Section 3: Email, internet usage, social media.

• Section 4: Equality & Diversity, learning & development, role profiles, recruitment and progression, inductions, cessation of employment, performance management & whistleblowing.

• Section 5: Compliance plan, risk register, outsourcing, generic risks.

• Section 6: Client care, initial information to the client.

• Section 7: Use of counsel and experts, file closure/ conflict checks.

16. Session segment 2: Data protection controls

Page 17: Presenter: Neil Partridge - PDA Legal

Important points to keep in mind

• GDPR is ‘principles’ and ‘outcomes’ based.

• One size does not fit all; beware of templates.

• An ‘IT solution’ is not the solution.

• Organise your GDPR controls on an individual basis.

• Far in excess of 90% of personal data is held electronically.

• Staff are most likely the source of breaches, but also the first defence.

• The vast majority of data breaches are as a result of human error.

17. Session segment 2: Data protection controls

Page 18: Presenter: Neil Partridge - PDA Legal

Lexcel 3.1a

Documented requirements of a Data Protection Officer (‘DPO’) but still expected of any Data Protection Lead/Manager:

• Ensure and monitor compliance with GDPR.

• Provide advice and guidance to colleagues.

• Training and awareness raising.

• Conduct audits.

• Provide advice around Data Privacy Impact Assessments.

• Co-operate with the ICO (or relevant Supervisory Authority).

• Must not be conflicted with other roles [in the firm]. (Article 38(6)).

• Keep your information up to date; client care letters and website.

18. Session segment 2: Data protection controls

Page 19: Presenter: Neil Partridge - PDA Legal

19. Session segment 2: Data protection controls

3.1b: ‘…keeping appropriate records of processing activities and additionally, the lawful basis for processing categories of data,…’

• Mapping incomplete in almost 100% of Practices/Departments.

• 29: The average number of hours Practices spend mapping their data.

• Incomplete mapping;

• is contrary to SRA StaRs, Lexcel and Article 30 of the GDPR, and;

• hampers dealing with/mitigation of breaches, and,

• hampers dealing with Data Subject Access Request responses.

• Justification for retention not checked or correct.

• ‘Stashes’ of personal data in staff notebooks not recorded.

Page 20: Presenter: Neil Partridge - PDA Legal

How much data does a ‘small high street’ Practice process?

20. Session segment 2: Data protection controls

Page 21: Presenter: Neil Partridge - PDA Legal

An effective Article 30 record will include the following for each type of data (Along the X Axis)

• An identifier/unique reference/name

• A description of the data

• Why it is being processed

• The legal basis for processing the data

• Is it ‘sensitive’ (Article 9)?

• The date collected and created

• Where and how the data is held (including locally and globally)

• The format (e.g. word document, notebook, emails, CMS entry, diary.)

• The volume of the data

• The frequency it is to be updated

• The date it was last modified

• The status of the data and risk level

• The author

• The users’ rights (view, copy, redistribute)

• Internal and external sharing permissions

• Retention period

• Destruction date, and

• Date disposed

21. Session segment 2: Data protection controls

Page 22: Presenter: Neil Partridge - PDA Legal

Be clear as to why you are processing and on what legal basis (Down the Y Axis)

• Marketing and promotional plans, databases and resources.

• Business/strategic/referral relationships (eg. estate agents).

• Payroll, recruitment (successful and unsuccessful and prospective and past) appraisals, training records, next of kin, disciplinary matters, E&D, pensions, diet/intolerances/healthcare, disability.

• Archiving, cost drafting, shredding. Registers of counsel and experts. Third party witnesses and reports. IT/technology. Cleaners. Contractors.

• Current clients. Prospective clients. Archived matters. Case management system. Complaints records. Undertaking records. Billing. Opponents or ‘other side’. Beneficiaries.

22. Session segment 2: Data protection controls

Page 23: Presenter: Neil Partridge - PDA Legal

Bear in mind

• ‘Legitimate Interests’ is only rarely applicable or limited in its appropriateness.

• You will need to have conducted a LIA to justify the use of LI versus any other legal basis.

• Example: Live conveyancing matters have at least three different types and reasons for processing.

• ‘Staff/HR data’ has multiple types; with different retention periods, permissions and controls.

• You must know where all data is held at all times; no surprises!

23. Session segment 2: Data protection controls

Page 24: Presenter: Neil Partridge - PDA Legal

24. Session segment 2: Data protection controls

Lexcel 3.1b (achieving an appropriate Article 30 record)

SRA StaR 2.1: “You have effective governance structures, arrangements, systems and controls in place that ensure: (a) you comply with all the SRA's regulatory arrangements, as well as with other regulatory and legislative requirements, which apply to you;…”

SRA StaR 2.2: “You keep and maintain records to demonstrate compliance…”

• Be clear on the purposes and legal basis for processing.

• Know where ALL of it is kept.

• Know who has access to it.

• Know how long you will keep it.

Page 25: Presenter: Neil Partridge - PDA Legal

Lexcel 3.1c: Handling Data Subject Access Requests (‘DSAR’)

SRA StaR: 3.6: “You ensure that the individuals you manage are competent to carry out their role, and keep their professional knowledge and skills, as well as understanding of their legal, ethical and regulatory obligations, up to date.”

• DSARs cannot usually be charged for and do not have to be in writing.

• Be alert! A DSAR can come in multiple guises, including: email, phone call, text message, in person, in writing, etc.

• Be aware! Many such requests will not include the language ‘Data’ or ‘Subject’ or ‘Access’ or ‘Request’.

• Ask questions! If in any doubt, speak to your supervisor.

• Act fast! Report the DSAR to the Data Protection Lead without delay so that they can make necessary decisions.

• The firm must deal with DSARs within 30 days. (Check spam email.)

25. Session segment 2: Data protection controls

Page 26: Presenter: Neil Partridge - PDA Legal

Lexcel 3.1f: Data Protection Impact Assessments (data protection by design and default)

SRA StaR 2.5: “You identify, monitor and manage all material risks to your business…”

• DPIA: Intended to chart the risk to data caused by processing activities.

• Outright absence of procedures in some cases, or;

• reliance on outdated template procedures.

• No procedure; no DPIA (none will be conducted even when one was, in fact, merited).

• When a CMS is changed, a DPIA will be required.

• Some CMS providers offering ‘pre-packaged’ DPIAs. (Yes; really!)

• Potential for significant risk; without a leg to stand on if things go wrong.

• Article 35(7) of the GDPR sets out what ‘shall’ be included in a DPIA.

26. Session segment 2: Data protection controls

Page 27: Presenter: Neil Partridge - PDA Legal

27. Lexcel Masterclass

Comfort break

Page 28: Presenter: Neil Partridge - PDA Legal

28. Lexcel Masterclass

Session segment 3 Application of SRA ‘StaRs’

Page 29: Presenter: Neil Partridge - PDA Legal

StaRs in your existing Lexcel framework

Sections: Structure and strategy; Financial Management; Information Management; People Management; Risk Management; Client Care; File & Case Management

• Undertakings procedure (1.3)

• Equality and diversity policy:
  • 1.5 publishing diversity data
  • 6th principle

• Financial management procedure:
  • 2.4 monitor the financial stability of your firm and report to the SRA (3.6)

• Risk management:
  • 2.5 identify & manage material risks

• Development:
  • 3.1 Keep up-to-date
  • 4.2 providing a competent service
  • 4.3 Ensure managers and employees are competent

• Whistleblowing policy:
  • 3.11 & 3.12

• Managing instructions:
  • 4.1 client instructions
  • 4.4 Supervise client matters

• Client care policy (broad):
  • 4.2 competent service
  • 6.3 confidentiality
  • 7.1(b) referrals
  • Ethics (not covered by Lexcel)

• Generic risks:
  • 2.5 identifying material risks to the business

• Billing clients and handling financial transactions:
  • 5.1 accounting for financial benefit
  • Safeguard money and assets from clients and others

• Conflicts:
  • 6.1, 6.2, 6.5, 7.1(c)

• Policies and reviews:
  • 2.1, 2.2 & 2.3 Effective systems, controls & records

• Management structure and accountability:
  • 2.1 Effective structures and systems in place
  • 8.1, 9.1, 9.2 Managers, COLPs & COFA responsibilities

• Informing the client in writing:
  • 6.4 all material info
  • 7.1(c) clear info
  • 8.10 & 8.11 how you are regulated.

• Costs info (8.7)

• Website policy:
  • 7.1(c) ensure your publicity is not misleading

• Strategic plan:
  • 7.1(c) marketing your services

• GDPR:
  • 3.1 keep up to date with the law governing the way you work
  • 2.1 effective systems to comply with regulatory and legislative requirements

• Outsourced activities:
  • 2.3 Remain accountable
  • 3.3 Ensure SRA can inspect

• Supervision and file reviews: 4.4

• Complaints:
  • 3.2 cooperate with regulators
  • 7.1(c) complaints

• Accept or decline instructions (4.1)

• Matter progress:
  • 4.2 service is delivered in a timely manner
  • 7.1(c) costs info

29. Session segment 3: Application of SRA ‘StaRs’

Page 30: Presenter: Neil Partridge - PDA Legal

The Code of Conduct for firms requires:

8.4: “You ensure that when clients have made a complaint to you, if this has not been resolved to the client’s satisfaction within 8 weeks following the making of a complaint they are informed, in writing:

a) of any right they have to complain to the Legal Ombudsman … the time frame for doing so and … how to contact […]; and

b) If a complaint has been brought and your complaints procedure has been exhausted:

i. That you cannot settle the complaint;

ii. The name and website address of an alternative dispute resolution approved body which would be competent to deal with the complaint; and

iii. Whether you agree to use the scheme operated by that body.”

The Lexcel standard v6.1 requires:

6.5: “Practices must operate a written complaints handling procedure, including: […]

e) Once a complaint has been made, the person complaining is informed in writing:

I. How the complaint will be handled; and

II. In what time they will be given an initial and/or substantive response…”

Lexcel 6.5: Complaints procedures

30. Session segment 3: Application of SRA ‘StaRs’

Page 31: Presenter: Neil Partridge - PDA Legal

Follow through the touchpoints 8.4 of the SRA Code for Solicitors and 6.5 Lexcel standard v6.1: complaints handling

Complaints

Finance

• Bill disputed

Information management

• Data protection

• Website

• Review of complaints policy

People

• E&D complaints

• L&D for complaints Partner

• L&D for all staff

Risk Management

• Risk register

• Complaints re outsourced providers

• New enquiries

• File reviews and supervision

• Inactivity

• Closing risk assessment

• Risk review – complaints trends and client feedback

• Deadlines to respond to complaints

• LeO updates

Client care

• Policy

• Retainer letter / CCL

• Regular costs information

• Complaints policy

• Client satisfaction policy

File & Case management

• Matter progress

• File closing procedures

31. Session segment 3: Application of SRA ‘StaRs’

Page 32: Presenter: Neil Partridge - PDA Legal

The Code of Conduct for Solicitors, RELs and RFLs requires:

3.5: “Where you supervise or manage others providing legal services: (a) You remain accountable for the work carried out through them; and (b) You effectively supervise work being done for clients.”

3.6: “You ensure that the individuals you manage are competent to carry out their role, and keep their professional knowledge and skills, as well as understanding of their legal, ethical and regulatory obligations, up to date.”

The Lexcel standard v6.1 requires:

5.9: “Practices must have a procedure to ensure that all personnel [...] are actively supervised. Such procedures must include…”

4.8: “Practices must have a performance management policy, which must include: a. the practice’s approach to performance management b. performance review periods and timescales.”

Risk management; Supervision

32. Session segment 3: Application of SRA ‘StaRs’

Page 33: Presenter: Neil Partridge - PDA Legal

The Code of Conduct for firms requires:

3.11: “You do not attempt to prevent anyone from providing information to the SRA or any other body exercising regulatory, supervisory, investigatory or prosecutory functions in the public interest.”

3.12: “You do not subject any person to detrimental treatment for making or proposing to make a report or providing, or proposing to provide, information based on a reasonably held belief […] irrespective of whether the SRA or another approved regulator subsequently investigates or takes any action…”

The Lexcel standard v6.1 requires:

4.9: “Practices must have a whistleblowing policy.”

Reporting to the regulator

33. Session segment 3: Application of SRA ‘StaRs’

Page 34: Presenter: Neil Partridge - PDA Legal

The Code of Conduct for Solicitors, RELs and RFLs requires:

3.2: “You ensure that the service you provide to clients is competent and delivered in a timely manner.”

3.3: “You maintain your competence to carry out your role and keep your professional knowledge and skills up to date.”

7.1: “You keep up to date with and follow the law and regulation governing the way you work.”

The Lexcel standard v6.1 requires:

4.3: “Practices must have a learning and development policy, which must include:

a. Ensuring the appropriate training is provided to personnel with the practice

b. Ensuring that all supervisors and managers receive appropriate training

c. Evaluate training.

d. A learning and development plan for all personnel.”

Please also note the following training requirements: 4.2 d: “on equality and diversity requirements”, 5.8 b: “to identify conflicts.”, 3.1 e: “regular data protection training.”, 3.2 i: “on information security.”

Training and development

34. Session segment 3: Application of SRA ‘StaRs’

Page 35: Presenter: Neil Partridge - PDA Legal

Training

Learning & development

• 4.3 Lexcel v6.1 - Appropriate training provided to personnel.

• All supervisors and managers receive appropriate training.

• A learning and development plan for all personnel.

SRA Code of conduct

• Maintain competence and keep up to date (all employees)

• Specific roles (COLP, COFA, Complaints partner)

Induction

• 4.6 Lexcel v6.1 - "appropriate induction for all personnel, including those transferring roles... and must cover: a) the management structure and the individual's responsibilities... c) immediate training requirements"

Lists of work the practice will and will not undertake

Managing high risk matters

Generic risks & causes of claims associated with areas of work

• 5.5 Lexcel

• 5.4 Lexcel

• 5.6 Lexcel

GDPR

• 3.1 (e) Lexcel v6.1 - "regular data protection training for all staff."

Information management & security

• 3.2 (i) Lexcel v6.1 - "training for personnel on information security"

Equality & Diversity

• 4.2 (d) Lexcel v6.1 - "training of all personnel on compliance with equality and diversity requirements"

Conflicts

• 5.8 (b) Lexcel v6.1 - "training for all relevant personnel to identify conflicts"

• NEW in StaRs – identify who you are acting for.

AML

• 5.13 (e) Lexcel v6.1 - "a plan for the training of personnel."

What learning and development to be provided under StaRs and Lexcel

35. Session segment 3: Application of SRA ‘StaRs’

Page 36: Presenter: Neil Partridge - PDA Legal

36. Lexcel Masterclass

Session segment 4 AML and financial crime

Page 37: Presenter: Neil Partridge - PDA Legal

Lexcel 5.13: AML

a) a documented, risk assessment that identifies and assesses the risks of money laundering and terrorist financing to which the practice is subject

SRA StaR 2.5: “You identify, monitor and manage all material risks to your business…”

• Completion of the Regulation 18 Risk Assessment.

• A detailed breakdown of risks and controls across the firm (very helpful).

• Review of risk data (Lexcel 5.18) to inform and test systems.

• Reports. Breaches. Near misses.

• Identify associated controls set out in the Risk Register (Lexcel 5.1b).

• Consider monitoring through file reviews (Lexcel 5.11).

37. Session segment 4: AML and financial crime

Page 38: Presenter: Neil Partridge - PDA Legal

Lexcel 5.13: AML (continued)

h) where appropriate with regard to the size and nature of the practice:

ii) carry out screening of relevant employees

See Page 33 of the Legal Sector Affinity Group AML guidance:

Screening relevant employees prior to and during the course of their employment in relation to their skills and knowledge and their conduct and integrity.

SRA StaR: 3.6: “You ensure that the individuals you manage are competent to carry out their role, and keep their professional knowledge and skills, as well as understanding of their legal, ethical and regulatory obligations, up to date.”

38. Session segment 4: AML and financial crime

Page 39: Presenter: Neil Partridge - PDA Legal

Lexcel 5.13: AML (continued)

h) where appropriate with regard to the size and nature of the practice:

iii) establish an independent audit function to evaluate, monitor compliance with and improve the effectiveness of the practice’s AML policies, controls and procedures

• Does not have to be external to the practice but must be independent of the specific function being reviewed.

• You should take a risk-based approach to determining how frequently an independent audit should take place.

• An independent audit will not necessarily need to be carried out annually, but should occur following material changes to your risk assessment.

• Monitoring outcomes of annual risk data analysis (Lexcel 5.18).

39. Session segment 4: AML and financial crime

Page 40: Presenter: Neil Partridge - PDA Legal

Lexcel 5.13: AML (continued)

h(iv) Otherwise, practices must document why 5.13h (i-iii) are not appropriate.

SRA StaR 2.2: “You keep and maintain records to demonstrate compliance…”

• Consider the outcome of the documented firm-wide risk assessment (Lexcel 5.13a)

SRA StaR 3.1: “You keep up to date with and follow the law and regulation governing the way you work.”

• Consider outcomes of annual risk data analysis (Lexcel 5.18).

• Keep the situation under review and document consideration.

40. Session segment 4: AML and financial crime

Page 41: Presenter: Neil Partridge - PDA Legal

41. Lexcel Masterclass

Session segment 5 Q&A and closing remarks

Page 42: Presenter: Neil Partridge - PDA Legal

Presenter: Neil Partridge

LinkedIn: https://uk.linkedin.com/in/neilpartridge

Email: [email protected]

Telephone: +44 (0) 1372 879343

Download a copy of this deck at:

www.pda-legal.co.uk/lexcel-re-mar2020

Thank you for your participation