Only law firms should be lead service providers when ensuring you comply with the law (like data protection laws). Consultants, auditors, audit firms and even information security or IT governance consultants cannot provide the legal protection and privilege offered by law firms. Lawyers must be your main entry point, even if they engage non-lawyers as sub-contractors. You must ensure that every communication goes through your lawyers.
Powers to search and seize
Authorities or regulators (like the Information Regulator) may obtain a search warrant, and enter and search your offices and premises. The regulator’s staff may seize and remove whatever they regard as evidence (section 82 of POPIA).
But your communications with your professional legal adviser are exempt (see definition and section 86). The regulator cannot search or seize them. All your compliance documents, including assessments, gap analyses, audits and opinions, should form part of those communications. You will enjoy a huge advantage and avoid enormous risks.
An example of what could happen with your compliance project
Just imagine – a consultant assesses your compliance with data protection law and provides a gap analysis. There are bound to be many gaps because at this stage it is highly unlikely that anyone complies fully with data protection law. The regulator believes you are not complying and visits your offices with a search warrant and demands your gap analysis. There is no better evidence to prove that you are not complying with data protection law.
Audit firms and other consultancies are not professional legal advisers. Even though they may engage the services of professional legal advisers, they themselves do not provide legal privilege and protection. Only in very limited instances would communications between you and those consultancies be protected under legal privilege.
Professional legal advisers
You need us to help you to comply and implement data protection compliance in your organisation. We are professional legal advisers and provide you with independent legal advice that is confidential, privileged and protected. This is why we mark all communications to our clients as a communication between a professional legal adviser and a client, which is privileged.
We do not suggest we have all the skills to implement data protection law practically and cost-effectively. For your benefit, we adopt a multi-disciplinary approach and have strong, protected relationships with other professionals (like strategic management consultants, ICT management consultants, IT governance professionals, information security specialists, and consultants). Together we are able to offer you specific and often unique skills, knowledge and experience.