An acoustic masking installation directly supports the obligation under UK GDPR Article 32(1) to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. Personal data discussed aloud is still personal data, and securing it against being overheard falls within the scope of Article 32. Where documented, auditable evidence is required, book the optional compliance survey: the resulting written report confirms that Confidential Privacy has been achieved in the receiving spaces and gives you specific technical-control evidence to present in an audit or a DPIA.
Information only, not legal advice; confirm interpretation with your legal team.
The starting point for any firm is UK GDPR Article 32(1), which requires “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. In our interpretation, the FCA’s general systems-and-controls expectations (SYSC 4.1.1R and SYSC 6.1.1R) point the same way: a client-facing firm’s systems and controls should address the physical security of client discussions, not only digital security. A masking installation in the receiving spaces around client meeting rooms, supported by a written compliance-survey report, provides specific documented evidence of an organisational measure addressing the risk of unauthorised verbal disclosure of client-confidential information.
Information only, not legal advice; confirm interpretation with your legal team.
Paragraph 6.3 of both the SRA Code of Conduct for Solicitors and the SRA Code of Conduct for Firms provides: “You keep the affairs of current and former clients confidential unless disclosure is required or permitted by law or the client consents.” In our interpretation, keeping client affairs confidential includes guarding against client discussions being overheard in reception and corridor areas. A law firm that has conducted an acoustic assessment of those areas and has implemented masking where required has a documented, specific response to this risk, which is the standard expected in a practice management audit. The compliance survey is the recommended way to capture that evidence.
Information only, not legal advice; confirm interpretation with your legal team.