
Keep your papers under wraps for GDPR compliance

31 July 2017
by 

Under the EU’s General Data Protection Regulation (GDPR), aggrieved data subjects can sue firms for failing to secure their personal data properly. New statistics from the Information Commissioner’s Office (ICO) showed that there was a 173% increase in data security incidents in the legal sector in Q4 2017 compared with the previous quarter.


Processing personal data is an intrinsic part of legal work. If you can't guarantee the confidentiality, integrity and availability of that data, your professional standing – and your clients – could suffer, and you could fall foul of data protection legislation.

When the EU's GDPR supersedes the Data Protection Act 1998 (DPA 1998) on 25 May 2018, law firms as data controllers will face "effective, proportionate and dissuasive" administrative fines of between 2% and 4% of their annual global turnover or €20 million – whichever is greater – for breaches.

When you consider the scale of the new fines, the recent surge in data security incidents affecting law firms is sobering. The GDPR mandates that data breaches be reported to the supervisory authority – the ICO – within 72 hours of their discovery. Data subjects must also be informed if a breach represents a high risk to their rights and freedoms.

Information security, not just cyber security

Although most firms have embraced new technologies, the information handled by legal professionals is often held in hard copy rather than as encrypted digital files. This also needs to be appropriately secured and its confidentiality, integrity and availability maintained.

The ICO found that loss and theft of paperwork accounted for 26% of data security incidents in 2015/16. Data being posted or faxed to the incorrect recipient accounted for 17% of incidents. Make no mistake: these are data breaches, just as incidents caused by cyber-attacks are, and under the GDPR you'd be just as liable. Breaches of the 'integrity and confidentiality' principle, which mandates the use of appropriate security, incur fines at the upper end of the scale.

Cyber security measures, while extremely important, are only part of your compliance obligations: to secure hard copies appropriately, you need to extend your strategy to cover all forms of information – after all, even the best antivirus software can't prevent you from leaving a folder full of case notes in your car.

Information security: the holistic approach

Information security isn't just a job for the IT department: it's the responsibility of every single employee, from partners to trainees, from clerical staff to cleaners. Everyone who comes into any contact with information in any form must follow an agreed approach to ensuring its security. This is where a best-practice approach that covers people, processes and technology comes in, such as ISO/IEC 27001:2013 (aka ISO 27001).

ISO 27001 is the international standard for an information security management system (ISMS), against which you can achieve independently audited certification to demonstrate your commitment to securing your clients' information – and demonstrate your compliance with the GDPR.

Many leading law firms, including Clifford Chance, Allen & Overy and Linklaters, have already achieved certification to the Standard, but it is not just an approach for larger organisations. ISO 27001 sets out an approach based on regular risk assessment, which can – and, indeed, should – be tailored to each organisation's requirements, and is as suitable for smaller practices as it is for large city firms.

The GDPR mandates that data controllers implement "appropriate technical and organisational measures"; Annex A of the Standard lists 114 such measures – known as 'controls' – that you can use in order to address the risks you have identified. (You can also use other controls as part of your ISMS, but these must be checked against Annex A.)

Many of these controls are best-practice methods of securing hard copy data, which firms looking to avoid ruinous GDPR fines would be well advised to implement whether or not they seek to achieve certification to the Standard.

For example, from Annex A of ISO 27001:

  • A.8.3.2 Disposal of media – Media shall be disposed of securely when no longer required, using formal procedures. (This will help you fulfil the GDPR's principles of purpose limitation and storage limitation.)
  • A.8.3.3 Physical media transfer – Media containing information shall be protected against unauthorised access, misuse or corruption during transportation. (This will help you fulfil the GDPR's principles of accuracy, and integrity and confidentiality.)
  • A.11.2.6 Security of equipment and assets off-premises – Security shall be applied to off-site assets taking into account the different risks of working outside the organisation's premises. (This will help you comply with the GDPR's principles of storage limitation, and integrity and confidentiality.)
  • A.11.2.9 Clear desk and clear screen policy – A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. (This will help you comply with the GDPR's principles of accuracy, and integrity and confidentiality.)

There are, of course, many other controls that have a bearing on hard copy information, including controls on information classification, access control, physical and environmental security, and the transfer of information.

You can find more information about ISO 27001, and how it can help you demonstrate compliance with the GDPR, on IT Governance's website.


Tags: knowledge management | risk

About the author

Neil Ford is website copywriter at IT Governance. Neil has worked for IT Governance since 2013. He writes about all IT governance, risk management and compliance issues. 
