Law firms hold vast amounts of sensitive data on their clients. Should a data breach occur, the regulator, the Information Commissioner’s Office (ICO), can impose a fine of up to four per cent of global turnover or €20m, whichever is the higher.
Undertaking a thorough review of how you currently process and hold data should be a priority for every law firm right now, to ensure that you don’t fall foul of the new law. If you haven’t started yet – don’t panic. There is still time to plan and implement a compliance programme.
Mind the gap
A good starting point is to carry out a gap analysis to work out where existing compliance is good, and where there are likely to be difficulties in complying with the GDPR. Then your incremental compliance plan can be put together.
1 Review all existing contracts with your suppliers to see if they are handling personal data
2 Carry out an independent review of any insurance policies, to see what is and isn’t covered
- Do you have a cloud-based case management system? If so, what would happen if there were to be a data breach on that system? Would the supplier notify you, and would they help you to comply with the 72-hour breach notification requirement under article 33 of the GDPR?
- You may have a HR system that manages all your staff’s details – is that contract GDPR-compliant?
- Will your existing policies cover you for regulatory breaches?
- Will they cover you for a loss of turnover in the event of a data breach?
- Will they cover you for a subsequent loss of staff?
- If your credit rating is affected due to a data breach, are you covered for that?
3 Staff, from partner-level down, are fundamental to ensuring GDPR-readiness
Make staff aware that, in addition to the possibility of fines against their employer, criminal sanctions are available where employees, wilfully or negligently, are responsible for data breaches. All staff need to understand what the risks are, both to the firm and to them.
Some things to be aware of:
Both digital and hard-copy personal data needs to be protected.
- Consider the visibility of your offices from the street: are client details visible on computer screens?
- Are client cheques, with their account details on them, left on desks, and if so, are they visible from the outside?
The dangers of collaborative or agile working
- Public wifi. Consider the risks associated with working in public spaces using free public wifi. There are a number of privacy solutions for employees who work remotely. Employees should be encouraged to use only secure wifi at home or the office, and if travelling, to consider the use of a privacy screen on their device.
GDPR benefits for individuals
Compliance: an ongoing obligation
Neil Ford from IT Governance explains the compliance challenges: ‘With three months until the GDPR comes into effect, firms that haven't started their compliance project face a number of challenges. Some of the most important areas to address are data protection governance, risk management and information security management” (see IT Governance’s blog 10 things you must consider for GDPR compliance).
The Information Commissioner’s Office will want to see that a firm has considered the relevant risk or issue, can give reasons for its existence and evidence of the steps taken to address it. Oz Alashe explains: ‘While there has been lots of comment on the potential fines under the GDPR, in reality, if an organisation can demonstrate it has the technical and organisational controls in place to prevent a breach, the ICO is unlikely to impose a fine.’
Compliance should not be seen as a one-step process, but as a regular ongoing feature of a firm’s compliance framework. Having a proactive relationship with the ICO through regular communication can also pay dividends down the line, should a breach occur.
Do you need a data protection officer?
Article 37(1) of the GDPR requires a data protection officer (DPO) to be designated if the data processing activities of an organisation involve regular and systematic monitoring of data subjects on a large scale, or the processing of special categories of data on a large scale.
While some law firms may be required to appoint a DPO, even for those that don’t have to, it may still be worth making a voluntary appointment.
The Article 29 Working Party has further guidance on the appointment of a DPO. The Law Society will be also be issuing guidance shortly on DPOs. The guidance will be published as a work in progress and comments will be welcomed.
Information security management
Make sure all your data is encrypted. Secure all devices, including printers, by changing passwords. If all else fails, review how you are exchanging information with your client, and consider buying an off-the-shelf product that allows a secure, encrypted exchange of information. The Law Society Cyber Security Toolkit provides further guidance.
Views expressed in our blogs are those of the authors and do not necessarily reflect those of the Law Society. At the time of publishing CybSafe and IT Governance were Law Society cybersecurity partners.
The Law Society’s dedicated cybersecurity and scam prevention page where you can sign up to the cybersecurity news digest relevant to the legal sector, information on endorsed cybersecurity providers, and relevant Law Society training, events and guidance
Solicitors Regulation Authority on cybersecurity
Look at the ICO’s ‘12 steps to take now’ checklist, as well as its other online resources and details of monetary penalty notices and assessments