
Keep your papers under wraps for GDPR compliance

31 July 2017

Under the EU’s General Data Protection Regulation (GDPR), aggrieved data subjects can sue firms for failing to secure their personal data properly. New statistics from the Information Commissioner’s Office (ICO) showed that there was a 173% increase in data security incidents in the legal sector in Q4 2017 compared with the previous quarter.

Processing personal data is an intrinsic part of legal work. If you can't guarantee the confidentiality, integrity and availability of that data, your professional standing – and your clients – could suffer, and you could fall foul of data protection legislation.

When the EU's GDPR supersedes the Data Protection Act 1998 (DPA 1998) on 25 May 2018, law firms as data controllers will face "effective, proportionate and dissuasive" administrative fines of between 2% and 4% of their annual global turnover or €20 million – whichever is greater – for breaches.

When you consider the scale of the new fines, the recent surge in data security incidents affecting law firms is sobering. The GDPR mandates that data breaches be reported to the supervisory authority – the ICO – within 72 hours of their discovery. Data subjects must also be informed if a breach represents a high risk to their rights and freedoms.

Information security, not just cyber security

Although most firms have embraced new technologies, the information handled by legal professionals is often held in hard copy rather than as encrypted digital files. This also needs to be appropriately secured and its confidentiality, integrity and availability maintained.

The ICO found that loss and theft of paperwork accounted for 26% of data security incidents in 2015/16. Data being posted or faxed to the incorrect recipient accounted for 17% of incidents. Make no mistake: these are data breaches, just as incidents caused by cyber attacks are, and under the GDPR you'd be just as liable. Breaches of the 'integrity and confidentiality' principle, which mandates the use of appropriate security, incur fines at the upper end of the scale.

Cyber security measures, while extremely important, are only part of your compliance obligations: to secure hard copies appropriately, you need to extend your strategy to cover all forms of information – after all, even the best antivirus software can't prevent you from leaving a folder full of case notes in your car.

Information security: the holistic approach

Information security isn't just a job for the IT department: it's the responsibility of every single employee, from partners to trainees, from clerical staff to cleaners. Everyone who comes into any contact with information in any form must follow an agreed approach to ensuring its security. This is where a best-practice approach that covers people, processes and technology comes in, such as ISO/IEC 27001:2013 (aka ISO 27001).

ISO 27001 is the international standard for an information security management system (ISMS), against which you can achieve independently audited certification to demonstrate your commitment to securing your clients' information – and demonstrate your compliance with the GDPR.

Many leading law firms, including Clifford Chance, Allen & Overy and Linklaters, have already achieved certification to the Standard, but it is not just an approach for larger organisations. ISO 27001 sets out an approach based on regular risk assessment, which can – and, indeed, should – be tailored to each organisation's requirements, and is as suitable for smaller practices as it is for large city firms.

The GDPR mandates that data controllers implement "appropriate technical and organisational measures"; Annex A of the Standard lists 114 such measures – known as 'controls' – that you can use in order to address the risks you have identified. (You can also use other controls as part of your ISMS, but these must be checked against Annex A.)

Many of these controls are best-practice methods of securing hard copy data, which firms looking to avoid ruinous GDPR fines would be well advised to implement whether or not they seek to achieve certification to the Standard.

For example, from Annex A of ISO 27001:

  • A.8.3.2 Disposal of media – Media shall be disposed of securely when no longer required, using formal procedures. (This will help you fulfil the GDPR's principles of purpose limitation and storage limitation.)
  • A.8.3.3 Physical media transfer – Media containing information shall be protected against unauthorised access, misuse or corruption during transportation. (This will help you fulfil the GDPR's principles of accuracy, and integrity and confidentiality.)
  • A.11.2.6 Security of equipment and assets off-premises – Security shall be applied to off-site assets taking into account the different risks of working outside the organisation's premises. (This will help you comply with the GDPR's principles of storage limitation, and integrity and confidentiality.)
  • A.11.2.9 Clear desk and clear screen policy – A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. (This will help you comply with the GDPR's principles of accuracy, and integrity and confidentiality.)

There are, of course, many other controls that have a bearing on hard copy information, including controls on information classification, access control, physical and environmental security, and the transfer of information.

You can find more information about ISO 27001, and how it can help you demonstrate compliance with the GDPR, on IT Governance's website.

Buy the newest (2013) version of the international Standard for information security management systems (ISMSs)

Check our General Data Protection Regulation resources

Tags: knowledge management | risk

About the author

Neil Ford is website copywriter at IT Governance. Neil has worked for IT Governance since 2013. He writes about all IT governance, risk management and compliance issues. 

Follow IT Governance on Twitter
