Keep your papers under wraps for GDPR compliance

31 July 2017

Under the EU’s General Data Protection Regulation (GDPR), aggrieved data subjects can sue firms for failing to secure their personal data properly. New statistics from the Information Commissioner’s Office (ICO) showed that there was a 173% increase in data security incidents in the legal sector in Q4 2017 compared with the previous quarter.

Processing personal data is an intrinsic part of legal work. If you can't guarantee the confidentiality, integrity and availability of that data, your professional standing – and your clients – could suffer, and you could fall foul of data protection legislation.

When the EU's GDPR supersedes the Data Protection Act 1998 (DPA 1998) on 25 May 2018, law firms as data controllers will face "effective, proportionate and dissuasive" administrative fines of between 2% and 4% of their annual global turnover or €20 million – whichever is greater – for breaches.

When you consider the scale of the new fines, the recent surge in data security incidents affecting law firms is sobering. The GDPR mandates that data breaches be reported to the supervisory authority – the ICO – within 72 hours of their discovery. Data subjects must also be informed if a breach represents a high risk to their rights and freedoms.

Information security, not just cyber security

Although most firms have embraced new technologies, the information handled by legal professionals is often held in hard copy rather than as encrypted digital files. This also needs to be appropriately secured and its confidentiality, integrity and availability maintained.

The ICO found that loss and theft of paperwork accounted for 26% of data security incidents in 2015/16. Data being posted or faxed to the incorrect recipient accounted for 17% of incidents. Make no mistake: these are data breaches, just as incidents caused by cyber attacks are, and under the GDPR you'd be just as liable. Breaches of the 'integrity and confidentiality' principle, which mandates the use of appropriate security, incur fines at the upper end of the scale.

Cyber security measures, while extremely important, are only part of your compliance obligations: to secure hard copies appropriately, you need to extend your strategy to cover all forms of information – after all, even the best antivirus software can't prevent you from leaving a folder full of case notes in your car.

Information security: the holistic approach

Information security isn't just a job for the IT department: it's the responsibility of every single employee, from partners to trainees, from clerical staff to cleaners. Everyone who comes into any contact with information in any form must follow an agreed approach to ensuring its security. This is where a best-practice approach that covers people, processes and technology comes in, such as ISO/IEC 27001:2013 (aka ISO 27001).

ISO 27001 is the international standard for an information security management system (ISMS), against which you can achieve independently audited certification to demonstrate your commitment to securing your clients' information – and demonstrate your compliance with the GDPR.

Many leading law firms, including Clifford Chance, Allen & Overy and Linklaters, have already achieved certification to the Standard, but it is not just an approach for larger organisations. ISO 27001 sets out an approach based on regular risk assessment, which can – and, indeed, should – be tailored to each organisation's requirements, and is as suitable for smaller practices as it is for large city firms.

The GDPR mandates that data controllers implement "appropriate technical and organisational measures"; Annex A of the Standard lists 114 such measures – known as 'controls' – that you can use in order to address the risks you have identified. (You can also use other controls as part of your ISMS, but these must be checked against Annex A.)

Many of these controls are best-practice methods of securing hard copy data, which firms looking to avoid ruinous GDPR fines would be well advised to implement whether or not they seek to achieve certification to the Standard.

For example, from Annex A of ISO 27001:

  • A.8.3.2 Disposal of media – Media shall be disposed of securely when no longer required, using formal procedures. (This will help you fulfil the GDPR's principles of purpose limitation and storage limitation.)
  • A.8.3.3 Physical media transfer – Media containing information shall be protected against unauthorised access, misuse or corruption during transportation. (This will help you fulfil the GDPR's principles of accuracy, and integrity and confidentiality.)
  • A.11.2.6 Security of equipment and assets off-premises – Security shall be applied to off-site assets taking into account the different risks of working outside the organisation's premises. (This will help you comply with the GDPR's principles of storage limitation, and integrity and confidentiality.)
  • A.11.2.9 Clear desk and clear screen policy – A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. (This will help you comply with the GDPR's principles of accuracy, and integrity and confidentiality.)

There are, of course, many other controls that have a bearing on hard copy information, including controls on information classification, access control, physical and environmental security, and the transfer of information.

You can find more information about ISO 27001, and how it can help you demonstrate compliance with the GDPR, on IT Governance's website.

Buy the newest (2013) version of the international Standard for information security management systems (ISMSs)

Check our General Data Protection Regulation resources

Tags: knowledge management | risk

About the author

Neil Ford is website copywriter at IT Governance. Neil has worked for IT Governance since 2013. He writes about all IT governance, risk management and compliance issues. 
