Under the General Data Protection Regulation (GDPR) you must process personal data securely. Personal data is information that can be used to identify people. All solicitors hold personal data.
You must protect personal data against:
- unauthorised or unlawful processing
- accidental loss
You must consider data protection:
- at the start of any processing activity
- during the processing
Systems that handle personal data must comply with data protection by design and default. We recommend following these principles for all data processing purposes.
Data protection by design
You must consider privacy and data protection issues at the design phase of any system and throughout data processing.
This could be, for example, when you:
- develop new IT systems
- use personal data for new purposes
- create processes that may affect the privacy of data
Read more on data protection by design
Privacy enhancing technologies (PETs) can help you apply ‘data protection by design’ in your firm. PETs protect privacy by minimising personal data use and maximising data security. They also empower data subjects by giving them the ability to manage and protect their personal data.
Read ENISA’s research reports on PETs
Read the Royal Society’s report on protecting privacy in practice (PDF 2.8 MB)
Data protection by default
To comply with the GDPR, you must only process data which is ‘necessary’ for your specific purpose.
Before the processing starts, data protection by default means you need to:
- specify the data you’re using
- tell the data subjects
- only process the data you need for your purpose
You should also consider:
- using a ‘privacy-first’ approach for system settings
- giving data subjects enough choice and control over how their data is used
- not processing additional personal data unless the data subject agrees
- making sure personal data is not made publicly available unless the data subject agrees
Read more on data protection by default
Level of security
The level of security (or protection) you need for your data depends on the risks involved in your processing. To understand the risks, you should review how valuable, sensitive or confidential the data is.
You should also consider:
- risks with your firm’s computer systems
- how many staff can access personal data
- risks involved with personal data held or used by a processor acting on your behalf
Read more information on security
You must have an ‘appropriate’ level of security to protect data. To achieve this, you should follow the NCSC and the Information Commissioner’s Office (ICO) security outcomes.
Following the security outcomes should help you:
- manage security risk
- protect personal data against cyber attacks
- identify security events
- minimise the impact of a data breach
Reporting a personal data breach
After a cyber attack, you need to check if personal data has been lost. If it has, you may need to report the breach to the ICO.
You must report a personal data breach within 72 hours of first finding out – even if this is outside working hours.
Read about when to report a personal data breach