Legal Sector IT: August 2017

Friday 18 August 2017

GDPR Compliance for Law Firms: Controlling Access to Your Data

Following my recent blog posts Preparing your Law Firm for GDPR and GDPR Compliance for Law Firms: Just Where is your Confidential Data?, I have received a number of enquiries from law firms as to the ways in which they should be controlling access to their data, so today I thought it would be worth sharing some information on this important topic.

Securing your data in readiness for GDPR broadly falls into two categories – access control (effective security for authorised users) and cyber security (protection against unauthorised access). Today I am going to talk about the former, as having good access control systems lies at the heart of successfully protecting your law firm’s data, and forms an important part of preparing your firm’s information systems for GDPR compliance.

GDPR places accountability on law firms to have in place policies, procedures and documentation that demonstrates the personal data they hold is stored securely. Bearing in mind that personal data can be anything that identifies an EU citizen, which can be as simple as a name or email address, and it becomes apparent this is likely to cover the vast majority of a firm’s data.

Therefore, for each piece of data that you hold, it is important to understand, and have documented, who has access to that data and what level of access they have. Bear in mind that it is best practice to give each user the minimum access they require to do their job. Allowing staff wider access puts you at greater risk of a data security breach, data corruption or data loss through incidents such as accidental deletion, a ransomware attack or malicious insider threats.

As well as having SOPs in place to handle the IT access control requirements of new starters, it is also important that there are procedures in place to cover what happens when somebody leaves the company or changes role.

Appropriate password policies are also very important, since if policies allow passwords to remain unchanged indefinitely, or indeed allow staff to choose an easily guessable password, then there is a danger that data security will be compromised, which does not demonstrate the level of care and protection of your confidential data that GDPR demands. Equally, there is a fine balance to be struck, as overly complex password policies, which demand long and complex passwords which frequently change, can result in staff feeling the need to write their passwords down - and having passwords recorded on sticky notes certainly doesn't demonstrate due care of confidential data under GDPR!

Nowadays, it is also likely that external organisations or third parties may have legitimate access to some of your data. In this case this needs to be secured in just the same way, so you are clear who has access to what data, why this is needed and how it is controlled. There also need to be procedures in place to review, amend and remove access for third parties, as business relationships evolve and change.

Mobile and remote working present a whole additional set of challenges to IT security, with the potential for copies of data or emails to be residing on all kinds of devices, both company owned and employee or third-party owned, which do not necessarily conform to the firm’s security standards. Developing policies around mobile working and ensuring there is not leakage of data or unauthorised access to data form a critical part of compliance nowadays. Policies and technologies also need to be implemented to protect against data breaches from mobile devices that are lost or stolen.

Finally, bear in mind that it is not just your main company-wide IT systems that fall under the GDPR. Any indexed system that contains personal data is subject to the legislation, so do make sure you are also including in your access control procedures any spreadsheets or databases that have been developed by an individual or department and which contain personal data.

Over coming blogs, I will be exploring in more depth some of the key issues around GDPR compliance for law firms. In the meantime, if you are concerned about your firm’s GDPR compliance position, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss how Connexion can help.

If you would like to read other articles in our series of informational resources for senior partners at Law firms, please visit our blog at http://legalsectorit.blogspot.co.uk/

_________________________________________________________________________________

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/

Friday 4 August 2017

GDPR Compliance for Law Firms: Just Where is your Confidential Data?

This may sound like an odd question, as I’m sure many of you will be certain you know just where all your confidential and personal data is held. But do you really? And does it matter?

Any business's data is precious, but none more so than that of law firms who are privy to so much confidential information and who must meet their SRA regulatory obligations to maintain client confidentiality.

Not only do law firms hold much personal data, which is governed by the Data Protection Act and forthcoming GDPR legislation, they also hold a wealth of commercially confidential details ranging from large financial transactions, to trade secrets, through to the personal affairs of high-profile clients.

But in the globalised world in which we now operate, with increasing demands for remote working, there is a real danger that your precious business data may be scattered across the world. Yes, some of it will certainly be residing (hopefully securely) on your in-house servers. But what about the proliferation of company and employee owned portable devices such as laptops, tablets and smartphones which now hold company data and/or emails?

And then there’s data that has been shared with business partners and other third-party organisations. And data that has, for whatever reason, found its way onto file sharing services like Dropbox or USB sticks.

Then there is the cloud. The cloud has revolutionised the way many businesses store their data, but in doing so has also globalised the way data is stored, with many providers distributing data across servers worldwide in order to optimise costs. The cloud takes many forms, from well-known public cloud offerings, through to private cloud environments and individual cloud-based software applications. Understanding which of these your firm is using and where your data is actually being stored as a consequence is paramount, if you are to meet your obligations under GDPR, which include ensuring that you do not store data in or transfer data to countries outside the European Economic Area that do not have equivalently strong data protection standards. Indeed, aside from GDPR, data residency is a major concern for law firms from a jurisdiction point of view as well.

There’s also copies of data taken for backup purposes to consider. And do bear in mind this is not just your scheduled backups of your in-house servers, but can be backups that you may not even be aware of, such as automatic cloud backup software which may be installed on employee owned devices, which is copying confidential company data to an unknown provider’s cloud storage, in an unknown location, unbeknown to anyone. Indeed many of you may have read about a case earlier this year when an unnamed barrister was fined by the ICO (the Data Protection supervisory body in the UK), after 725 unencrypted documents containing information belonging to up to 250 people, including vulnerable adults and children, was uploaded to the internet when the barrister’s husband updated software on the couple’s home computer. These documents were visible to an internet search engine and the breach only came to light after a local government solicitor informed her chambers that documents containing confidential and sensitive information could be accessed online. Under GDPR, the financial and reputational consequences for such a breach could be crippling, so it is imperative that law firms have a real understanding of where their data is.

In general terms, the more widespread and less controlled your data is, the more vulnerable you leave your law firm to a security breach. So understanding what data you hold, where it is stored and who has access to it, is absolutely critical. This in turn needs to be documented, both so that the Senior Partners have understanding of, and control over, their data and to provide documentation for compliance and audit purposes. This not only puts firms back in control of their valuable data, but minimises the risk of a security breach and takes the first step towards preparing for GDPR compliance.

Over coming blogs, I will be exploring in more depth some of the key issues around GDPR compliance for law firms. In the meantime, if you are concerned about your firm’s GDPR compliance position, please do not hesitate to contact me on 0118 920 9600 or email jstratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss how Connexion can help.

If you would like to read other articles in our series of informational resources for senior partners at Law firms, please visit our blog at http://legalsectorit.blogspot.co.uk/

-------------------------------------------------------------------------------------------------------------------------

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/

About Me

Welcome to my blog, Legal Sector IT.

I'm James Stratton, the Managing Director of Connexion Ltd, an IT support and IT services company based in Reading, Berkshire and serving the whole of the UK.

Connexion has a particular specialism in working with highly regulated industries and as a result over the years I’ve worked with many law firms, solicitors and legal services businesses, helping them to transform their IT so that it delivers real business value.

With most law firms I work with sharing key concerns around SRA compliance, GDPR compliance, cyber security issues such as data leakage, identity theft, fraud and money laundering, I wanted to create this blog where I could share best
practice, discuss common challenges and highlight the strategies required to successfully leverage technology to both address these concerns but also to really add value to the practice. I hope you find it informative and thought provoking.

If you would like to discuss any element of IT in law firms with me, or you need some assistance with your IT strategy, IT compliance or your IT support, then please do not hesitate to contact me.

I look forward to hearing from you.

James Stratton
Connexion Ltd
t: 0118 920 9600
e: jstratton@connexion.co.uk
w: http://www.connexion.co.uk/law/