Friday 24 November 2017

Remote Working and GDPR Compliance for Law Firms



In my recent blog, Preparing your Law Firm for GDPR, I outlined 6 key steps that law firms need to be taking to ready themselves for GDPR. Today I wanted to talk about another hot topic in the legal sector: remote working, and specifically how this sits in relation to GDPR compliance.

In recent years, remote working has become increasingly popular and necessary for law firms, who see the many productivity benefits it offers, as well as the flexibility to be able to work from any location at any time. I noticed in a recent survey by PwC that 70% of law firms have now either embraced or are in the throes of implementing remote or mobile working, and this comes as no surprise to me as it is one of the most popular solutions that we are working with solicitors’ practices to implement these days.

However, there is no doubt that remote working opens up a whole new set of challenges to address around data security. Protecting your data when it is all contained within the safe boundaries of your in-house network is one thing; protecting your data when there are copies on laptops, smartphones and tablets which may be anywhere in the world is quite another.

Preventing data loss or data leakage from mobile devices is a key area that needs careful management under GDPR. With company emails now frequently being synchronised to personal mobile phones, and data sometimes being copied to USB sticks or held on laptops or home computers to enable remote working, it is all too easy for confidential data to be lost if a device is mislaid or stolen.

Equally, staff can sometimes be unaware of the implications of having certain pieces of software on their laptop, home PC or smartphone, and may be unwittingly backing up or synchronising confidential company data to an unsuitable or insecure location, or even outside the European Economic Area. Those of you who read my blog “Just Where is your Law Firm’s Confidential Data?” may recall that I cited the example of a case earlier this year when an unnamed barrister was fined by the ICO (the Data Protection supervisory body in the UK), after 725 unencrypted documents containing information belonging to up to 250 people, including vulnerable adults and children, were uploaded to the internet when the barrister’s husband updated software on the couple’s home computer. These documents were visible to an internet search engine and the breach only came to light after a local government solicitor informed her chambers that documents containing confidential and sensitive information could be accessed online. This example helps to demonstrate just how easily and unwittingly a data breach can occur.

Since the GDPR obliges firms to ‘implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’ (article 32), it is very important that policies and controls around remote working are put in place that will minimise the risks of a data breach.

So, can and should law firms be using remote working technology, or, given the plethora of highly confidential information that they are privy to – so much of which identifies an individual and therefore falls under the scope of the GDPR – should they be banning the use of such technology altogether?

It’s an interesting question, and I hear a complete mix of views when I talk to law firms – varying from those who are embracing the technology wholeheartedly, but perhaps are sometimes not fully understanding the associated risks – through to those who are regressing from use of email back to the fax machine, as there is just so much fear and uncertainty around data security.

The reality is, that with the right controls, technologies and processes in place, secure remote working is achievable, and there are ways that law firms can demonstrate that they are implementing appropriate technical and organisational measures to ensure a level of security that is appropriate to the risk, as the GDPR demands.

This is about a lot more than passwords and anti-virus software though. As soon as you allow your staff to make copies of data onto their own PCs, laptops or tablets, you need to consider how you secure those devices as you would any other device on your internal network. And this is where life becomes very complicated, because on the in-house network you have certain policies around security, anti-virus software, website access, what applications run on each PC, what users are allowed to download, how PCs get updated with security fixes from vendors like Microsoft, and a whole raft of other controls. As soon as you start moving data onto computers that do not have these controls, you are potentially making your data and your firm very vulnerable.

It’s for this reason that when we are working with law firms to implement remote access to their systems, we always use technology which allows their data to stay residing centrally on their in-house servers, or at their data centre, and a copy does not get made onto the end user’s computer, laptop or device. Effectively the end user device is just a window into the central system, and as such has no confidential data stored on it. This means that only the central data repository needs to be kept secured – a much easier task than trying to secure data that is widely distributed.

There are further safeguards which we also put in place for staff who are working remotely – for example “two-factor authentication”, whereby, when you log on from outside the office, a one-time code is sent to your mobile phone which you must enter in addition to your password.
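To show what the one-time code step above involves on the server side, here is an added example in Python; it is not Connexion's implementation or any product's code. It assumes SMS delivery is abstracted as a callable, that a code is valid for five minutes and three wrong guesses, and that the server keeps only an HMAC of the code (so a leaked session store does not expose live codes). The code is bound to the account it was issued for, is single use, expires, and is compared in constant time; the user names, phone number and server secret are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 3         # assumption: three wrong guesses void the code
CODE_DIGITS = 6

# Constructed demo secret; a real deployment loads this from a secret store.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"


@dataclass
class PendingCode:
    username: str
    code_hmac: bytes        # HMAC of the code; the code itself is never stored
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


def _mac(username: str, code: str) -> bytes:
    # Binding the user name into the MAC means a code issued for one account
    # cannot be submitted against another account.
    msg = f"{username}:{code}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()


class SecondFactor:
    """Issues and verifies SMS one-time codes after the password check has passed."""

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms   # callable(phone_number, message); injected for testing
        self._now = now             # clock; injected so expiry can be tested
        self._pending = {}          # username -> PendingCode

    def issue(self, username: str, phone_number: str) -> None:
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = PendingCode(
            username, _mac(username, code), self._now() + CODE_TTL_SECONDS
        )
        self._send_sms(phone_number, f"Your login code is {code}")

    def verify(self, username: str, submitted: str) -> bool:
        pending = self._pending.get(username)
        if pending is None:
            return False
        if self._now() > pending.expires_at:
            del self._pending[username]          # expired: a fresh code must be issued
            return False
        if hmac.compare_digest(_mac(username, submitted), pending.code_hmac):
            del self._pending[username]          # single use: a replay fails
            return True
        pending.attempts_left -= 1
        if pending.attempts_left <= 0:
            del self._pending[username]          # too many guesses: void the code
        return False


def demo() -> dict:
    """Walks through the failure modes with a captured SMS channel and a fake clock."""
    sent = []
    clock = [1_000_000.0]
    sf = SecondFactor(send_sms=lambda phone, msg: sent.append(msg), now=lambda: clock[0])
    phone = "+44 7700 900123"   # constructed number

    sf.issue("alice", phone)
    code = sent[-1].split()[-1]
    wrong = "000000" if code != "000000" else "000001"
    results = {
        "wrong_code": sf.verify("alice", wrong),   # one attempt used, still pending
        "other_user": sf.verify("bob", code),      # no code was issued to bob
        "correct": sf.verify("alice", code),
        "replay": sf.verify("alice", code),        # already consumed
    }

    sf.issue("alice", phone)
    code2 = sent[-1].split()[-1]
    clock[0] += CODE_TTL_SECONDS + 1
    results["expired"] = sf.verify("alice", code2)

    sf.issue("alice", phone)
    code3 = sent[-1].split()[-1]
    wrong3 = "000000" if code3 != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        sf.verify("alice", wrong3)
    results["locked_out"] = sf.verify("alice", code3)   # voided after MAX_ATTEMPTS
    return results


if __name__ == "__main__":
    print(demo())
```

The points worth carrying into a real deployment are the ones the demo exercises: the code is tied to one account and one login attempt, it stops working after first use or after its time limit, and a handful of wrong guesses forces a fresh code rather than letting an attacker keep guessing a six-digit value.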

Smartphones are another challenging area to secure, as these days so many of us have our company email and calendar replicated onto our mobile phone for convenience. There is an obvious danger here if a device gets lost, stolen or compromised. However, there are now technologies available that will allow company data to be remotely wiped from a phone in such a situation, as well as technology to separate company data that is held on a smartphone from the owner’s personal photos, emails etc and to implement extra layers of security to protect the company data.

So in summary, law firms can and should be making the most of the commercial advantages and flexibility that remote working can offer them, but it is imperative that in conjunction with this firms are implementing a cohesive set of controls, technologies, business processes and policies that will ensure that they are safeguarding their data, and their firm’s reputation, and demonstrating GDPR compliance.

Connexion have been working with law firms for over 2 decades to help them implement technology to create real value to their firm, whilst carefully managing the associated risks through a highly structured and managed approach to delivering IT. If your firm would like to explore secure remote working solutions, or you are concerned that your current remote working solution may not be fully GDPR compliant, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk and I will be happy to arrange a no obligation conference call to discuss how Connexion can help.

_________________________________________________________________________________

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/