Welcome to my blog, designed to keep Senior Partners, COLPs and Practice Managers at law firms and solicitors' practices up to date with IT in the legal sector. As someone who is passionate about the effective use of IT in law firms, I wanted to use this forum to share best practice, discuss common challenges and highlight ways that technology can be used to deliver real commercial value to law firms, as well as addressing key challenges around cyber security, SRA compliance and GDPR compliance.
Friday, 21 July 2017
Preparing your Law Firm for GDPR
The new EU General Data Protection Regulation (GDPR) comes into effect in May 2018 and represents the most radical change in data protection legislation in the last 20 years. GDPR has been developed to reflect the changing use of data in the digital world in which we now live, and is designed to enable citizens to benefit from modern digital services, whilst providing sound, well formulated and properly enforced data protection safeguards to help mitigate risks and inspire public confidence in how their information is handled by businesses, third parties, the state and public service providers.
Failure to comply will have potentially catastrophic implications for companies, for two reasons:
1. For any breach, the UK regulator, the ICO, will be able to levy fines of up to €20 million or 4% of your annual turnover, whichever is the higher.
2. Breaches have to be notified to the data protection authority and, in some cases, to the consumers affected, without delay. This leaves the firm concerned highly exposed to brand damage and potential customer payouts.
Whilst law firms already have onerous SRA compliance responsibilities to meet in relation to data protection, many may still need to broaden their security measures and precautions in order to meet GDPR, as well as ensuring that they have the necessary written SOPs in place and can provide documentary evidence to demonstrate compliance.
So what do law firms need to be doing to prepare for GDPR?
Well, this is a big question and one I will be exploring in more detail in coming blogs, but to give you a flavour, the type of things you should be considering include:
1. Identify what personal data you are holding. Bear in mind personal data can be as simple as an individual's name or email address. This is vital because you need to be able to demonstrate that you are protecting this data and using it appropriately. So understanding what you have and where it is forms the first step towards compliance.
2. Identify threats to this data. This could include things like cybercrime, accidental loss by employees, deliberate theft by employees, industrial espionage, lost devices and unauthorised access to data. This is vital if firms are to avoid the substantial fines that can be levied for unauthorised access to, or disclosure of, personal information.
3. Invest in and implement the right technologies and business processes to deal with insider and external threats to data. This will involve a wide raft of technologies to provide protection from a range of different threats, coupled with effective, documented business processes. This is very important if you are to avoid data breaches, and hence the crippling fines and reputational damage that a breach would bring about.
4. Put together a new or updated data protection policy and train employees on it. This is important as everyone in your organisation needs to understand their obligations under GDPR and how to make themselves fully compliant.
5. Put in place processes for ongoing education for all members of staff around cyber security and data protection. Because the cyber security landscape is constantly changing, it is very important that employees are constantly kept up to date with best practice around security and data protection.
6. Create a breach notification plan. This is important because if the worst should happen, and you do experience a data breach under GDPR, you need to have a clear plan to deal with it and communicate it as smoothly and accurately as possible, and with the least possible damage to your firm.
Over coming blogs, I will be exploring in more depth some of the key issues around GDPR compliance for law firms. In the meantime, if you are concerned about your firm’s GDPR compliance position, please do not hesitate to contact me on 0118 920 9600 or email jstratton@connexion.co.uk when I will be happy to arrange a no obligation conference call.
-------------------------------------------------------------------------------------------------------------------------
Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/
Friday, 7 July 2017
Secure Remote Working for Law Firms
Most law firms I speak to these days are keen to embrace the commercial benefits that remote working can deliver for their firm, allowing their fee earners to work from home or other remote locations, thus maximising their time and productivity as well as facilitating more flexible working practices.
However, given the wealth of highly confidential data that law firms are dealing with on a daily basis, there are naturally also concerns about the implications of providing remote access and whether this could compromise client confidentiality, SRA compliance or data protection.
There is no doubt that a myriad of risk management issues exist around cyber security, as those who read my previous blog Effective Cyber Security for Law Firms will have seen.
However, there is much that can be done to mitigate these risks, and enjoy the best of both worlds, by deploying well designed, well managed, highly secure technologies that ensure that no data ever leaves the security of your law firm’s servers or data centre.
As an example of this, I’d like to share a recent implementation we have completed for a UK law firm, where there was a pressing business need to provide secure remote access to all their systems for their fee earners. In this case, the solution designed allowed nominated staff to access their full computer desktop from any internet connected laptop or computer, at any location. As well as the normal office suite of applications and email, the system provided fee earners with full access to their practice management software, dictation software and all their files. The key here was that all data and applications remained at all times on the law firm’s highly secure, tightly managed back-end servers, with the end user device effectively just providing a “window” into that system. In this manner data remained centralised, subject to the firm’s stringent security policies, safely backed up and never transferred to individual fee earners’ personal devices. A number of additional layers of security were also put in place, including two-factor authentication via SMS message, which requires a logon from outside the office to be authenticated via a text message to the individual’s mobile phone, thus providing an additional level of security over and above a password alone.
In other cases, where law firms are receiving emails on their personal smart phones, and thus copies of potentially confidential data have been transferred outside the secure environment of their servers, we work with their in-house IT department to implement robust mobile device management solutions. These provide the firm with the control needed over corporate data that is on staff members’ own devices, but cleverly allow a separation of work and personal data on the smart phone, so that the firm has all it needs to control data from a compliance perspective, while that control does not interfere with or extend to the user’s personal applications and data, such as photographs or personal emails. As well as PIN protecting company email, such solutions can be configured with a variety of policies that allow the network administrator to lock or wipe the corporate data from the device remotely and immediately in the event of an issue such as a device being mislaid or a staff member leaving.
So, whilst nothing in life is completely without risk, with the right advice, people, technology and structured processes in place, there are certainly effective ways that law firms can achieve mobility without compromising confidentiality or compliance.
Over coming blogs, I will be exploring in more depth some of the key issues around successful use of IT in law firms, including protecting both client confidentiality and the structural and financial stability of your law firm, through appropriate risk management. In the meantime, if you would like to know more about secure remote working solutions for law firms, please do not hesitate to contact me on 0118 920 9600 or email jstratton@connexion.co.uk when I will be happy to arrange a no obligation conference call.