Are Law Firms Doing Enough to Comply with GDPR?
The General Data Protection Regulation (GDPR) has brought significant changes to the way customer and client information is handled and the regulatory ramifications of breaches are now beginning to become apparent.
In the last few weeks, the Information Commissioner’s Office (ICO) announced that British Airways and Marriott International would be subject to fines of £183m and £99m respectively. It is clear that the regulator is no longer pulling any punches when it comes to reprimanding companies that are not complying. For law firms, which regularly handle sensitive customer or client information, it is vital to know how compliance can be achieved or risk enforcement action from the ICO.
Knowing the facts
Firstly, law firms need to know the regulation inside out. In short, transparency is the underlying principle of GDPR. It requires firms to maintain a clear data trail and to remove specific data if a client requests it. Businesses also have to receive explicit consent from clients in order to collect their data and must tell them how that data will be stored and used. GDPR also compels firms to ensure that any client data is stored securely. It is these kinds of failures in protecting customer information which have led to the recent fines from the ICO.
Client data is an essential part of day-to-day operations in the legal sector, and it can seem that there is too much information to fully protect. However, there are clear and relatively easy-to-implement solutions which can ensure firms comply with GDPR and protect themselves from fines.
Shoring up defences
Compliance begins with the basic steps of ensuring all IT systems and firewalls are secure and up to date, making sure two-factor authentication is in place, and following IT security best practices or frameworks such as Cyber Essentials. While systems and processes can be handled by in-house or third-party IT support, partner-level buy-in is essential to properly secure a firm and its clients’ information. Boardroom battles will more often than not lead to a data breach, so agreement among key decision makers is essential for the implementation of proper controls.
Email is still a significant threat vector for law firms. The number of threats and the complexity of breaches are only rising, and too many firms are still relying on basic email systems and manual methods of controlling risks. A number of firms are dealing with threats through recipient-checking systems, client portals, secure messaging and other solutions, but many are still relying solely on human controls.
Encouraging employee awareness
The rise of agile and remote working has also led to sensitive data being transferred onto unsecured devices, such as personal tablets, laptops and phones. If client data is stored on a device that isn’t controlled centrally, the risk of data loss to the firm increases significantly. While company policies need to be considered to deal with this issue, data leak prevention solutions may also be appropriate.
Encryption is generally an excellent strategy for firms looking to protect client data. In many breach situations, encrypted databases can spare the business embarrassing and costly consequences. When data is more vulnerable – such as when it is in transit or held on a personal device – encryption becomes even more vital.
However, even with these processes in place, there is always a risk that a breach can occur. Whether it’s through a lack of understanding or an inherent day-one flaw in a piece of software, firms need to be prepared. If a breach does happen and data is stolen, firms must notify the ICO within 72 hours, and must also alert the clients that may be affected.
Having the mindset
While these contingencies should be in place for the worst-case scenario, the key to GDPR compliance is for firms to take a proactive approach to data protection. Rather than assuming the current security measures are adequate, firms need to proactively review their practices to make sure everyone is prepared. As previous scenarios have shown, many businesses only implement suitable practices after a breach has occurred. However, the legal industry does not have this luxury. One data breach could forever tarnish the firm, and the subsequent fines could prove more than it can handle.
The only truly effective way to manage data security is to have a structure for doing so. The best way to achieve this is to implement the ISO 27001 standard. This will ensure that the threats to a firm are identified and continuously controlled. There are some management costs involved, but this is a small sum compared to the cost of a breach, both in terms of fines payable to the ICO and reputational damage to the firm. The ICO and SRA are also more likely to be lenient in a leak situation if firms have tried to understand and control the risks to their assets.
It’s now a little over a year since GDPR came into force, yet many firms are still running the gauntlet when it comes to protecting their clients’ data. Once they understand the regulation, it’s essential to take action and ensure safeguards are in place. The ICO is beginning to flex its muscles, and few firms could absorb a fine of tens of millions of pounds. It will require investment in enhanced procedures, processes, and protections, but failing to recognise the need for such an outlay would be a serious mistake with potentially serious consequences for UK law firms of all sizes.
Written by Robert Rutherford, CEO of IT consultancy QuoStar