Solicitors’ practices and barristers’ chambers’ databases, by the very nature of what they do, contain highly sensitive information of a very personal nature on the lives of thousands of clients that must be protected at all times regardless of the regulatory environment.
Underpinning every relationship with a client is the belief that their information and their dealings are completely confidential and that information is only shared with those who absolutely need to know.
For the year or so prior to the introduction of GDPR, there was a lot of understandable anxiety in practices and chambers about the impact that the new regulations would have on working practices, secure sharing of information, and what constituted “compliant data”. Two months on from GDPR becoming law, there has been surprisingly little written or said about it since in printed and online trade publications.
However, that’s no reason to be complacent. Compliance with GDPR is particularly difficult for both legal and accounting firms where there is a wide range of personal and business information held on each client.
A data protection law breach at a legal firm or an accountancy practice has much wider reaching implications than the recent breach at Ticketmaster, for example. As distressing as the Ticketmaster breach is for those involved, Ticketmaster did not hold linked personal, professional, and financial information that may have been of significant value to others.
We’ve compiled a list of the top 10 things the legal sector needs to create policies and procedures for given the unique position you hold in the lives of your clients and the value of that information to bad actors and scammers.
GDPR has widened the scope of what is considered personal data
Whereas before there was a fair degree of separation between what was considered personal data and what was not, GDPR has changed all that.
Article 4 of GDPR states that “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
The Information Commissioner’s Office goes further, stating that “by itself the name John Smith may not always be personal data because there are many individuals with that name. However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual…Simply because you do not know the name of an individual does not mean you cannot identify [them]. Many of us do not know the names of all our neighbours, but we are still able to identify them”.
The room for margin of error in interpreting what is personal data and what is not is now so thin as to be non-existent, so…
Don’t store more data than you need
It is much safer to reduce the amount of data that you need to store on an individual. When analysing how your practice or chambers stores information, take care to acquire the minimum amount of data you need to carry out business in the first place. Safe data storage is also something that can be improved, our white paper on the subject can give you a few pointers.
Process personal data fairly and lawfully
With the data you collect, your processing of it should be fair and transparent. You need to let clients know exactly how the information they share with you will be used and how they can gain access to the information you hold on them if they want to see it.
Obtain and process data for lawful and specified purposes
When you’re collecting information from a client, outline the uses that it will be put to and, if questioned, inform the client why you need the information for the purposes for which you intend to use it. Make sure that you don’t collect any information that’s not needed nor do you use the information gathered for a reason beyond what you told the client.
Keep personal data up-to-date and accurate
Take care when collecting data from clients that you have taken every possible precaution to ensure that the data is accurate and that the process used to extract the details you need from client will lead to information which is reliable and dependable. If you have data whose quality and accuracy you’re no longer convinced of, you should delete it without delay.
Don’t keep data for longer than you need it
On the subject of deletion, you should get rid of any data when there is no longer a commercial need or advantage to hold onto it. You should look to audit your dataset as a whole once a month paying particular attention to information which has been accessed for a reasonable length of time by anyone within the company.
Understand data subjects’ rights
The person within your practice or chambers with responsibility for the data should understand in full the requirements of GDPR regarding processing making sure that general data access requests for personal information within the company respect individuals’ rights.
Keep data safe and secure at all times
Whether accessed within your place of work or by staff on the move, every precaution possible must be taken to protect the data you have from bad actors. Bad actors can be people within your organisation just as much as an anonymous cybercriminal who may be operating on the other side of the world.
Don’t transfer data outside the EEA
GDPR introduced safe harbour requirements for occasions when personal data is transferred outside the European Economic Area. If you are transferring data (including to public and remote private cloud networks), your data controller should satisfy themselves that the receiving centre has the required levels of protection need for data processing.
With more outside attacks from cybercriminals and instances of employee fraud continuing to rise, encryption should be a key priority for your practice or chambers. Someone with bad intentions could choose to download some or all of your files but, if the information is encrypted, there is no commercial value to them in trying to find a buyer for your data and your clients’ details remain protected.