When the EU’s General Data Protection Regulations (GDPR) come into force on May 25, 2018, they may not make too much difference to law firms. This is because the profession’s standards of confidentiality are so rigorous that most practices are probably a long way down the line to compliance already.
However, one of the characteristics of the Regulations is that they formalise and give teeth to some data protection principles that are not necessarily backed by the force of law. For example, concepts such as ‘privacy by design’, which requires firms to design data protection into the fabric of a system, rather than running it as an add-on, will now become a legal requirement.
Carelessness with client data has never been sensible; from May next year it will be dangerous, exposing firms to the risk of fines and serious reputational damage.
It should be noted at this point that Brexit should not be seen as a get-out-of-regulation card. The Regulations affect all organisations conducting business with Europe and European citizens and, in any case, Britain will still be part of the Union when they come into force. Even after Brexit, it’s likely that the Government will need to harmonise the UK’s data protection laws with those of its European trading partners. One way or the other, compliance with the GDPR is unavoidable.
One of the most complex aspects of compliance is the question of business mobility. With the advent of smartphones, tablets and ubiquitous Wi-Fi, the law is practiced on the move as often as it is in the office. While this increases efficiency and improves service to clients, it also increases the risk of a significant security breach.
Designing and enforcing an effective mobile security system is further complicated by the proliferation of different devices, operating systems and applications employed by users. Most of the firms we deal with these days operate a mix of practice-owned devices, and personally-owned devices that are authorised to connect to the corporate network.
Even practice-owned devices can be compromised if they are not adequately protected, and the risks around allowing personal devices to access client data are obvious. Notwithstanding the profession’s venerable tradition of discretion and absolute confidentiality, even the most well-intentioned user must be viewed as a significant vulnerability. After all, an understanding of the finer points of mobile security cannot be the first priority of a busy lawyer.
It therefore falls to the practice IT team to maintain the firm’s security posture, using enterprise mobility management software to push policies and updates out to devices, with minimal intervention by the user.
Technologies such as BlackBerry® Unified Endpoint Management (UEM) allow IT teams to control diverse mobile estates within a single enterprise mobility management (EMM) deployment. This means that Apple® devices, with various versions of iOS, can be managed alongside Samsung and other devices running different flavours of Android™, including the latest BlackBerry smartphones. Older BlackBerry devices, running BlackBerry 10, can also be managed within the same system.
Things can get still more complex for legal IT managers when you consider the array of applications that are used routinely, including some specialist apps such as iManage Work. Applications like the Rubus iManage Work Connector for Mobile help to bridge the gap between specialist apps and the native smartphone user experience. Functions such as ‘send and file’, and ‘file from inbox’ can be used from within the familiar email client, without compromising security.
A user-centric approach of this kind forms a vital part of an effective security system. By designing policies and apps that are closely aligned with the user’s existing habits and working practices, IT teams can reduce the risk of a user making a mistake that either breaches security or stops the device from working properly.
One of the primary objectives for the GDPR is to protect and empower individuals, giving them greater control over how their data is collected, stored and used. We can expect to see companies being held publicly accountable for any misuse of customer data, which will make it still more important to demonstrate compliance.
If a client accuses a firm of failure to comply with the Regulations, then the ability to present an audit trail of the way the data was handled will be invaluable.
And this, perhaps, is where the biggest risks around mobility can be identified. A device left on a train, or connecting to an insecure public Wi-Fi network, could allow a disastrous theft of client data if the system is not secure from end to end.
On a personally-owned device, client data and all matter-related files must be containerised and kept separate from personal content and apps. Where personal use of practice-owned devices is allowed, the separation of work data from personal data is equally important.
Most EMM solutions allow policies such as ‘COPE’ (corporate-owned, personally-enabled) to be enforced, once again reducing the reliance on the user to adapt their behaviour in line with the demands of the technology. Effective containerisation also means that confidential work-related data and files can be wiped remotely as soon as a device is reported lost or stolen.
With defences such as these in place, legal IT managers will be in a position to look the most severe of EU regulators in the eye and show that all possible steps have been taken to comply with the GDPR.
But more importantly, the right level of mobile security will mean that lawyers can look clients in the eye and reassure them that their data is safe. In a data protection climate that looks set to become prodigiously litigious, this will make effective and demonstrable security more than just a sensible precaution. It will be a source of distinct competitive advantage and client satisfaction.