GDPR and Security in the legal sector
In insight / By Lydia Cooper / 04 June 2018
As we’re nearing the GDPR go-live date, we thought it would be a good time to reach out to a few industry experts about what they are seeing and hearing in the legal sector around GDPR.
“We started looking critically at GDPR in early 2017,” says Joanna Kingston-Davies, COO at the Jackson Lees Group. “In the legal sector, it’s less of a challenge because all of our client and employee relationships are covered by contracts detailing how we manage their data.”
Some commenters, however, thought that not enough was being done across the sector to address GDPR, and noted a willingness to leave the responsibility for achieving GDPR compliance to the IT department.
“I think there is still a lot of complacency in the market around GDPR and there are lots of firms who need to wake up to what they need to do before the GDPR go-live date,” commented Bill Kirby, Director at legal consultancy specialist, Professional Choice Consultancy. “What I’m saying to legal management today is, ‘don’t just rely on asking your IT department whether you’re on track with your GDPR commitments’. You need to go beyond just IT; staff need to be compliant in their day to day work, and training needs to be delivered to ensure employees understand how to protect your data. There’s no point spending lots of money on security technology, then giving away the passwords.”
We’re hearing lots of queries from customers around what they need to do with their IT to comply with the GDPR, so we’re trying to make the process as simple as possible to avoid GDPR-overwhelm.
“The topic of GDPR comes up in almost every conversation I have with technology leaders in the legal sector,” says Nigel Redwood, CEO at Nasstar. “There’s a lot of hype in the industry and supposed experts, but this can become overwhelming for many organisations. What we’re saying to our customers is to think about the next achievable step towards achieving increased data protection and GDPR compliance. Break it down into a simple next step, rather than trying to tackle GDPR compliance all at once.”
However, for the legal sector, ongoing regulatory compliance commitments mean the jump to achieving GDPR compliance should be less challenging than for other sectors.
“For many firms,” adds Nigel, “they will already have been adhering to many areas of the GDPR regulation as every UK law firm is already heavily regulated and used to following stringent compliance processes. For those already complying with existing data protection policies, it will likely be a small change to become GDPR compliant.”
Marketing and prospecting under the GDPR
A key point raised in a number of conversations we had with experts was around how marketing and sales outreach activities will be impacted by the GDPR.
“Something all firms will need to look at is how to handle prospect data from marketing activities as a contract won’t be in place before the prospect becomes a formal customer,” says Joanna Kingston-Davies.
Yet, despite already adhering to current data management and client confidentiality requirements, many firms are still not getting the basics right when it comes to ensuring their IT is properly secured and ready for the GDPR enforcement date.
“Surprisingly there are still some firms using Dropbox to share files, despite the US Patriot Act implications and security issues,” comments Bill Kirby. “Insecure and non-compliant technology just cannot be risked. Firms need to review their technology, policies and staff training to understand where the security gaps are – and this is the responsibility of partners and directors, not just the IT department.”
Working with an external provider such as Nasstar, whose day-to-day work is to continually review security processes across customer IT environments and to stay ahead of security and data protection requirements, can make the process simpler for law firms.
“In terms of our overall IT, we selected a provider like Nasstar who we could be confident would handle our data securely so that we are ready for the GDPR and other regulations as they are introduced,” says Joanna Kingston-Davies, COO at the Jackson Lees Group.
And for those firms who are worried about the security of moving their data out of their own data centres, it is often the safest choice to work with a tech partner who has dedicated security teams in-house.
“It’s more secure to move your data and IT to a specialist and compliant technology supplier who can manage and monitor your security for you, with around-the-clock support from dedicated experts,” adds Bill Kirby. “Keeping data and IT in-house is now no longer the ‘safe’ option that people once perceived it to be.”
Thank you to our contributors for this article: