
Jean-Yves Gilg

Editor, Solicitors Journal

A refresher in data security


How can your organisation ensure compliance ahead of the introduction of new data protection legislation, asks John Michael

The new General Data Protection Regulation (GDPR) aims to create strong data protection laws in Europe and is set to replace the outdated patchwork of national rules, which have allowed only small fines for data breach violations. While some regard the regulation as burdened with red tape, it has generally been welcomed as an advanced and all-encompassing data protection framework.

Loss of client data is a major risk to any law firm, and the stakes are only getting higher. Firms already have obligations under the Solicitors Regulation Authority's (SRA) Code of Conduct to keep client information confidential and to maintain effective systems and controls to mitigate risks to confidentiality. In addition, there are separate obligations under the Data Protection Act (DPA) in relation to the personal data they hold.

In 2018, when the GDPR looks set to replace the DPA, the consequences of failing to protect the personal data of clients will become much greater. For example, the maximum fine for DPA breaches is currently £500,000, but this will increase to €20m or 4 per cent of global turnover. It will also become mandatory for organisations to report most personal data losses, both to the Information Commissioner's Office and to the affected individuals.

How can your organisation ensure compliance ahead of the new legislation coming into force in 2018?

  • Update policies: these should reflect the new obligations and set out any reporting systems;

  • Appoint a data protection officer: this is mandatory for all organisations with more than 250 employees;

  • Report effectively: a system should be put in place that ensures any breaches of unencrypted data are reported within 72 hours;

  • Encrypt everything: defend against a breach by making data unreadable or inaccessible using unbreakable encryption;

  • Keep records: data controllers should keep internal records as to how data is processed as evidence and to monitor compliance;

  • Obtain written consent: the parent/guardian of any child under the age of 16 should be notified and consent given before processing personal data; and

  • Respond quickly: ensure that any requests from individuals in relation to the handling of their personal data are dealt with efficiently and pro-actively.

Feedback from our legal clients suggests that most data losses arise from human error rather than deliberate contravention or a lack of internal compliance effort. While these will never be completely eliminated, the shift in emphasis to pro-active self-review and analysis is likely to result in fewer data losses over time. The increase in financial risk from the new penalties will also see greater investment in encryption technology and tools to reduce the risks arising from the human element.

John Michael is CEO of iStorage