Friday 18 August 2017

GDPR Compliance for Law Firms: Controlling Access to Your Data



Following my recent blog posts Preparing your Law Firm for GDPR and GDPR Compliance for Law Firms: Just Where is your Confidential Data?, I have received a number of enquiries from law firms as to the ways in which they should be controlling access to their data, so today I thought it would be worth sharing some information on this important topic.

Securing your data in readiness for GDPR broadly falls into two categories – access control (effective security for authorised users) and cyber security (protection against unauthorised access). Today I am going to talk about the former, as having good access control systems lies at the heart of successfully protecting your law firm’s data, and forms an important part of preparing your firm’s information systems for GDPR compliance.

GDPR places accountability on law firms to have in place policies, procedures and documentation that demonstrate the personal data they hold is stored securely. Bear in mind that personal data can be anything that identifies an EU citizen, which can be as simple as a name or email address, so this is likely to cover the vast majority of a firm’s data.

Therefore, for each piece of data that you hold, it is important to understand, and have documented, who has access to that data and what level of access they have. Bear in mind that it is best practice to give each user the minimum access they require to do their job. Allowing staff wider access puts you at greater risk of a data security breach, data corruption or data loss through incidents such as accidental deletion, a ransomware attack or malicious insider threats.

As well as having SOPs in place to handle the IT access control requirements of new starters, it is also important that there are procedures in place to cover what happens when somebody leaves the company or changes role.

Appropriate password policies are also very important. If policies allow passwords to remain unchanged indefinitely, or allow staff to choose an easily guessable password, then there is a danger that data security will be compromised, which does not demonstrate the level of care and protection of your confidential data that GDPR demands. Equally, there is a fine balance to be struck: overly complex password policies, which demand long and complex passwords that frequently change, can result in staff feeling the need to write their passwords down, and having passwords recorded on sticky notes certainly doesn't demonstrate due care of confidential data under GDPR!

Nowadays, it is also likely that external organisations or third parties have legitimate access to some of your data. Such access needs to be secured in just the same way, so you are clear who has access to what data, why it is needed and how it is controlled. There also need to be procedures in place to review, amend and remove third-party access as business relationships evolve and change.
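To make the preceding recommendations concrete (document who holds what level of access to each dataset, remove access when someone leaves, and periodically re-confirm third-party access), here is an added example of a small access-register review in Python. It is not part of the original post and not a Connexion tool; the dataset names, roles, HR statuses and the 90-day review interval are constructed assumptions chosen to show each kind of finding once.

```python
"""Access-register review: flags leavers who still hold access, staff whose access
exceeds the documented minimum for their role, and third-party grants that have not
been re-confirmed recently. Added illustration; all sample data below is constructed."""
from dataclasses import dataclass
from datetime import date

# Ordering used to compare a granted level against the documented minimum.
LEVEL_RANK = {"none": 0, "read": 1, "write": 2}


@dataclass(frozen=True)
class AccessGrant:
    principal: str       # staff user or third-party account
    dataset: str         # any system holding personal data, departmental spreadsheets included
    level: str           # "read" or "write"
    kind: str            # "staff" or "third_party"
    last_reviewed: date  # when the grant was last confirmed as still needed


def find_orphaned(grants, hr_status):
    """Staff grants whose holder HR does not list as active (leaver procedure incomplete).
    A principal missing from HR records entirely is also reported."""
    return [(g.principal, g.dataset) for g in grants
            if g.kind == "staff" and hr_status.get(g.principal) != "active"]


def find_excess(grants, role_of, role_needs):
    """Staff grants above the documented minimum for the holder's role.
    A (role, dataset) pair with no documented need is treated as 'none', so
    undocumented access is reported as well as over-privileged access."""
    findings = []
    for g in grants:
        if g.kind != "staff":
            continue
        needed = role_needs.get((role_of.get(g.principal), g.dataset), "none")
        if LEVEL_RANK[g.level] > LEVEL_RANK[needed]:
            findings.append((g.principal, g.dataset, g.level, needed))
    return findings


def find_stale_third_party(grants, today, max_age_days=90):
    """Third-party grants not re-confirmed within max_age_days (assumed interval)."""
    findings = []
    for g in grants:
        age = (today - g.last_reviewed).days
        if g.kind == "third_party" and age > max_age_days:
            findings.append((g.principal, g.dataset, age))
    return findings


def review_access(grants, role_of, role_needs, hr_status, today, max_age_days=90):
    """Run all three checks and return the findings keyed by type."""
    return {
        "orphaned": find_orphaned(grants, hr_status),
        "excess": find_excess(grants, role_of, role_needs),
        "stale_third_party": find_stale_third_party(grants, today, max_age_days),
    }


# --- Constructed sample register (hypothetical names and datasets) ---
SAMPLE_GRANTS = [
    AccessGrant("alice", "client-matters", "write", "staff", date(2017, 7, 1)),
    AccessGrant("alice", "hr-records", "read", "staff", date(2017, 7, 1)),       # no documented need
    AccessGrant("bob", "client-matters", "read", "staff", date(2017, 7, 1)),
    AccessGrant("carol", "client-matters", "write", "staff", date(2017, 2, 1)),  # carol has left
    AccessGrant("costs-draftsman-ltd", "client-matters", "read", "third_party", date(2017, 3, 1)),
    AccessGrant("it-support-co", "client-matters", "write", "third_party", date(2017, 8, 1)),
]
SAMPLE_ROLE_OF = {"alice": "fee-earner", "bob": "receptionist", "carol": "fee-earner"}
SAMPLE_ROLE_NEEDS = {
    ("fee-earner", "client-matters"): "write",
    ("receptionist", "client-matters"): "read",
}
SAMPLE_HR_STATUS = {"alice": "active", "bob": "active", "carol": "left"}
SAMPLE_TODAY = date(2017, 8, 18)

if __name__ == "__main__":
    for kind, items in review_access(SAMPLE_GRANTS, SAMPLE_ROLE_OF, SAMPLE_ROLE_NEEDS,
                                     SAMPLE_HR_STATUS, SAMPLE_TODAY).items():
        print(kind, items)
```

The register itself is the documentation GDPR accountability asks for; running a review like this against it on a schedule (and after every starter, leaver or role change) turns the policy into evidence that access was actually checked.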

Mobile and remote working present a whole additional set of challenges to IT security, with the potential for copies of data or emails to reside on all kinds of devices, both company owned and employee or third-party owned, which do not necessarily conform to the firm’s security standards. Developing policies around mobile working, and ensuring there is no leakage of data or unauthorised access to data, form a critical part of compliance nowadays. Policies and technologies also need to be implemented to protect against data breaches from mobile devices that are lost or stolen.

Finally, bear in mind that it is not just your main company-wide IT systems that fall under the GDPR. Any indexed system that contains personal data is subject to the legislation, so do make sure you are also including in your access control procedures any spreadsheets or databases that have been developed by an individual or department and which contain personal data.

Over coming blogs, I will be exploring in more depth some of the key issues around GDPR compliance for law firms. In the meantime, if you are concerned about your firm’s GDPR compliance position, please do not hesitate to contact me on 0118 920 9600 or email james.stratton@connexion.co.uk when I will be happy to arrange a no obligation conference call to discuss how Connexion can help.

If you would like to read other articles in our series of informational resources for senior partners at Law firms, please visit our blog at http://legalsectorit.blogspot.co.uk/

_________________________________________________________________________________

Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/
