There’s no avoiding it: the world of work has changed beyond all recognition in recent months. Centralised offices seem like a distant memory, along with face to face consultations, paper signatures, and coffee breaks with colleagues.
The legal industry has faced unprecedented challenges in the wake of Covid-19, with legal news websites reporting how the UK courts are at breaking point as the backlog of cases continues to grow, and independent law firms feeling the pressure of the economic downturn.
But perhaps one of the most insidious issues affecting legal professionals is the data risk that comes with working from home rather than the office. This way of working has shifted much of the burden of GDPR compliance onto individual employees, with lawyers up and down the country now tasked with the complicated job of protecting their clients’ personal data outside the office.
With more opportunities than ever before to offer legal services online, law firms must recognise how their working practices have changed. With the arrival of the home office, IT infrastructures have had to adapt, bringing data risks that are new and unfamiliar compared with those of the pre-pandemic office.
To understand what this means for law firms, it is worth reminding ourselves of the recent history of GDPR.
What does GDPR mean for law firms?
Until 2018, UK data law had been built around the Data Protection Act 1998. That act was designed to protect people’s personal data stored on computers or in paper filing systems and, being from the 90s, was seriously underequipped to handle the data explosion of post-internet Britain.
GDPR was introduced to bridge this gap. From May 25th, 2018, any company or organisation that collected, stored, or used an individual’s personal data became subject to GDPR. For law firms, this meant:
Greater accountability to keep accurate records of the data held, plus evidence that the methods used to collect it were legal.
Firms must also be able to show that they are managing personal data according to the new regulations. This means being able to supply details about what data they collect, how they store it, and what they use it for. The regulator can request proof of this at any point.
Visitors to a law firm’s website must be told clearly and unambiguously what data is collected about them and what it is used for, and where the firm relies on consent (for example, for marketing) they must be given a genuine choice.
Law firms must establish their lawful basis for processing personal data and keep records of this.
The new regulations enshrined a firm’s responsibility for the data it collects, with fines for non-compliance raised to a maximum of €20 million or 4% of worldwide annual turnover, whichever is higher. With the responsibility firmly on the shoulders of individual law firms, let’s take a look at what your firm should be doing to keep personal data safe.
Refresh your cybersecurity policy
Your cybersecurity policy should explain to your workforce exactly what they need to do to protect the data you collect. If you don’t have a policy in place then creating one should be a priority. If you haven’t updated your firm’s policy since employees began working from home, then chances are there will be areas that need updating.
Your policy doesn’t need to be a complicated document. In fact, your employees are more likely to stick to it if it is written in simple terms. When drafting your guidelines, consider:
How does your new environment affect the level of risk?
What safeguards should be in place to limit the impact of a security breach?
What systems are in place to detect a cybersecurity incident? Are they sufficient?
What is your containment plan if a breach occurs?
How will you restore any capabilities or services damaged by the attack?
Make your policy readily available
Having a comprehensive cybersecurity policy will also help establish trust with clients. Manchester-based law firm Shafi Solicitors has worked on several high-profile criminal law cases, and so knows the importance of protecting personal data. The firm’s policy is written in plain English and is easily accessible via its website.
In the opening section of the policy, Shafi Solicitors state: “As lawyers, we have always held personal data about our clients, staff, suppliers and others. We collect personal information about people who wish us to act for them (our clients) because we need to use that information to progress their work.
For example, the type of personal data we normally need might be a client’s name, address, email address, identity documents, details of any allegation or conviction and bank details for processing payments.”
This helps contextualise what the firm means by personal data and makes clear how the policy affects the client.
Encrypt all data
Ensuring personal data is encrypted is an easier task in an office with a dedicated cybersecurity team. That being said, there are simple ways you can make sure data remains encrypted while working from home.
All laptops, phones and removable drives should be encrypted before an employee takes them home: BitLocker on Windows (Pro or Enterprise editions), FileVault on macOS, and a device passcode on iOS, which activates the phone’s built-in storage encryption. Full-disk encryption protects client files on a device that is lost or stolen while switched off or locked; it does nothing against malware or a phishing link on a machine that is already unlocked, so it complements rather than replaces the other measures here. Keep the recovery keys in the firm’s hands, not only the employee’s, or a forgotten password will lock the firm out of its own files.
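To make the Windows side of this concrete, here is an added example (not code from the original article) of checking a laptop’s BitLocker state, escrowing the recovery key before encryption starts, and then encrypting the system drive with the TPM unlocking it. It assumes a Windows 10 or 11 Pro/Enterprise machine with a TPM, an elevated PowerShell prompt, and a firm domain for key escrow; the drive letter is the only thing you would normally change.

```powershell
# Added example, not from the original article. Assumes Windows 10/11 Pro or Enterprise
# with a TPM, run from an elevated PowerShell prompt, and a domain-joined laptop so the
# recovery password can be escrowed in Active Directory.
$Drive = "C:"

# 1. Check the current state before the laptop leaves the office.
$vol = Get-BitLockerVolume -MountPoint $Drive
"{0} protection {1}, {2}% encrypted, method {3}" -f `
    $vol.MountPoint, $vol.ProtectionStatus, $vol.EncryptionPercentage, $vol.EncryptionMethod

if ($vol.ProtectionStatus -ne 'On') {
    # 2. Add a recovery password first, so the drive can still be unlocked if the TPM
    #    is cleared or the motherboard is replaced.
    Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null

    # 3. Escrow that recovery password in AD rather than leaving it with the employee;
    #    a lost key means lost client files.
    $rp = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' |
          Select-Object -First 1
    Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $rp.KeyProtectorId

    # 4. Encrypt the whole disk (not just used space) with XTS-AES-256, unlocked by the TPM.
    Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
}

# 5. Removable media that leaves the office should be encrypted too (BitLocker To Go).
#    List any volume that is still unprotected so it can be dealt with.
Get-BitLockerVolume |
    Where-Object ProtectionStatus -eq 'Off' |
    Select-Object MountPoint, VolumeType, EncryptionPercentage
```

The recovery password is added and backed up before encryption is enabled on purpose: if the order is reversed and the machine fails before the key is escrowed, the firm has an encrypted drive it cannot open. On macOS the equivalent check is `fdesetup status`, and FileVault offers an institutional recovery key for the same escrow purpose.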
Secure your connections
If your firm isn’t using a corporate VPN then now is the time to invest. A VPN encrypts traffic as it moves between an employee’s home machine and the firm’s network, so a home router, a coffee-shop hotspot or an internet provider cannot read client data in transit, and it lets you restrict internal systems so that only authenticated, firm-managed devices can reach them.
Think of it as a virtual hard hat rather than a suit of armour. It won’t affect your ability to work, and it protects data on networks the firm does not control, but it does nothing against a compromised home computer, a phishing email or a weak password, so pair it with multi-factor authentication and the endpoint measures above.
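As an added example (not code from the original article), this is how a Windows VPN profile might be pushed to a firm-managed laptop so that every user on it connects the same way: IKEv2, authenticated with a machine certificate the firm has enrolled, with strong IPsec parameters pinned and no split tunnelling. The gateway name `vpn.example-firm.co.uk` and the profile name are hypothetical, and it assumes a firm PKI already issues device certificates.

```powershell
# Added example, not from the original article. The gateway address and profile name are
# assumptions for illustration; the firm's own PKI must already have issued a machine
# certificate to this laptop for MachineCertificate authentication to work.
$Name   = "FirmVPN"
$Server = "vpn.example-firm.co.uk"   # hypothetical VPN gateway

# Machine-certificate authentication means only devices the firm has enrolled can connect,
# so a stolen password alone is not enough. Split tunnelling is left off (the default),
# so all traffic goes through the firm's gateway where its controls and logging apply.
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate -EncryptionLevel Required `
    -AllUserConnection -Force

# Pin the IPsec parameters rather than relying on what Windows negotiates by default,
# which still permits weaker ciphers and DH groups.
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name -AllUserConnection `
    -AuthenticationTransformConstants GCMAES256 -CipherTransformConstants GCMAES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 -PfsGroup PFS2048 -Force

# Verify what was actually configured before the laptop goes home.
Get-VpnConnection -Name $Name -AllUserConnection |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling
```

The final `Get-VpnConnection` is the check worth keeping in a rollout script: `SplitTunneling` should read `False` and `AuthenticationMethod` should list `MachineCertificate`, otherwise the profile is not providing the protection the policy assumes.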