
Preparing for GDPR: Securing your Law Firm’s Data – Part 1


In my previous blog, Cyber Security for Law Firms: 8 Top Tips to Keep Your Firm Safe, I gave some pointers to help law firms safeguard their confidential client data.

Since then, many of you have been in touch asking for more information on this topic, especially in light of the imminent enforcement of GDPR (if you missed my blog on GDPR and what it means for law firms, you can read it here). So today I thought it would be useful to share some more detail on the specifics of securing your firm's data. This broadly falls into two categories: access control (making sure authorised users can only reach what they are entitled to) and cyber security (protection against unauthorised access from outside).

Today I am going to talk about the former. Good access control lies at the heart of protecting your law firm's data, and it forms an important part of preparing your firm's information systems for GDPR compliance.

GDPR places accountability on law firms to have in place policies, procedures and documentation that demonstrate the personal data they hold is processed and stored securely. Bear in mind that personal data is any information relating to an identifiable living individual, which can be as simple as a name or email address, so it quickly becomes apparent that this is likely to cover the vast majority of a firm's data.

Therefore, for each of your computer systems, it is important to understand, and have documented, who has access to that system and what level of access they have (for example read only, read and write, or administrator). It is best practice to give each user the minimum access they require to do their job. Allowing staff wider access than they need puts you at greater risk of a data security breach, data corruption or data loss through incidents such as accidental deletion, a ransomware infection (which can only encrypt what the infected user's account can reach) or a malicious insider. As well as having SOPs in place to handle the IT access control requirements of new starters, it is also important to have procedures covering what happens when somebody leaves the firm or changes role: a leaver's accounts should be disabled on their last day, and a mover's old entitlements should be removed rather than simply added to. A periodic access review, in which each system's current permissions are reconciled against the HR roster, is the simplest way to catch the accounts these procedures miss.

Nowadays, it is also likely that external organisations or third parties (IT support providers, barristers' chambers, outsourced typing or costs draftsmen, for example) have legitimate access to some of your IT systems or data. This access needs to be secured in just the same way, so you are clear who has access to which parts of the system, why it is needed, how it is controlled and when it is due to end. There also need to be procedures in place to review, amend and remove third-party access as business relationships evolve and change; an access grant with no agreed end date tends to outlive the contract it was created for.

Mobile and remote working present a whole additional set of challenges to IT security, with the potential for copies of data or emails to be residing on all kinds of devices, both company owned and employee or third-party owned, which do not necessarily conform to the firm's security standards. Developing policies around mobile working, and ensuring there is no leakage of data or unauthorised access to it, form a critical part of compliance nowadays. Policies and technologies also need to be implemented to protect against data breaches from mobile devices that are lost or stolen: at a minimum, full-device encryption, a screen lock, and the ability to remotely wipe the device or revoke its access, so that a lost laptop is an inconvenience rather than a reportable breach.

Finally, bear in mind that it is not just your main company-wide IT systems that fall under the GDPR. Any system holding personal data is subject to the legislation, whether a central application or a structured filing system, so do make sure your access control procedures also cover the spreadsheets, Access databases and shared folders that an individual or department has built up over the years and which contain personal data. These are easy to overlook precisely because nobody documented them when they were created.

If you would like to discuss ways in which Xara Computers can help you secure your law firm's data and prepare for GDPR compliance, please do not hesitate to contact me, or my colleague Andrew Banning, on 0208 732 5656 or email us on mk@xc360.co.uk or ab@xc360.co.uk. We will be happy to help.

Xara Computers' flagship product, the XC360 for Law Firms private cloud platform, provides law firms and solicitors with a fully managed, highly secure, UK-based remote desktop running all of their own firm's software. This allows fee earners to work and collaborate in real time, from any location, using any computer, laptop or tablet, safe in the knowledge that their confidential client data is centralised and secure. For more information please do not hesitate to contact me on 0208 732 5656 or email mk@xc360.co.uk
