The UK General Data Protection Regulation (UK GDPR) is a critical compliance issue for all legal practices, however large or small those firms may be and whichever categories of law they offer to clients.
Lawyers are acutely aware of their obligation to keep their clients’ affairs confidential under the SRA Standards and Regulations 2019 and associated Codes of Conduct.
However, there is an additional duty to ensure that any personal data they collect from the client or in relation to the client is kept private. Legal firms sometimes forget that they owe a similar duty of privacy to their staff.
A salutary reminder of this is the recent case where the Information Commissioner’s Office (ICO) issued a fine of £4.4 million to Interserve Group Limited for failing to keep people’s personal data safe.
“The ICO found that the company failed to put appropriate security measures in place to prevent a cyber-attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email”
“The compromised data included personal information such as contact details, national insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information”.
John Edwards, UK Information Commissioner, said:
“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office”
So, can your firm afford to be complacent given the level of these fines?
Don’t assume that such a cyber-hack can’t happen in the legal sector as can be seen from the following article
Don’t be found by the ICO to have been “complacent”. Cpm21 can help you with the following:
- Training staff and raising awareness of Cyber Threats
- Implementing robust Information Management Policies and Procedures
- Drafting Privacy Policies for Clients and Staff
- Drafting internal breach reporting and incident management procedures
- Providing guidance on reporting breaches to the ICO within strict time limits
- Training your Data Protection Officer/Manager in their duties under the Data Protection Act 2018 (as amended)
- Explaining the implications of the changes that have occurred following BREXIT.
- Encouraging you to apply for Cyber Essentials
Don’t be complacent. Let Cpm21 review your UK GDPR systems and risk mitigations today.
It is likely to be a lot cheaper than a potentially large fine from the ICO and of course the resultant reputational damage.