Under the EU’s General Data Protection Regulation (GDPR), aggrieved data subjects can sue firms for failing to secure their personal data properly. New statistics from the Information Commissioner’s Office (ICO) showed that there was a 173% increase in data security incidents in the legal sector in Q4 2017 compared with the previous quarter.
Processing personal data is an intrinsic part of professional services work. If you can’t guarantee the confidentiality, integrity and availability of that data, your professional standing – and your clients – could suffer, and you could fall foul of data protection legislation.
When the GDPR supersedes the Data Protection Act 1998 (DPA 1998) on 25 May 2018, professional services firms as data controllers will face “effective, proportionate and dissuasive” administrative fines of up to 4% of their annual global turnover or €20 million – whichever is greater – for breaches.
When you consider the scale of the new fines, the recent surge in data security incidents affecting professional services firms is sobering. The GDPR mandates that data breaches be reported to the supervisory authority – the ICO – within 72 hours of their discovery. Data subjects must also be informed if a breach represents a high risk to their rights and freedoms.
Information security, not just cyber security
Although most organisations have embraced new technologies and follow some cyber security procedures, the information handled by professional services firms is often held in hard copy rather than as encrypted digital files. This information also needs to be appropriately secured, and its confidentiality, integrity and availability maintained.
The ICO found that loss and theft of paperwork accounted for almost 14% of data security incidents in 2017 and data being posted or faxed to the incorrect recipient accounted for a further 13% of incidents (Data security incident trends by sector and type 2017/18). It’s important to remember that these are data breaches, just as incidents caused by cyber attacks are, and under the GDPR you’d be just as liable. Breaches of the ‘integrity and confidentiality’ principle, which mandates the use of appropriate security, incur fines at the upper end of the scale.
Cyber security measures, while extremely important, are only part of your compliance obligations: to secure hard copies appropriately, you need to extend your strategy to cover all forms of information – after all, even the best antivirus software can’t prevent you from leaving a folder full of case notes in your car.
Information security: the holistic approach
Information security isn’t just a job for the IT department: it’s the responsibility of every single member of the firm, from partners to trainees, from administrative staff to cleaners. Everyone who comes into contact with information in any form must follow an agreed approach to ensuring its security. This is where a best-practice approach that covers people, processes and technology comes in, such as ISO/IEC 27001:2013 (aka ISO 27001).
ISO 27001 is the international standard for an information security management system (ISMS), against which you can achieve independently audited certification to demonstrate your commitment to securing your clients’ information – and demonstrate your compliance with the GDPR.
Many leading professional services firms, including law firms Clifford Chance, Allen & Overy and Linklaters, have already achieved certification to the Standard, but it is not just an approach for larger firms. ISO 27001 sets out an approach based on regular risk assessment, which can – and, indeed, should – be tailored to each organisation’s requirements, and is as suitable for smaller organisations as it is for large ones.
The GDPR mandates that data controllers implement “appropriate technical and organisational measures”; Annex A of the Standard lists 114 such measures – known as ‘controls’ – that you can use in order to address the risks you have identified. (You can also use other controls as part of your ISMS, but these must be checked against Annex A.)
Many of these controls are best-practice methods of securing hard copy data, which firms looking to avoid ruinous GDPR fines would be well advised to implement whether or not they seek to achieve certification to the Standard.
- A.8.3.2 Disposal of media – Media shall be disposed of securely when no longer required, using formal procedures. (This will help you fulfil the GDPR’s principles of purpose limitation and storage limitation.)
- A.8.3.3 Physical media transfer – Media containing information shall be protected against unauthorised access, misuse or corruption during transportation. (This will help you fulfil the GDPR’s principles of accuracy, and integrity and confidentiality.)
- A.11.2.6 Security of equipment and assets off-premises – Security shall be applied to off-site assets taking into account the different risks of working outside the organisation’s premises. (This will help you comply with the GDPR’s principles of storage limitation, and integrity and confidentiality.)
- A.11.2.9 Clear desk and clear screen policy – A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. (This will help you comply with the GDPR’s principles of accuracy, and integrity and confidentiality.)
There are, of course, many other controls that have a bearing on hard copy information, including controls on information classification, access control, physical and environmental security, and the transfer of information.
IT Governance is at the forefront of helping organisations globally to address the challenges of GDPR compliance. Our GDPR experts can help your firm with a variety of best-practice solutions, from evaluating your GDPR compliance position and developing a remediation roadmap, through to implementing a best-fit privacy compliance framework.
We offer comprehensive solutions, services and expertise to help you meet your GDPR compliance objectives, including training courses, books, compliance toolkits and software, staff awareness training and consultancy services.
Contact our experts here or call us on +44 (0)333 800 7000 to discuss your firm’s GDPR requirements.
More information on our GDPR solutions can also be found on our website.