Your IT risk assessments will be wrong from May 2018

14 July 2017

Posted by Nigel Wright, managing director of Legal Futures Associate ConvergeTS

Wright: key difference between the Data Protection Act and the GDPR

Law firm managers are well versed in carrying out risk assessments to justify and make decisions around IT spend. However, from May next year, risk assessments become more complex when the General Data Protection Regulation (GDPR) comes into force.

Article 32 of the GDPR states: “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”

Previously, risk assessments focused on risk to the business, for example the financial and reputational impact of a potential security breach. Now, firms must assess risk to the rights and freedoms of their data subjects.

This includes respect for private and family life, freedom of expression and information, freedom to conduct a business and the right to a fair trial. This crucial change means that your risk assessments are now likely to be incorrect and will need to be re-examined.

Article 32 also specifically references the “availability and resilience of processing systems and services” and “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”.

Here is a key difference between the Data Protection Act and the GDPR. Not only is it important to protect personal data from unauthorised processing, loss or destruction, but you must also now consider the impact of lack of availability on the subject’s rights and freedoms.

This must be considered in relation to the nature and sensitivity of the data held, which means that this change in legislation is particularly significant for law firms.

For example, when DLA Piper was the victim of an attack which took systems down for days, the firm was quick to release a statement to reassure clients that no data had been taken.

But the concern for such firms is that, under the GDPR, there does not need to be a breach of data confidentiality for this to be a legal issue. Timely access to files is vital for law firms and the lack of availability of systems in this scenario is likely to impact on the rights and freedoms of those the firm is representing.

Law firms must ensure that their risks are properly assessed against the new criteria to ensure they are compliant under the GDPR.

More from ConvergeTS’s blog series on GDPR:

GDPR and the rise of ‘datanapping’ – the new threat hitting the pockets of law firms

The five biggest IT threats to your firm’s GDPR compliance
