Your IT risk assessments will be wrong from May 2018

14 July 2017

Posted by Nigel Wright, managing director of Legal Futures Associate ConvergeTS

Law firm managers are well versed in carrying out risk assessments to justify and make decisions around IT spend. However, from May next year, risk assessments become more complex when the General Data Protection Regulation (GDPR) comes into force.

Article 32 of the GDPR states: “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”

Previously, risk assessments focused on risk to the business, for example the financial and reputational impact of a potential security breach. Now, firms must assess risk to the rights and freedoms of their data subjects.

This includes respect for private and family life, freedom of expression and information, freedom to conduct a business and the right to a fair trial. This crucial change means that your risk assessments are now likely to be incorrect and will need to be re-examined.

Article 32 also specifically references the “availability and resilience of processing systems and services” and “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”.

Here is a key difference between the Data Protection Act and the GDPR. Not only is it important to protect personal data from unauthorised processing, loss or destruction, but you must also now consider the impact of lack of availability on the subject’s rights and freedoms.

This must be considered in relation to the nature and sensitivity of the data held, which means that this change in legislation is particularly significant for law firms.

For example, when DLA Piper was the victim of an attack which took systems down for days, the firm was quick to release a statement to reassure clients that no data had been taken.

But the concern for such firms is that, under the GDPR, there does not need to be a breach of data confidentiality for this to be a legal issue. Timely access to files is vital for law firms and the lack of availability of systems in this scenario is likely to impact on the rights and freedoms of those the firm is representing.

Law firms must ensure that their risks are properly assessed against the new criteria to ensure they are compliant under the GDPR.

More from ConvergeTS’s blog series on GDPR:

GDPR and the rise of ‘datanapping’ – the new threat hitting the pockets of law firms

The five biggest IT threats to your firm’s GDPR compliance
