Posted by Nigel Wright, managing director of Legal Futures Associate ConvergeTS
Law firm managers are well versed in carrying out risk assessments to justify and make decisions around IT spend. However, from May next year, risk assessments become more complex when the General Data Protection Regulation (GDPR) comes into force.
Article 32 of the GDPR states: “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
Previously, risk assessments focused on risk to the business, for example the financial and reputational impact of a potential security breach. Now, firms must assess risk to the rights and freedoms of their data subjects.
This includes respect for private and family life, freedom of expression and information, freedom to conduct a business and the right to a fair trial. This crucial change means that your risk assessments are now likely to be incorrect and will need to be re-examined.
Article 32 also specifically references the “availability and resilience of processing systems and services” and “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”.
Here is a key difference between the Data Protection Act and the GDPR. Not only is it important to protect personal data from unauthorised processing, loss or destruction, but you must also now consider the impact of lack of availability on the subject’s rights and freedoms.
This must be considered in relation to the nature and sensitivity of the data held, which means that, this change in legislation is particularly significant for law firms.
For example, when DLA Piper was the victim of an attack which took systems down for days, the firm was quick to release a statement to reassure clients that no data had been taken.
But the concern for such firms is that, under the GDPR, there does not need to be a breach of data confidentiality for this to be a legal issue. Timely access to files is vital for law firms and the lack of availability of systems in this scenario is likely to impact on the rights and freedoms of those the firm is representing.
Law firms must ensure that their risks are properly assessed against the new criteria to ensure they are compliant under the GDPR.
More from ConvergeTS’s blog series on GDPR: