In my previous blog, I talked about the need to understand where your law firm’s confidential data is actually being held. Once you have this understanding, the next step is to understand how you secure it. This broadly falls into two categories – access control (effective security for authorised users) and cyber security (protection against unauthorised access).
Today I am going to talk about the former, as having good access control systems lies at the heart of successfully protecting your law firm’s data, and forms an important part of preparing your firm’s information systems for GDPR compliance.
GDPR places accountability on law firms to have in place policies, procedures and documentation that demonstrates the personal data they hold is stored securely. Bearing in mind that the law firms and solicitors practices deal with a wealth of details relating to individuals’ financial transactions, legal cases and family matters, and it becomes apparent this is likely to cover the vast majority of a law firm’s data.
Therefore, for each of your computer systems, it is important to understand, and have documented, who has access to that system and what level of access they have. Bear in mind that it is best practice to give each user the minimum access they require to the system to do their job. Allowing staff wider access to systems puts you at greater risk of a data security breach, data corruption or data loss through incidents such as accidental deletion, a ransomware attack or malicious insider threats. As well as having SOPs in place to handle the IT access control requirements of new starters, it is also important that there are procedures in place to cover what happens when somebody leaves the company or changes role.
Nowadays, it is also likely that authorised external organisations and third parties will have access to some of your IT systems or data – consider for example outsourced HR and/or payroll providers, outsourced marketing resources or outsourced IT support providers to name but a few. In this case this needs to be secured in just the same way, so you are clear who has access to what parts of the system, why this is needed and how it is controlled. There also need to be procedures in place to review, amend and remove access for third parties, as business relationships evolve and change.
Mobile and remote working present a whole additional set of challenges to IT security, with the potential for copies of data or emails to be residing on all kinds of devices, both company owned and employee or third-party owned, which do not necessarily conform to the firm’s security standards. Developing policies around mobile working and ensuring there is not leakage of data or unauthorised access to data form a critical part of compliance nowadays. Policies and technologies also need to be implemented to protect against data breaches from mobile devices that are lost or stolen.
Finally, bear in mind that it is not just your main company-wide IT systems that fall under the GDPR. Any indexed system that contains personal data is subject to the legislation, so do make sure you are also including in your access control procedures all those little databases or spreadsheets that have been developed by an individual or department and which contain personal data.
I hope this has given you a useful insight into some of the key areas to consider around access control when preparing your law firm for GDPR. Should you need help on assessing your readiness for GDPR or advice on technology solutions that will assist with GDPR compliance, such as Epoq IT’s MySecurity service, which provides expert security management of all your systems for an affordable monthly fee, please do not hesitate to contact me on (01494) 444065 or email firstname.lastname@example.org.