Risk Management in Law Firms: Cyber Essentials and GDPR

Following on from my last blog, “Preparing your law firm for GDPR: Just what is an “appropriate” level of IT security?” and with less than a month until GDPR comes into force, many of our contacts at law firms have been asking me whether it is a requirement under GDPR for them to attain the government’s Cyber Essentials certification.

For those who are not aware, Cyber Essentials is a government-backed, industry supported scheme to help organisations protect themselves against common cyber-attacks.  Whilst by no means protecting against every possible threat, the cyber essentials scheme does provide a framework for good practice around cyber security, covering five technical controls:

• Secure Configuration – setting up systems securely
• Boundary Firewalls – preventing unauthorised external access
• Access Control Management – restricting authorised access to the level needed
• Patch Management – keeping systems up to date with security fixes
• Malware Protection – protecting against threats like ransomware

The Information Commissioners Office has published guidance on the “security principle” of the GDPR, which states that firms should process personal data securely by means of ‘appropriate technical and organisational measures’. These measures must ensure the ‘confidentiality, integrity and availability’ of your systems and services and the personal data you process within them. However the GDPR does not give specific advice on what these measures should be, since for one thing the cyber security landscape is constantly changing, and additionally the chosen measures must be appropriate both to your firm’s circumstances and the level of risk your data processing poses.

As such, there is not a legal obligation under GDPR to attain Cyber Essentials certification, however many law firms we work with are choosing to implement Cyber Essentials for a number of reasons:-

• To demonstrate to the ICO that they have in place basic security controls as per the established framework that Cyber Essentials lays down.  Indeed, the ICO have suggested in their checklist guidance document on the GDPR security principle, a copy of which can be found here, that putting in place security controls in line with Cyber Essentials or a similar framework would be a good starting point.
• To demonstrate to clients and prospective clients that they have taken the necessary precautions to minimise cyber security risks.
• To demonstrate SRA compliance around principle 8 and outcome 4.1.
• To reduce risk and therefore benefit from reduced insurance premiums.
• To be able to bid for government contracts that involve the handling of certain sensitive and personal information.

The ICO’s guidance notes also clearly state that technical measures over and above Cyber Essentials may be required depending on the individual organisation’s circumstances and the type of personal data that they process. Given that law firms are at particular risk with the wealth of confidential material they are dealing with, ranging from personal data, to large financial transactions through to the personal affairs of high profile clients, I would advise law firms that they should also be considering a range of technologies, processes and procedures over and above the baseline that Cyber Essentials certification establishes.

I hope this has given you a useful insight into the correlation between cyber essentials certification and the GDPR security principle. Should you need help with assessing your current level of security in readiness for GDPR, or you would like a ready-made Cyber Essentials compliant security solution, please do not hesitate to contact me on (01494) 444065 or email dwills@epoq-it.co.uk when I will be happy to arrange a no obligation conference call to discuss ways that Epoq IT can help.

This blog forms part of our series of informational resources for senior partners, practice managers and compliance officers at law firms. To read more articles, please visit my blog, IT in Law Firms.

For more information about our GDPR services please visit http://epoq-it.co.uk/gdpr/

For more information about Epoq IT’s MySecurity service, a suite of technologies and procedures able to fulfil all the 5 key controls needed for Cyber Essentials Certification, please go to http://epoq-it.co.uk/service-and-support/mysecurity/