Most people are familiar with working from home (WFH) and the advantages it brings. If you have decided to make the leap into joining a New Model Law Firm (NMLF) in 2025, you need to be clear about the compliance requirements around cybersecurity and data protection. In 2022, the ICO fined a law firm £98,000 for failing to secure sensitive court bundles that were the subject of a ransomware attack and later published on the dark web. That same year, the enforcement agency fined a construction firm £4.4 million because it did not protect its employees’ data from cyberattacks. This illustrates that the ICO takes data protection seriously, and you must ensure you comply with the UK GDPR and Data Protection Act 2018 regardless of how and where you run your practice.
What are the principles under the UK GDPR?
There are six UK GDPR principles listed under Article 5(1), which state that personal data must be processed:
1. lawfully, fairly, and in a transparent manner
2. for specified, explicit, and legitimate purposes only
3. in a manner that is adequate, relevant, and limited to what is necessary
4. accurately and where required, kept up to date
5. regarding storage, data should only be kept as long as necessary
6. in a way that protects it from unlawful or unauthorised processing, loss, damage, or destruction
Article 5(2) provides for the accountability requirement (some argue that this is the seventh principle). The accountability principle states that the Controller (this point also applies to Processors) is not only responsible for complying with the six principles, they also must be able to demonstrate compliance.
You need to be constantly alive to whether you are meeting the accountability principle by recording what you are doing to meet the other six. It comes down to asking yourself, if the ICO launched an investigation today, would you be able to present a detailed record of your data protection compliance?
What steps should I take to ensure cybersecurity and data compliance?
1. Map your data – the first step to cybersecurity and data protection is to understand where your firm’s personal data is stored, who has access, and how fast it can be retrieved in the case of a breach or Subject Access Request (SAR). If your law firm is under a NMLF umbrella with multiple staff working from home, it is crucial you can answer the following regarding a person’s data:
a. Who has access to the data;
b. Where the data is held and how it moves around the firm;
c. Why the data is being retained;
d. When the data was last updated;
e. What the legitimate reason is for keeping and processing the data;
f. How the data can be quickly retrieved.
2. Undertake a risk assessment – this involves identifying and analysing the risks involved in processing and holding personal data. You must examine the security measures you have in place and whether they are adequate, what third parties have access to the data (for example, an external payroll company), and what data falls under the scope of ‘sensitive’ data that requires extra protection. Make sure your risk assessment findings are documented.
3. Put in place risk management policies and procedures – once the risks have been identified, you must put in place risk elimination or risk mitigation strategies. For example, undertaking staff training on how to spot potential cyber attacks, configuring firewalls, and encrypting sensitive data.
4. Test and evaluate – it is best practice to regularly test and evaluate the cybersecurity and data protection measures you have put in place. Cybercriminals move incredibly fast, and you need to be constantly checking and refining your measures. You may want to appoint someone internally to stay up to date with the latest cybersecurity and data protection news and technical solutions, and have them present relevant information and run training sessions.
What does the SRA say about data protection and GDPR compliance?
Ensure you comply with the SRA’s Code of Conduct – as well as the UK GDPR and Data Protection Act 2018, you need to ensure you comply with certain provisions of the SRA’s Code of Conduct for Firms. The ICO has specifically noted the following paragraphs:
– 2.1a (the need for effective governance structures, arrangements, systems, and controls for compliance with regulation and law)
– 2.5 (identify, monitor, and manage all material risks to your business)
– 3.1 (keep up to date with and follow law and regulation)
– 5.2 (safeguard money and assets [including documents] entrusted to you by clients and others)
The failure to meet the above standards could be regarded as an aggravating factor if enforcement action is taken.
Wrapping up
Regardless of where your team is based, you must ensure they have the tools, knowledge, and regular training to ensure data protection compliance and cybersecurity.
If you are thinking of launching your own legal practice in 2025, please give us a call. We would love to hear about your commercial ambitions and tell you how we can support them, including safeguarding your clients’ and employees’ data.
Schedule a call on +44 (0)3300 24 24 20 or fill in our contact form.
We look forward to celebrating your success.