Organisations processing data must have appropriate technical and organisational measures in relation to personal data held in paper files and stored digitally. The main difference is that data stored digitally can be held in larger quantities and, therefore, can present more risks if lost or misused. However, the loss of paper files still attracts fines from the Information Commissioner’s Office (ICO) on a regular basis and many solicitors still work with large amounts of paperwork.
The same obligation existed under the Data Protection Act 1998 but the GDPR has provided more detail about what is expected, particularly in relation to digital data, taking into account advances in technology and the risk of cyber-attacks.
Considerations in relation to security of processing
In order to minimise the risk of personal data being misused, access controls should be in place to restrict the access of individuals to personal data on a ‘need to know’ basis.
If you are introducing a new processing system, then you should consider carrying out a data protection impact assessment. These are not covered in this guide but the ICO website has guidance.
In relation to cyber security, the GDPR states that in deciding what security measures are appropriate, organisations should take into account the costs of implementation and the nature, scope, context and purposes of processing in relation to security. This means, in practice, that the level of security that an organisation is expected to take will depend on the technology and the resources available to the organisation. The organisation should evaluate the inherent risks in the processing and implement measure to mitigate those risks.
In addition, the GDPR also states that this assessment should take into account the likelihood and severity of any impact on the data subjects if personal data was lost or stolen etc, and that the security measures should be appropriate to the risk. The risks to be considered are those which could lead to physical, material or non-material damage and, in particular, this refers to discrimination, identify fraud or theft, financial loss, damage to reputation, loss of confidentiality where the information is protected by professional secrecy and any other significant economic or social disadvantage. Particular care must be taken over the data identified as special category.
Pseudonymisation and anonymisation
Pseudonymised data is data which has had the personally identifiable features removed but which can be combined with other data to re-identify the individual. This is a new term under the GDPR and pseudonymised data can reduce the risk of personal data being lost or unlawfully accessed if the additional information for attributing the data is kept separately.
Encryption
The ICO encourages making sure that any personal data being transferred digitally, whether by email or on a removable device, including laptops, is encrypted. This will reduce the likelihood of it being accessed if it is lost or stolen and may mean that there is no requirement to report the loss of such items.
Ensuring ongoing confidentiality, integrity, availability and resilience of processing systems
At the moment, the ICO recommends the following basic requirements in relation to cyber security and more information is available in the Law Society of Scotland’s guide to cyber security:
- Install a firewall and virus-checking software on your computers
- Ensure that your operating system is set up to receive automatic updates
- Protect your computer by downloading the latest patches or security updates, which should cover vulnerabilities
- Do not let staff share passwords
- Securely remove all personal information before disposing of old computers
- Consider installing an anti-spyware tool
The ability to restore the availability of data in a timely manner
All organisations are vulnerable to cyber-attacks. In particular, the use of ransomware attacks has increased, meaning any business that relies on technology can be a target. The most common example is where malicious software gets into your IT system and encrypts the server. This could be through an email or the use or unsafe removable devices. A ransom is then sought from the business before its data is returned.
The ICO’s advice is to have a robust data backup strategy in place to protect against disasters such as fire and flood but also malware, such as ransomware. Backups should not be stored in a way that makes them permanently visible to the rest of the network. If they are visible, they can be encrypted by malware or the files could be lost. At least one of your backups should be offsite.
Have a process for testing security measures regularly
Regular vulnerability scans and penetration tests should be carried out on your systems for known vulnerabilities and to make sure that any issues identified are addressed.
Staff training
- People are the weakest security link and staff should be trained in relation to data protection and security. Training should cover:
- What is expected of you in relation to data security
- Being wary of people who may try to trick you into giving out personal details
- Staff can be prosecuted if they deliberately give out personal details without permission
- The use of strong passwords
- Being wary of emails that appear to come from your bank and that ask for your account, credit card details or your password (a bank would never ask for this information in this way)
- Spam emails and not opening them, even to unsubscribe or ask for no more mailings
GDPR guide for law firms
Our guide looks at the regulation and the Data Protection Act from the perspective of a legal practice.
- Law firms as data controllers
- Create a record of data processing
- Client confidentiality, legal privilege and limited exemptions
- Data retention
- Sharing data with third parties
- Data protection officers
- Security
- Reporting personal data breaches
- Requests for client personal data
- Appendix 1 - Consent
- Appendix 2 - Example of a data protection policy
- Appendix 3 - Background to the GDPR changes
