Firms work to protect against breaches and attempt to keep up with a rapidly changing industry landscape; however, the ways they collect, store and destroy sensitive information are increasingly scrutinized. And inspection of data security practices intensified when the General Data Protection Regulation (GDPR) came into effect on May 25.
While many firms have taken steps to safeguard confidential information, many have not — which leaves their clients and employees at risk of identity theft and data breaches. GDPR, which affects organizations that collect or process data from residents of the European Union (EU), is forcing law firms to re-evaluate and restructure data security operations and procedures. To help all employees comply with new regulations, law firm leaders should consider the following recommendations.
CREATE AN INFORMATION SECURITY HANDBOOK
It’s helpful to create an all-encompassing security policy that can be used as a reference for all employees within the firm, especially when new legislation is in play. And with 25 percent of information breaches caused by employee error, it’s evident employees need a better understanding of information security best practices.
The handbook should be regularly updated to reflect new laws. As it relates to GDPR, the handbook should explain that any employee who obtains information from EU residents must keep a record of the category of data collected or received and document how long the data has been stored before being securely destroyed. Therefore, the guidelines should detail the safest information storage and disposal methods for both physical and digital data. Hard-copy documents that need to be stored should be kept in secure, locked filing cabinets. Documents that need to be discarded must be securely shredded first.
OFFER ONGOING TRAINING
As a first step, have accessible guidelines in place to create a culture committed to data security. When employees are facing regulation changes and policy alterations, it’s especially important that everyone has access to experts within the firm. Thus, offering in-person guidance and training gives employees the opportunity to ask questions that might not be answered in the security handbook and informs them about the resources that are available.
Under GDPR, affected organizations with more than 250 employees must appoint a data protection officer (DPO) who is equipped with knowledge of data protection laws and procedures. However, law firms of any size should appoint someone to lead information security and act as the main point of contact. This representative would be responsible for monitoring the firm’s day-to-day operations to ensure all is functioning in accordance with data security standards set forth by GDPR and other regulations. Further, affected businesses must introduce Privacy Impact Assessments (PIAs) — a critical component of GDPR that provide ongoing evaluations and identify where an individual’s data could be at risk throughout its processing. While an organization is in the early stages of adjusting to GDPR, it’s helpful to consult with third-party counsel or information security specialists to ensure that any existing data protection gaps are closed.
DON’T FORGET ABOUT PHYSICAL DATA
GDPR requires appropriate measures to protect personal data, including what appears on physical documents. Identifying areas of the office that could pose a threat to physical data security is the first step toward creating a secure environment that is less susceptible to breach or theft.
The most vulnerable physical information is often found in unassuming places, from printers to messy desks to old storage bins to employee trash cans — and these access points are typically scattered and left unattended throughout the office. GDPR regulations determine how long to store documents, making the retention and accumulation of outdated documents riskier. Law firms must keep track of what sensitive materials they are storing and how they’re stored through a document management process, which will help employees determine the appropriate lifespan.
Ultimately, widespread damage resulting from noncompliant behavior can make or break a business. Beyond the associated costs — organizations that do not maintain GDPR compliance can face fines up to 4 percent of their global turnover — businesses that do not adhere will inevitably compromise their reputation, current and prospective clients, employees and revenue. They may even face legal consequences. Developing an environment that prioritizes data security is key to mitigating risk and ensuring that employees are equipped with the knowledge to maintain compliance, especially amid times of change.