From May 2018, it’s likely that your law firm’s risk assessments will be wrong. This is because GDPR comes into force which changes the way in which organisations should view risk.
Article 32 of the GDPR states:
"Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk".
IT managers are well versed in carrying out risk assessments to justify and make decisions around IT spend. However, this crucial change to the legislation increases the complexity of carrying out this type of review and means that it’s likely your IT risks will need to be re-examined.
Previously, risk assessments focused on risk to the business, for example the financial and reputational impact of a potential security breach. Now, firms must assess risk to the rights and freedoms of their data subjects. For example, respect for private and family life, freedom of expression and information, freedom to conduct a business and the right to a fair trial.
Article 32 also specifically references the "availability and resilience of processing systems and services" and "the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident".
This means that, under the GDPR, more importance is placed on availability - a key difference compared to the Data Protection Act. Not only is it imperative to protect personal data from unauthorised processing, loss or destruction, you must now consider the impact of lack of availability on the subject’s rights and freedoms. And this must be considered in relation to the nature and sensitivity of the data held, which means that this change is particularly significant for law firms.
For example, when DLA Piper was the victim of an attack which took systems down for days, they were quick to release a statement to reassure clients that no data had been taken. However, under the GDPR, there doesn’t need to be a breach of data confidentiality for this to be a legal issue. Timely access to files is vital for law firms and the lack of availability of systems in this type of scenario is likely to impact on the rights and freedoms of those the firm is representing.
To ensure compliance under GDPR, law firms must take steps to ensure their risks are properly assessed against the new criteria.