Access Legal: Law firms must review compliance gaps, as many firms choose hybrid long-term

Law firms have a duty to make sure compliance is watertight. There has been a lot of disruption and change in the past 18 months to the way firms work and we know time has always been a constraint for legal practitioners and those who look after compliance within a law firm.

But the SRA won’t accept a lack of time as an excuse for any firm found with gaps in their compliance – and with almost 85% of firms planning to continue hybrid working long-term, now is the time to make sure compliance is up-to-date.

At Access Legal we carried out research into law firms’ compliance practices and the impact of hybrid working on them. Our recent survey of law firms found gaps across a number of sensitive areas that firms have to stay on top of.

Our research revealed that 22% of firms neglected to review their health and safety assessments after teams moved to working from home in March 2020. When it comes to cyber security, the number increases: 43% of firms had failed to fully update their cybersecurity policies since switching to remote working. And despite the SRA recently focussing on compliance with money laundering legislation, 40% of firms had not reviewed or updated their AML Practice Wide Risk Assessments.

Nearly half, 49%, of firms said they had not carried out a Data Protection Impact Assessment (DPIA) once their firm had moved to remote working. And with law firms holding lots of sensitive data, in an age where cybercrime is on the rise, keeping it secure is more important than ever.

Compliance Concerns

The research uncovers many concerns that law firms will be looking to address in the coming months. Although some firms are on top of their compliance, those who aren’t now need to adjust policies in line with new ways of working.

As an employer, a firm has the same responsibilities for employees working at home as for those who work in the office. In response to our survey, I have outlined some key considerations firms need to take action on to bring compliance up-to-date.

Health & safety assessments

For health and safety, when someone is working from home, permanently or temporarily, an employer should consider the following:

  • How will they keep in touch with them?
  • What work activity will they be doing (and for how long)?
  • Can it be done safely?
  • Does the firm need to put control measures in place to protect them?

It is apparent from the survey data that nearly a quarter of firms have not been meeting their health and safety obligations.

For staff working at home on a long-term basis, the risks associated with using display screen equipment must be controlled; this includes having them carry out workstation assessments at home. Home working can also cause work-related stress and affect people’s mental health, as being away from managers and colleagues makes it harder to get proper support. Firms need to put procedures in place so they can keep in direct contact with home workers and recognise signs of stress as early as possible. Making sure health and safety assessments reflect the true nature of how a firm operates is a must.

AML practice wide risk assessments (PWRA)

As mentioned, money laundering is a big focus for the SRA. It was therefore very surprising to see that nearly 40 per cent of firms had not reviewed or updated their PWRA, especially as there is a requirement to record reviews even where no update is found to be necessary.

It is highly likely that the SRA would expect to see updates made to a firm’s PWRA as a consequence of Covid-19 and the government-initiated lockdowns, especially when considering the requirements for training, policy, control and procedure updates, supervision, and ongoing monitoring of employees. Other areas of the PWRA are likely to have required reviewing and updating as a consequence of changes made in response to Covid-19.

Data protection impact assessment (DPIA)

One of the biggest concerns found in our research is that nearly half (49%) of firms surveyed said they had not carried out a Data Protection Impact Assessment (DPIA) when moving to remote working.

A DPIA is a process designed to help firms systematically analyse, identify and minimise the data protection risks of a project or plan; moving to a complete or near-complete remote working operation is likely to fall within those criteria.

Ultimately, it’s up to each firm to decide whether processing is of a type likely to result in high risk, taking into account the nature, scope, context and purposes of the processing. If in any doubt, the ICO would always recommend that you do a DPIA to ensure compliance and encourage best practice.

The fact that nearly half of firms did not carry out a DPIA when moving to remote working means that client data could be at high risk from cybercrime and data loss. This risk is greater still if the data is being accessed and stored on an employee’s personal IT equipment, which may not have appropriate security software installed and may be accessible to other members of the household.

Firms should ensure that when they move to their post-lockdown working arrangements, they carry out a DPIA so they can identify potential risks to data and mitigate these where possible. Firms that fail to assess and mitigate data risks could face action from both the SRA and the Information Commissioner’s Office, and professional indemnity insurers are likely to take an interest should data be lost and negligence claims made as a consequence.

Time to take action

Although most firms appear to be doing the right things, there are quite a few that are placing themselves, their staff and their clients at significant risk. We urge these firms to take urgent action to ensure they seek help to address the gaps highlighted.

As well as the compliance issues, there were also evident disparities in competency and supervision arrangements, policies and procedures, and Business Continuity Plans. With the vast majority of firms looking to make a permanent switch to hybrid working, now is the time to carefully review compliance procedures and ensure that your requirements as an employer are being met.
