Industry case study from Pulsant: Comply in the sky
This article was originally featured as an industry interview in the March 2018 issue of LPM. To read the issue in full, download LPM.
The headlines stamping the first quarter of 2018 reveal a world that’s both volatile and vulnerable – particularly within the digital sphere. In January, for example, the head of the UK’s National Cyber Security Centre warned that a major cyberattack on the UK is imminent – and that it’s not a matter of if it will happen, but when. That story doesn’t bode well for firms facing a regulatory landscape that will become much harsher after the implementation of the General Data Protection Regulation (GDPR).
James Letley, CEO at cloud-computing consultancy LayerV, which was acquired by Pulsant in August 2017, says that with just under three months to go, every law firm must consider its risk exposure and how that might impact compliance with the EU’s new data rules.
“Look at some of the legal industry specific breaches that have occurred over the past year, such as the DLA Piper ransomware attack or the leak of the Paradise Papers, and look at the leaks from some of the banks to the tax authorities. Data breach is a big risk for firms – it will be even more so after GDPR fines come into place – and it should be on the minds of everybody who has access to data at an administrative level.”
But Letley says that while managing GDPR compliance and mitigating risk might seem a bit like navigating increasingly stormy seas, law firms should be fine so long as they have the right equipment and know-how in place.
“Cloud computing, for example, can help legal businesses manage compliance because providers have to follow security standards and audits that a practice might not have the time or resources to meet. And if firms combine the benefits of technology with new and improved processes, they’ll likely never have to face the wrath of the ICO.”
Know your data
Given that the GDPR represents the greatest shift in data protection rules in 20 years, it likely features highly on firms’ risk and compliance lists this year – if they haven’t already started to tackle it.
Letley says that when firms come to implementing compliance, they should remember that they can’t begin to mitigate risk until they know what data they have, where it is stored and how it is used.
“Practices need to undergo a full data audit. Only once they’ve mapped their data can they determine where the risk lies and what they need to do to lock that down.
“We’ve done this for several law firms, and helped tackle the risk by identifying weak points and processes that need to change within the organisation.”
Letley adds that, in his experience, the biggest challenge in getting ready for the EU’s new legislation is getting staff to embrace the change and help mitigate risk wherever possible.
“Change management is a tricky process no matter the undertaking – it can be very hard to get people, and perhaps especially lawyers, to change the way they’ve been doing things for years. But it’s something we’ve had a lot of experience with, and while getting acceptance is challenging, it’s also essential for firms that want to stay compliant.”
But while GDPR risk management starts with the firm, says Letley, it doesn’t have to stop there, since practices can mitigate much of their data risk by moving their systems to a managed cloud-based infrastructure.
“Managing risk comes down to audits and checks to a large extent. Those checks can be automated within the public cloud using rules that check best practice for security and compliance.
“For example, one rule might check compliance next to ISO 17001 standards, and if it ever comes up with a scenario where the firm isn’t compliant, it can flag that up in a dashboard and send the warning through to engineers to investigate and resolve.”
He adds that another example of one of these automated rules is one that checks and flags whether any of a firm’s data is being stored in servers outside the EU.
“As you’re probably aware, the GDPR states that data must be held in countries with the same standard of data protection legislation as the EU – so if data is stored on US servers, for example, that’s a breach. A rule on the public cloud could check for that and flag it up to a compliance or data protection officer.”
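The data-residency rule Letley describes is, in practice, a policy evaluated over a cloud asset inventory: every resource that holds personal data is looked up by region, the region is mapped to a country, and anything outside the allowed set is raised as a finding and routed to the right person. The following is an added illustration, not Pulsant’s or LayerV’s own tooling. It runs over a small constructed inventory rather than a live provider API (in production the inventory would come from something like AWS Config or a cloud asset export); the region names, the `REGION_COUNTRY` mapping and the allowed-country set are assumptions, and the allow list is a policy decision the firm’s data protection officer has to own.

```python
"""Data-residency compliance rule over a cloud asset inventory (added example)."""
from dataclasses import dataclass
from collections import defaultdict

# Assumed mapping of provider-style region identifiers to ISO 3166 country codes.
# A real deployment would derive this from the provider's published region list.
REGION_COUNTRY = {
    "eu-west-1": "IE", "eu-west-2": "GB", "eu-central-1": "DE",
    "europe-west1": "BE", "europe-west2": "GB",
    "us-east-1": "US", "us-west-2": "US", "ap-southeast-1": "SG",
}

# Allowed countries for personal data. This is policy, not code: at the time of the
# article (March 2018) the UK was an EU member, so GB is included here. Adjust to
# whatever your DPO signs off on.
EU_COUNTRIES = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE",
                "GR", "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT",
                "RO", "SK", "SI", "ES", "SE", "GB"}


@dataclass(frozen=True)
class Resource:
    rid: str                    # resource identifier (constructed)
    kind: str                   # e.g. "bucket", "database", "disk"
    region: str                 # provider region identifier
    contains_personal_data: bool  # from the firm's data audit / tagging


@dataclass(frozen=True)
class Finding:
    rule: str
    resource_id: str
    severity: str               # "high" | "medium"
    message: str


def residency_rule(resources, allowed_countries=EU_COUNTRIES):
    """Flag personal-data resources stored outside the allowed countries.

    An unmapped region is itself a finding: if we cannot say where the data is,
    we cannot assert compliance, so it is raised at medium severity rather than
    silently passed.
    """
    findings = []
    for r in resources:
        if not r.contains_personal_data:
            continue  # residency rule only applies to personal data
        country = REGION_COUNTRY.get(r.region)
        if country is None:
            findings.append(Finding(
                "data-residency", r.rid, "medium",
                f"{r.kind} in unknown region {r.region!r}; residency cannot be verified"))
        elif country not in allowed_countries:
            findings.append(Finding(
                "data-residency", r.rid, "high",
                f"{r.kind} holds personal data in {r.region} ({country}), outside allowed countries"))
    return findings


def route_findings(findings):
    """Group findings by the role that should act on them (assumed routing policy).

    High severity goes to the data protection officer as well as engineering;
    medium severity goes to engineering to fix the inventory/tagging gap.
    """
    routed = defaultdict(list)
    for f in findings:
        routed["engineering"].append(f)
        if f.severity == "high":
            routed["dpo"].append(f)
    return dict(routed)


# Constructed sample inventory: this is made-up data for the example only.
INVENTORY = [
    Resource("bucket-client-files", "bucket", "eu-west-2", True),
    Resource("db-matter-management", "database", "eu-central-1", True),
    Resource("bucket-backups-us", "bucket", "us-east-1", True),      # should be flagged
    Resource("disk-build-agent", "disk", "us-west-2", False),          # no personal data
    Resource("db-legacy-archive", "database", "ca-central-1", True),   # region not in map
]

if __name__ == "__main__":
    for role, items in route_findings(residency_rule(INVENTORY)).items():
        print(f"== {role} ==")
        for f in items:
            print(f"[{f.severity}] {f.resource_id}: {f.message}")
```

Running the rule on a schedule (or on every inventory change) rather than once before the deadline is what turns this from a point-in-time audit into the continuous check the interview describes.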
These are just two of hundreds of automated risk management rules that help maintain continuous GDPR compliance and risk management – and Letley says that having these in place delivers numerous advantages to law firms.
“Probably the greatest benefit firms can reap from having systems on the cloud and running these checks is they can maintain compliance even when no one is in the office. All these checks are carried out 24/7 and monitored by a full-time security team. Compliance reports are generated regularly and flagged to the right people.”
He adds that this capability delivers considerable efficiency and cost-saving benefits to firms that can be passed on to clients.
“While the GDPR is essentially a series of best practices and ultimately a good thing for clients, the time managers or fee earners might spend on it does detract from time that could be spent adding value to the client service. If firms use a managed IT infrastructure, however, they can stay fully compliant and free up their time to do what they’re best at – delivering high-quality legal services.”
While the implementation of the GDPR in three months might seem like a dreadful prospect for many firms, there’s still time to prepare. Those that audit their data, introduce the right processes and leverage the right technologies can comply in time – and save considerable time and money.