GDPR doesn’t have to get in the way of digital transformation for law firms

Chris Labrey is Managing Director of Econocom UK & IRL

If the year 2018 is to be defined by anything in the legal industry, it will undoubtedly be the impact of the General Data Protection Regulation (GDPR). Come May 25th 2018, it will be compulsory for all law firms in the UK to comply with the GDPR guidelines, which will involve taking stricter approaches to the way personal data is handled, managed and used by others.

The legal sector has always had an obligation to handle client data with care and consideration under the previous Data Protection Act 1998, but GDPR takes this to the next level, with an increased emphasis on ensuring transparency and accountability relating to data.

The Information Commissioner’s Office’s Guide to the General Data Protection Regulation (GDPR) separates those affected into two categories: data processors, and data controllers. For data processors, GDPR will introduce a number of steps that must be adhered to, for example, ‘you are required to maintain records of personal data and processing activities, [and] will have legal liability if you are responsible for a breach’. For data controllers, meanwhile, ‘you are not relieved of your obligations where a processor is involved — the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.’

While all this will undoubtedly affect firms across the board, it will have an additional impact on those looking to invest in major digital transformation. If firms want to adopt new mobile devices for their partners and employees, for example, these will mean extra work from a GDPR compliance perspective. Every device needs to be properly managed and monitored to ensure all data stored on it is handled in a compliant manner — this stays the same no matter whether you’ve purchased the devices outright or you’re renting them through a third-party digital services provider.

But no matter how much of an obstacle to progress GDPR might feel like to your company, it doesn’t have to get in the way of your digital transformation plans. In fact, by taking proactive preparations now before the May deadline, law firms can tie these new processes into their plans to ensure they continue to be at the cutting edge of their industry, all while remaining compliant.

Properly deleting all device data

One of the most important — and perhaps most overlooked — aspects of GDPR compliance is ensuring that any data is properly deleted once it is no longer needed, or once a client asks that their data be removed entirely from a business’s systems. Perhaps unsurprisingly, this requires something more comprehensive than a simple factory reset.

Ideally, when firms are looking to upgrade their digital assets, or simply delete all the data off an existing device for whatever reason, they should be using industry-standard wiping tools to do so. These will ensure that once data has been deleted, there is no possible way for individuals to restore or retrieve that data from any location.

In the run-up to the GDPR deadline, it might prove beneficial to work closely with a third-party provider to make sure data is properly deleted (naturally, this is something that businesses who purchase their assets from a third-party company using payment-over-time models will already benefit from). These providers will be able to deliver the reassurance and peace of mind that all companies are looking for, and will often be able to provide valuable evidence of this in the form of a certification.

The consequences of not handling and deleting data to the required standards can be damaging for any law firm, regardless of GDPR.
There have been many cases where companies have hastily wiped the data from their laptops and tablets in preparation for an upgrade, only for someone else to subsequently discover that there is still personal, confidential data stored within several of the devices. This risk can be mitigated entirely through working with trusted third-party providers.

Efficient management with Apple DEP

For large firms that have multiple offices scattered across countries or even continents, GDPR compliance is a more complicated issue than most. With so many digital assets scattered across these locations, it can be a logistical nightmare to check that each and every device is handling data correctly and operating in alignment with the compliance guidelines. Sending IT teams to each location and having them check the devices one by one can also prove to be extremely time-consuming.

This is where Apple’s Device Enrollment Programme (DEP) can prove its worth as an incredibly useful tool for achieving compliance quickly and efficiently. The DEP allows any organisation that uses Apple devices such as iPads, iPhones and Mac PCs to remotely monitor and manage each device without the need for IT teams to be involved. While the DEP itself is not GDPR compliant, it connects all the devices to a remote management system, which can then be used to secure and encrypt all the devices from a central location, rapidly speeding up the compliance journey.

The Apple DEP is a tool that is somewhat overlooked by many businesses, and yet it will only become more valuable as we get closer to the May deadline. It’s also something that certain third-party digital services providers can offer to their customers as standard and help them set up, which satisfies the GDPR’s requirement for organisations to take all possible technical and organisational measures to ensure the confidentiality and security of all personally identifiable data.

Conclusion

Successfully determining the steps required to achieve GDPR compliance in time for the May deadline can be a challenge for any company, but ultimately it all comes down to security and confidentiality. Personally identifiable data must be handled with care, and both data controllers and data processors must work to ensure they are operating within these new guidelines.

With so many devices and digital assets, ensuring compliance across the board can seem like an overwhelming task in the face of successful digital transformation. But by working with trusted third-party digital services providers to ensure data is properly stored, deleted and encrypted through the use of tools such as Apple’s DEP, law firms can enjoy the peace of mind that comes with knowing they have taken every possible step to achieve compliance.