Law firms and EU GDPR – four major headaches your practice may face

  • Posted by: Alexander Daniels
  • 31 January 2018


Law firms and EU GDPR is the hot topic of the moment. On the 25th of May 2018, the new regulations will come into force and that leaves little time to prepare.

Two earlier articles on this subject looked at what the regulations mean and how you can prepare in terms of policies and procedures. This article focuses on four potential practice management headaches that, if not handled correctly, could put you in breach of the regulations and incur fines:

Cyber-security,
Antiquated software,
Security protocols and
Disaster recovery planning.

Let’s take a look at each one in turn.


Cyber-security.

There has been much in the press recently about cyber-attacks and ransomware. The threat is not one to take lightly.
Criminals target law firms specifically because they regard them as a “soft touch”, and attacks on the legal profession have become more frequent as a result. The criminals are no longer content to demand payment for unlocking encrypted data; they also threaten to sell or publish the stolen data online. This is already happening.
GDPR will usher in increased fines for instances where client data is compromised. So, what can you do to keep your data safe? It all starts with staff training. Keep your employees up to date about ransomware and phishing attacks. Make sure they know how to identify suspicious emails and attachments, and how to report them rather than simply delete them.
Training goes hand in hand with strong technical measures. Your staff are only human, and humans eventually get caught out, so you need controls that still work when someone clicks. Install up-to-date email security and web filtering technology, keep it maintained, and back it with the patching, access control and backup measures described below. Your IT specialists can advise on the specific products.

Antiquated software.

Outdated software is probably the commonest way in for cyber criminals looking to gain access to your systems and files. The most extreme case is software so old that the supplier no longer supports it. Once updates and security patches are no longer being provided, every newly discovered flaw stays open for good, and it really is time to replace the software.
From a GDPR standpoint, the correct way to go about things is clear. Firstly, identify and replace all unsupported software. Secondly, update all supported software regularly, and keep a record of what is installed and when it was last patched, so you can demonstrate this if asked.
If you have a case and practice management system housed on your own in-house servers, make sure updates and patches are applied as soon as they become available. If you operate a cloud-based system, life is simpler because the supplier applies updates to the application for you; you remain responsible, however, for the PCs, browsers, user accounts and any other software used to reach it, and for satisfying yourself that the supplier actually patches promptly.

Security protocols.

Train crashes still happen, and usually because well-designed safety procedures have been allowed to lapse. The same is true of the security of your data. It is one thing to have the systems and policies in place; it is essential to make sure they are actually being followed.
A missed security patch or software update is often the key that opens the door to a cyber-attack. To prevent this, you can take several measures:

Appoint someone who has responsibility for ensuring the installation of updates.
Regularly test and audit your security protocols to ensure compliance.
Set clear file permissions for different users of your systems to restrict access to only those areas needed by individual users.
Have your systems tested by external IT specialists.
Require users to change their passwords whenever there is any reason to suspect compromise. Routine forced expiry is no longer recommended by the NCSC, because it pushes people towards weak, predictable variations of the same password.

And on the subject of passwords, use strong ones: long, unique to each system and never shared between staff, no matter how inconvenient many people find this. The disruption caused by a security breach and the fines under GDPR will be far costlier than this minor inconvenience.
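The file permissions point above is the one that is easiest to check mechanically. As an added example, not taken from the original article, the following Python script walks a shared matter folder on a Linux or Unix file server and reports anything readable or writable by every user on the system, which is the usual way “restrict access to only those areas needed” quietly fails over time. It also shows the corresponding tightening step. The folder layout, file names and permission modes are constructed sample data; on a Windows file server the equivalent check would be made against NTFS ACLs (for example with icacls) rather than mode bits.

```python
import os
import stat
import tempfile
from pathlib import Path

# Mode bits that grant access to "other", i.e. every account on the system.
WORLD_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH
# Set-user-ID / set-group-ID bits: executables run as another user.
SETID_BITS = stat.S_ISUID | stat.S_ISGID


def audit_permissions(root, group_write_ok=False):
    """Walk `root` and return (path, mode_string, problems) for every entry
    reachable by more users than least privilege would allow."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            try:
                st = p.lstat()
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue  # the mode of a symlink itself is not meaningful
            mode = stat.S_IMODE(st.st_mode)
            problems = []
            if mode & stat.S_IWOTH:
                problems.append("world-writable")
            elif mode & (stat.S_IROTH | stat.S_IXOTH):
                problems.append("world-readable")  # for a directory: traversable
            if mode & stat.S_IWGRP and not group_write_ok:
                problems.append("group-writable")
            if mode & SETID_BITS:
                problems.append("setuid/setgid")
            if problems:
                findings.append((str(p), stat.filemode(st.st_mode), problems))
    return findings


def tighten(path):
    """Remove all 'other' access and any setuid/setgid bits from `path`,
    leaving owner and group permissions as they were. Returns the new mode."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    new_mode = mode & ~(WORLD_BITS | SETID_BITS)
    if new_mode != mode:
        os.chmod(path, new_mode)
    return new_mode


def build_sample_tree(base):
    """Create a small constructed tree imitating a shared matter folder with
    mixed permissions. Sample data only; chmod is applied explicitly because
    mkdir() honours the process umask."""
    base = Path(base)
    matters = base / "matters"
    matters.mkdir(exist_ok=True)
    os.chmod(matters, 0o750)                            # owner + group only: fine
    (matters / "smith-v-jones.docx").write_bytes(b"sample")
    os.chmod(matters / "smith-v-jones.docx", 0o640)    # fine
    (matters / "bundle.pdf").write_bytes(b"sample")
    os.chmod(matters / "bundle.pdf", 0o644)            # readable by every account
    scratch = base / "scratch"
    scratch.mkdir(exist_ok=True)
    os.chmod(scratch, 0o777)                           # anyone can add or delete files
    (scratch / "notes.txt").write_bytes(b"sample")
    os.chmod(scratch / "notes.txt", 0o666)             # anyone can alter the contents
    return base


def demo():
    """Build the sample tree in a temporary directory, audit it, tighten every
    flagged entry and audit again. Returns (before, after) as
    {relative_path: problems} so the result can be inspected."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_sample_tree(tmp)
        before = {os.path.relpath(p, base): probs
                  for p, _, probs in audit_permissions(base)}
        for p, _, _ in audit_permissions(base):
            tighten(p)
        after = {os.path.relpath(p, base): probs
                 for p, _, probs in audit_permissions(base)}
        return before, after


if __name__ == "__main__":
    before, after = demo()
    for label, result in (("before", before), ("after", after)):
        print(label)
        for path, problems in sorted(result.items()):
            print(f"  {path}: {', '.join(problems)}")
```

Run against a real share, the “after” pass still reports group-writable entries, which is deliberate: whether a working group should be able to edit each other's files is a decision for the practice, not the script, so that is left for the person responsible for permissions to resolve rather than silently changed. Run it under the account that owns the share, or as root, so that every entry can be read and corrected.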

Disaster recovery planning.

Disaster recovery planning begins with backups. Take them at regular intervals, store the media somewhere fire-proof and preferably off-site, and make sure at least one copy is offline or otherwise unreachable from your network, because ransomware encrypts or deletes any backup it can reach. A backup you have never restored from is an assumption, not a plan, so test restoring files from it periodically.
Properly orchestrated disaster recovery lets you get back to where you were in the shortest time possible. Time is the key factor. Decide in advance how long you can afford to be without your systems and how much recent work you can afford to lose, and measure your arrangements against those figures. If your recovery and data restoration options mean your systems could be down for several days, perhaps it is time for a rethink. The continuity and well-being of your business are just as important as the security of your data.

Let your PMS lend a hand.

If downtime becomes a critical factor in your disaster recovery analysis, there is an alternative. Cloud-based practice management systems are updated and patched by the supplier as soon as fixes are released. Backups take place many times each day, usually with multiple copies, so you do not have to worry about lengthy data recovery times: you move to a secondary environment which is a copy of the original. Under GDPR you remain the controller of the data, so check that the supplier's contract actually commits to the backup frequency, retention period and recovery time you are relying on.

To get a fuller appreciation of the implications of EU GDPR, DLA Piper has produced a detailed report which you can view from the link below. In particular, Article 5 of the new regulations states that all personal data must be: “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. You can find out more about this and other aspects of GDPR from the Information Commissioner's Office (ICO) by following the links below.