
Why Your Firm Will Need to Re-assess its IT Risks


From 25 May 2018, it is likely that your law firm's risk assessments will be wrong. That is the date on which the GDPR comes into force, and it changes the criteria against which organisations are expected to assess risk.

Article 32(1) of the GDPR states:

"Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk".

IT managers are well versed in carrying out risk assessments to justify and make decisions around IT spend. However, this change to the legislation alters what the assessment must measure, increases the complexity of carrying out this type of review and means that your existing IT risk register will almost certainly need to be re-examined.

Previously, risk assessments focused on risk to the business, for example the financial and reputational impact of a potential security breach. Now, firms must also assess the risk to the rights and freedoms of their data subjects: for example, respect for private and family life, freedom of expression and information, freedom to conduct a business and the right to a fair trial. A control that is adequate from the firm's own perspective may still be inadequate once the impact on the individuals whose data is processed is taken into account.

Article 32(1)(b) and (c) also specifically reference "the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services" and "the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident".

This means that, under the GDPR, far more importance is placed on availability, a key difference compared to the Data Protection Act, which framed security in terms of protecting data against unauthorised processing, loss, destruction or damage. It remains imperative to protect personal data from unauthorised processing, loss or destruction, but you must now also consider the impact that a loss of availability would have on the data subject's rights and freedoms. That impact has to be judged in relation to the nature and sensitivity of the data held, and law firms routinely hold highly sensitive personal data on which time-critical matters depend, which is why this change is particularly significant for them.

For example, when DLA Piper was the victim of the June 2017 NotPetya attack, which took its systems down for days, the firm was quick to release a statement reassuring clients that no data had been taken. Under the GDPR, however, there does not need to be a breach of confidentiality for an incident to be a legal issue: Article 4(12) defines a personal data breach to include the accidental destruction or loss of personal data, not only its unauthorised disclosure, and the security obligation in Article 32 expressly covers availability and timely restoration. Timely access to files is vital for law firms, and a prolonged loss of systems in this type of scenario is likely to affect the rights and freedoms of those the firm is representing, for instance a client whose court deadline or completion date cannot be met.

To ensure compliance under the GDPR, law firms must take steps to ensure that their risks are properly assessed against these new criteria: not only the financial and reputational exposure of the firm, but the likelihood and severity of harm to data subjects, including harm caused by systems being unavailable or data being unrecoverable.

About the Author:

Managing Director and Founder of Converge Technology Specialists, Nigel has 18 years' experience delivering technology services to the legal profession. Over the last 11 years, Nigel has built Converge into one of the leading hosting companies in the UK and the only provider dedicated to UK law firms. Clients range from top 100 to established regional firms. As an ISO 27001 certified provider utilising UK data centres, Converge has unrivalled experience of hosting sector-specific applications and networks for a growing law firm client base across the UK and Ireland.

Well-known and respected within the sector, Nigel is often invited to speak at events and to advise industry bodies on the issues and opportunities facing law firms today.
