The data protection noose is tightening further
It is a well-known fact that building a good reputation takes years of hard work, yet it can easily be lost with one oversight or poor decision. Don’t let your law firm’s data governance be your Achilles heel, says Gemma Taylor, key account manager at LexisNexis Enterprise Solutions
With recent, and very public data breaches happening in and around the legal sector, it is worth noting that the UK’s data protection authority, The Information Commissioner’s Office (ICO), has the power to “name and shame” organisations against whom complaints have been made. Moreover, where historically the names of only those organisations were revealed who were sanctioned with fines, companies that are simply under investigation for data breaches and non-compliance, are now also publicly identified. Many feel that the authority is tightening the noose to ensure that organisations actively up their compliance efforts.
Likewise, a new set of proposals – the Data Protection and Digital Information (DPDI) Bill — to reform the UK GDPR regulations is expected to be passed as legislation in the spring of 2024. The bill, among other things, brings the Privacy and Electronic Communications Regulations (PECR) in line with the UK General Data Protection Regulation (GDPR) and Data Protection Act , whereby the ICO can issue fines up to 4% and 2% of a firm’s global turnover, depending upon the regulation breached under PECR. The proposed DPDI Act would take the UK even closer to the EU’s GDPR.
At the European level, a recent European Court of Justice (ECJ) ruling allows regulators to issue GDPR fines even if they cannot determine how a person’s actions caused a data breach. Additionally, companies could face action even if persons or organisations representing them violated data protection rules.
The message is clear — firms must take every possible precaution to ensure data protection and compliance are high on the priority list.
To delete or not to delete?
For law firms, owing to the confidential nature of the work undertaken, there is no doubt that data protection compliance is often challenging and onerous. Data held by legal practices contains all manner of sensitive information and is ordinarily spread across various data repositories. Thereafter, legal requirements for storing and deleting data, of course, vary, case by case, matter by matter. For example, the data retention requirements of a debt claim can be distinguished from a personal injury claim brought on behalf of a minor. Similarly, there may be differing legal requirements to store original documents such as wills and deeds for long periods.
Helpful resources
Nevertheless, there are resources out there. The ICO provides helpful information about storage limitations, as well as a self-assessment toolkit to aid with information handling and data protection compliance. What’s more, the Solicitors Regulation Authority has recently published its own records retention schedule designed to guide solicitors on how long to keep records, and what to do with them once they reach the end of their life. All of these can be used as a foundation to help you plan and manage your firm’s data handling and compliance, yet with no blanket, industry-wide ‘set guideline’ for data storage, it’s no wonder lawyers find data compliance a complex and thankless task.
Technology to the rescue
Aside from the risk of non-compliance, data security and business continuity, all equally pertinent risks, hackers actively target law firms for the sensitive data they hold.
Therefore, on the basis that firms must securely retain records for defined periods of time and of course continuing to meet information and subject access requests, whilst adhering to the principles of purpose limitation, data minimisation, and storage limitation, surely carefully automating the deletion of data past their legal retention requirement makes astute business sense. Not only does automating deletion ensure compliance, but it also reduces the lawyers’ burden of timely data management and helps to reduce the material storage cost of data too.
Lexis Visualfiles bulk deletion and file lifecycle management tool
But where should firms start? If you are a Lexis Visualfiles user, there’s a solution! The first step towards embedding compliance is rationalising all of the existing data residing in the case management system from a GDPR standpoint. Based on defined criteria set by your organisation, the bulk deletion capability offered by Visualfiles can identify all associated records ready to be deleted en masse, ensuring that data is retained or deleted in accordance with client, matter, and compliance needs.
Furthermore, to routinely maintain the upkeep of your data compliance, file lifecycle management functionality is incorporated into the tool, enabling you to set parameters and time frames (monthly, bi-monthly, quarterly), so that when the firm’s retention policy end date is reached, the tool will automatically alert and ask the designated individuals for permission to delete files.
Moving to the cloud?
If your firm is adopting a cloud-first strategy and looking to move your Visualfiles instance to a cloud environment, devising a data retention and deletion policy will ensure that only legally required and compliant data are migrated to the cloud, potentially saving the organisation an astronomical amount in cloud storage costs.
At LexisNexis, we fully support firms who need to rationalise data for GDPR compliance – from holding workshops to help define and configure the data retention and deletion policy, to implementation, testing, and ongoing enhancements.
