If you work as part of an in-house legal department for a professional organisation, then your remit for protection is likely to be vast. Depending on the size and sector of the business, the legal work required will range from employment and contract negotiations, to commercial and marketing work. With so much compliance required to secure and safeguard companies against legal action, it is unsurprising that some protective measures fall through the cracks.
Somewhat inevitably, it is mostly digital security that is ignored, or at least misunderstood. In many cases, we have come across in-house lawyers who view digital protection as the domain of the IT department, having little understanding of how the company operates online, or the potential liabilities this can cause. For an industry that is so regimented by compliance, we find this an incredibly odd, and dangerous, practice.
As the legal representatives, you must be analysing every facet of the business, and asking what processes are in place to protect its interests. One valuable company resource that is so often taken for granted is data. A broad term in many ways, data can include confidential information about the company and the ways it is managed, as well as intimate client details that could be exploited in the wrong hands.
A legislative change that is likely to bring digital security to the forefront is the imminent General Data Protection Regulation (GDPR), sent to us courtesy of the European Union. It is a more robust set of rules that will replace the Data Protection Act and provide much stricter punishment for a data leak or system breach. Adequate protection of data will become mandatory, enforced with a potential fine of 4% of your annual global turnover or €20 million, whichever is greater.
You can find out more about GDPR, and specifically its effect on the legal sector, in our aptly named blog post: What is GDPR? And How Will It Affect the Legal Sector?
Understanding that the risk is real, and that it is the responsibility of the legal department to ensure compliance, is the first step. The next is to start asking questions. What security do you currently have in place? Who has access to your internal documents? Is their clearance sufficient for the data they are accessing?
One of the biggest concerns for businesses over the past 12 months has been the rise of the insider threat. Put simply, this is internal sabotage by members of your own team, whether through malicious intent or through ignorance. One thing you therefore need to consider is who controls your IT.
Presumably you will have a system administrator who can view all email correspondence and who manages the storage of all documents. This is of course an HR concern, as they will be able to view employee contracts, for example, something that is legally suspect. If there are no robust protocols in place that prevent your staff from accessing this same information, then you are really looking at a problem.
Thankfully, these sorts of protocols are simple to implement. By categorising members of your team in terms of their clearance to access certain documents and files, you can control how data is shared, and therefore protect more successfully against data leaks.
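To make the clearance idea concrete, here is an added illustration (not code from the original post or from any product it refers to) of how such a protocol can be expressed: each document carries a classification level and a need-to-know compartment, each user carries a clearance and the compartments they are entitled to, and a read is only allowed when both match. Every decision is recorded so that denied attempts, the kind of signal an insider-threat review looks for, can be examined later. The users, roles and document names are constructed examples; the sysadmin case mirrors the scenario above, where a high-privilege administrator should still be unable to read HR contracts.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Clearance(IntEnum):
    """Ordered sensitivity levels; a higher value may read everything at or below it."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Document:
    name: str
    classification: Clearance
    # Need-to-know compartments: a reader must hold ALL of them.
    compartments: frozenset = frozenset()


@dataclass(frozen=True)
class User:
    name: str
    clearance: Clearance
    compartments: frozenset = frozenset()


@dataclass
class AccessControl:
    """Decides read access and records every decision for later review."""
    audit: list = field(default_factory=list)

    def can_read(self, user: User, doc: Document) -> bool:
        level_ok = user.clearance >= doc.classification          # no reading above your level
        need_to_know_ok = doc.compartments <= user.compartments  # all compartments held
        allowed = level_ok and need_to_know_ok
        self.audit.append((user.name, doc.name, allowed))
        return allowed

    def denied(self) -> list:
        """Denied attempts are the entries worth reviewing for insider-threat signals."""
        return [(u, d) for u, d, ok in self.audit if not ok]


# Constructed sample data: hypothetical documents and staff roles.
EMPLOYEE_CONTRACT = Document("employee-contract.pdf", Clearance.CONFIDENTIAL, frozenset({"HR"}))
CLIENT_FILE = Document("client-matter-42.docx", Clearance.CONFIDENTIAL, frozenset({"LEGAL"}))
STAFF_HANDBOOK = Document("staff-handbook.pdf", Clearance.INTERNAL)

SYSADMIN = User("sysadmin", Clearance.RESTRICTED)   # high level, but no HR or LEGAL need-to-know
HR_OFFICER = User("hr-officer", Clearance.CONFIDENTIAL, frozenset({"HR"}))
PARALEGAL = User("paralegal", Clearance.INTERNAL, frozenset({"LEGAL"}))


def run_demo() -> dict:
    """Run the sample access requests and return the decisions plus the denied list."""
    ac = AccessControl()
    decisions = {
        "sysadmin reads contract": ac.can_read(SYSADMIN, EMPLOYEE_CONTRACT),   # denied: no HR compartment
        "hr reads contract": ac.can_read(HR_OFFICER, EMPLOYEE_CONTRACT),       # allowed
        "hr reads client file": ac.can_read(HR_OFFICER, CLIENT_FILE),          # denied: no LEGAL compartment
        "paralegal reads client file": ac.can_read(PARALEGAL, CLIENT_FILE),    # denied: INTERNAL < CONFIDENTIAL
        "paralegal reads handbook": ac.can_read(PARALEGAL, STAFF_HANDBOOK),    # allowed
    }
    return {"decisions": decisions, "denied": ac.denied()}


if __name__ == "__main__":
    for request, ok in run_demo()["decisions"].items():
        print(f"{request}: {'allowed' if ok else 'DENIED'}")
```

The point of splitting level from compartment is that seniority alone never grants access: the administrator outranks everyone on level yet is still refused the HR contract, which is exactly the separation the paragraph above asks for. The audit list is what turns the rule into something a legal department can evidence during a GDPR review.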
This should be the bare minimum that is expected in terms of digital security for an organisation that shares or stores data. There is a wealth of software and protocols that can be implemented to further guard against potential breaches, and consequently against fines when it comes to GDPR. If you would like any more information about what your organisation can do to comply, or guidance as to what you should be considering as an in-house legal department, then please don’t hesitate to get in touch.