Data Privacy and Security Compliance Essentials: The Three Ps

Given the vast amount of confidential information handled by law firms every day, it is essential to remain compliant with ever-changing data privacy and security regulations.

It’s also essential to keep in mind what these regulations and data security measures are ultimately for: protecting individuals’ data. Framing the subject in human terms highlights its importance to people’s lives.

Here are the three Ps of best practices in data privacy and security: policies, procedures and people.

Policies

There is no one-size-fits-all policy approach. Companies should examine the specifics of their business and tailor their privacy and data security policies to their specific needs.

Privacy Policy

This must specify the personal data collected, the reasons for the collection and the intended use of the data.

You can also provide details of the data retention period and any third parties with whom the data may be shared.

Records retention policy

This describes how long data of all kinds (not just personal data) will be kept. The GDPR states that data should not be kept for longer than necessary.

Record of processing activities

Commonly known as an Article 30 registration, this document describes the types of data you hold and the purposes for retaining it, as well as the name and contact details of the data controller.

Workplace Policies

These should aim to help mitigate any risk associated with day-to-day activities that could result in data loss.

Examples include policies on “clear desk,” “remote work,” and “acceptable use of IT.”

Procedures

Data Breach Procedure

A data breach response procedure should define how and when the plan is activated, alongside the core team managing any response, as well as the key activities and when they should be undertaken.

Secure storage procedure

Security needs are determined by the types of data you store and the sensitivity of that data.

Aim for a level of security appropriate to the data risk, taking into account whether it is physical or electronic data.

Destruction procedure

Sensitive information remains vulnerable as long as the physical source remains intact.

We recommend physical destruction of the media so that the data is irretrievably destroyed.

The shredded paper can then be baled and recycled, while the metal from hard drives and similar media is reused in new products.

People

Reducing human error is key to maintaining compliance, with more than a third (38%) of all data breaches cited in the Shred-it survey resulting from employee errors.

Typical violations may involve misdirected emails, lost laptops, and improperly deleted documents.

Training

Law firms should provide specific compliance training to high-risk departments, as generic sessions may be insufficient.

Training must take place during onboarding and be supplemented by regular refresher courses.

*Shred-it, recorded data 2023