Data privacy and data security compliance essentials: the three Ps
Given the vast amount of confidential information managed by law firms every day, staying compliant with ever-changing data privacy and security regulations is vital.
It's also critical to remember how regulations align with data security – it's about protecting individuals' data. Humanising the topic will emphasise its importance to people’s lives.
Here are the three Ps for best practice in data privacy and data security: policies, procedures and people.
Policies
There’s no one-size-fits-all approach to policies. Companies must look at the specifics of their business and adapt their data privacy and security policies to their own needs.
Privacy policy
This should specify the personal data collected, the reasons for collection, and the intended use of the data.
You can also provide details on the data retention period and any third parties with whom the data might be shared.
Record retention policy
This outlines the duration that data will be kept (beyond just personal data). The GDPR states that data should not be retained for longer than necessary.
Record of processing activities
Commonly referred to as an Article 30 record, this document outlines the types of data you hold and the purposes for holding it, along with the name and contact details of the data controller.
Workplace policies
These should mitigate the risks attached to the activities where data loss may occur.
Examples include policies on a ‘clear desk’, ‘remote working’ and ‘IT acceptable use’.
Procedures
Data breach procedure
A data breach response procedure should set out how and when the plan is activated, who forms the core team managing the response, and the key activities and when each should be undertaken.
Secure storage procedure
Security needs are determined by the types of data you’re storing and the sensitivity of that data.
Aim for a level of security that’s appropriate to the risk attached to the data, with consideration given to whether it is physical or electronic data.
Destruction procedure
Sensitive information remains vulnerable for as long as the physical source stays intact.
We recommend secure destruction to ensure the data cannot be recovered.
Shredded paper can then be baled and recycled, while metal from hard drives and so on is repurposed into new products.
People
Reducing human error is pivotal to maintaining compliance: over a third (38%) of all data breaches in the Shred-it survey* resulted from employee mistakes.
Typical breaches may involve misaddressed emails, lost laptops and improperly discarded documents.
Training
Law firms must provide high-risk departments with specific compliance training, as generic sessions can be insufficient.
Training should occur during induction and be complemented by refresher courses.
*Shred-it, Data on File 2023
Find out more
Shred-it has created an e-guide that sets out the practical steps you can take to protect your data.