How can ISO 27001 help law firms comply with new GDPR legislation?

23 Aug, 2017

In the countdown to the EU’s General Data Protection Regulation (GDPR), the Law Society has released unprecedented guidance to law firms to consider adopting ISO 27001 Information Security to assist them with compliance. Usually a ‘closed-shop’ when it comes to recommending certifications, the Law Society must feel there is good reason to recommend ISO 27001.

In their article, the Law Society quotes statistics from the Information Commissioner’s Office (ICO) stating that there was a 173% increase in data security incidents in the legal sector in Q4 2017 compared with the previous quarter.  Given that processing highly confidential personal data is a core part of legal work, it’s easy to see how law firms could be in danger of falling foul of the new legislation.  Add to that the new fines for breaches under GDPR which can be between 2-4% of global annual turnover or €20 million (whichever the greater) and it’s a grim outlook.

Whilst it’s fair to say that the majority of law firms are tech savvy nowadays, embracing new technologies and backup systems, the majority of law firms still operate a largely paper based office.   This brings with it any number of potential issues; files left open on desks, files left in communal meeting rooms, faxes being sent to the wrong numbers, staff taking files home and working on trains where documents can be seen by other passengers to name but a few.  As the Law Society warns “make no mistake: these are data breaches, just as incidents caused by cyber-attacks are, and under the GDPR you’d be just as liable.”

Some of the top players in the legal market have already been proactive when it comes to dealing with this.  Clifford Chance, Allen & Overy and Linklaters have already taken the plunge and achieved ISO 27001 certification.  But it’s not just for the big boys.  ISO 27001 is a perfect fit for firms of all sizes.

So what have they and the Law Society seen in ISO 27001 that has prompted this decision?   Well, many of controls within ISO 27001 are great best practice for complying with GDPR including disposal of media, physical transfer of media, security of equipment and assets off-premises and clear desk/screen policy.

But there are other benefits to having ISO 27001.

BENEFITS TO YOU

• Cost reductions due to avoiding incidents
• Smoother running of operations as responsibilities and processes are clearly defined
• Improved business image in the marketplace – clients have peace of mind that the company is trustworthy

BENFITS TO YOUR CLIENTS

• Working with a trustworthy provider maintains the their own integrity to the safeguarding of its data
• It instils confidence further down the supply chain resulting in stronger client/supplier relationships
• Having appropriate access controls in place lowers the risk of accidental exposure to employees of confidential/sensitive information

BENEFITS TO YOUR STAFF

• Reassurance that their employer is meeting data handling security guidelines
• Defines clearly and precisely roles and responsibilities therefore job satisfaction and productivity is increased.

At ISO Quality Services Limited, we have already been taking enquiries from law firms keen to steal a march on both GDPR and their competitors.   Interestingly, many are looking at not just ISO 27001 but ISO 9001 Quality Management System to boost their position in the market.   One of the many questions we get asked is how difficult and time consuming is the process?  We can reassure firms that we make the process to certification to both standards simple and straightforward.  Further, we aim to get you certified within 6-8 weeks leaving you free to get on with your job of serving your clients.

If you would like to find our more by having a free no obligation conversation about what is involved in achieving either ISO 27001, ISO 9001 or both then please call our office on 01905 670303 or e-mail clientservices@isoqsltd.com