Case Study – Legal

By: | September 28, 2018 | Tags: ,

Back Ground

i-Secured had been put in touch with a firm of solicitors, circa 250 employees and turnover of £12 Million who were looking to get a head start in their preparations for the change in data protection law and make sure their information security position was robust.

What was different about this firm to many of the law firms we have dealt with in the past is that it is run by a business person and not lawyers and they have a very clear picture from a risk and compliance perspective where they think their issues lay.

As a firm of solicitors, they recognized three things. They are not specialist in data protection or information security, the necessity for impartiality without the need to sell a “shiny silver bullet that will cure everything” and trying to do a gap analysis internally without the knowledge and time would have been daunting and cost them significantly more in lost fees.

What were we asked to do?

Our remit was to review the business against the mandatory obligations of the General Data Protection Regulation (GDPR) and to identify gaps between both GDPR and where their business is currently and an information security framework. Once complete to put together a simple set of actions which could be followed.

What we found

Data Protection

An understanding of some of the very basics in terms of confidentiality, the concept of retention time frames and the necessity to have good security of processing. For a very well-run firm with excellent Lexcel results, there were 40 points to action to achieve the mandatory evidence and actions to deliver it along with the change in their approach to data privacy. One of which was in their supply chain through the supplier of the case management software.

Information Security

Technically robust, an excellent inhouse IT team. Although there was no formal information risk assessment done they knew where the risks were and what needed to be done.

Their biggest challenge’s?

Internal documentation or the lack of it that meets the requirements of the regulation and good information security practices

As a business changing the culture to support a privacy agenda by doing what they say they will do and when they say they will do it.

Keep everything relating to clients in the case management software and not in multiple network drives also.

Recognize the impact their supply chain can have on them, do sufficient due diligence so they are happy with the remaining risk.

The outcome

By utilizing i-Secured they have a very clear picture of where they were, what needed to be done and why, where their risks were and how to close the gaps.

Internal documentation has been drafted, security certification is underway and the change in culture is happening although it will take a while.

A positive outcome to date and a recognition that there is more to do to maintain it.