GDPR and law firms: is the cobbler the worst shod?

February 20, 2023 | GDPR

The General Data Protection Regulation has been a hot topic for every organisation operating in the European Union since it became applicable on 25 May 2018. In France its enforcement is supervised by the CNIL. The purpose of this set of rules is to strengthen and unify the protection of personal data, where "personal data" means "any information relating to an identified or identifiable natural person" (Article 4(1) of the GDPR).

The GDPR is based on 5 main principles:

  • The purpose principle: personal data may only be collected and processed for a specified, explicit and legitimate purpose, and the organisation must be able to demonstrate what that purpose is.
  • The principle of proportionality and relevance (data minimisation): only data that is adequate, relevant and necessary for that purpose may be kept.
  • The principle of a limited retention period: a maximum retention period must be set for each category of data, derived from the purpose of the processing; once it elapses the data is deleted or anonymised.
  • The principle of security and confidentiality: the organisation must guarantee the confidentiality and integrity of the data it holds, and no one who is not authorised to consult the information may be able to access it.
  • Respect for the rights of individuals (information, access, rectification, erasure, objection).

It is understandable that meeting these requirements can be a real headache. Many consultancies now specialise in GDPR compliance and help companies produce the documentation it requires.
Some lawyers have also chosen to specialise in this field and offer this type of support to their clients. But how do law firms themselves ensure that they comply with the regulation, particularly when it comes to protecting the data they hold?
Lawyers must record and archive large amounts of their clients' personal data, often sensitive data (health, family or criminal matters). The profession is increasingly digital, so lawyers have to be able to guarantee the security of the information stored on and exchanged through their systems, all the more so as cyber attacks are multiplying and regularly cause damage that can threaten a firm's very activity, especially for small practices with little IT support.

One practical way to move towards compliance is to use a practice-management tool designed along Privacy by Design lines. The tool does not make the firm compliant by itself: the firm remains the data controller and must still document its processing, train its staff and sign a processor contract with the vendor (Article 28). When choosing your management tool, check for the following features:

  • A secure document management space (EDM/DMS) with per-document access control, versioning, and logging with a tamper-evident audit trail. The objective is to be able to say at any time who did what on each file, and to trust that the log has not been edited after the fact.
  • Secure login with two-factor authentication (MFA), so that a stolen or guessed password alone is not enough to take over a personal account.
  • Encrypted messaging and videoconferencing, ideally end-to-end, to ensure the confidentiality of your exchanges with clients and partners.
  • Time-limited, defined archiving in line with the retention periods required by the regulations and the profession's own rules.
  • Data life-cycle management, from collection through to deletion or anonymisation.
  • The last piece of advice is to avoid multiplying software tools. Why? Because they do not all offer the same level of security, each one adds accounts, integrations and a processor contract to manage, and data copied between them is a common source of leaks.
    For the last word, bet on the all-in-one, provided its vendor's security measures and contractual guarantees are vetted as carefully as any other processor's.
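To make the first and fourth points above concrete, here is an added example (not code from the original article or from any product it describes) of what "who did what on each file" and "time-limited archiving" look like in practice: a toy document store with a per-file access list, a hash-chained audit trail that detects any later edit to the log, and a retention check driven by a per-category schedule. The file names, user names, activity and the retention periods in RETENTION_DAYS are all constructed for the example; a real firm derives its periods from its own purposes and professional rules.

```python
import copy
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Hypothetical retention periods in days per file category (constructed for
# the example; the real schedule comes from the firm's purposes and rules).
RETENTION_DAYS = {"case_file": 5 * 365, "prospect": 3 * 365}
GENESIS = "0" * 64  # starting value of the hash chain
REVIEW_DATE = datetime(2023, 2, 20, tzinfo=timezone.utc)  # date of the retention review


def chain_hash(previous_hash: str, entry: dict) -> str:
    """SHA-256 over the previous hash and the canonical JSON of the entry."""
    payload = previous_hash + json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class CaseFileStore:
    """Toy store: per-file ACL, hash-chained audit trail, retention dates."""

    def __init__(self):
        self.files = {}     # file_id -> {"category": str, "closed_at": datetime}
        self.acl = {}       # file_id -> set of user ids allowed to read it
        self.trail = []     # [{"entry": {...}, "hash": str}, ...], append-only
        self.last_hash = GENESIS

    def _log(self, actor, action, file_id, outcome, when):
        entry = {"ts": when.isoformat(), "actor": actor, "action": action,
                 "file": file_id, "outcome": outcome}
        self.last_hash = chain_hash(self.last_hash, entry)
        self.trail.append({"entry": entry, "hash": self.last_hash})

    def add_file(self, file_id, category, readers, closed_at, when, actor):
        self.files[file_id] = {"category": category, "closed_at": closed_at}
        self.acl[file_id] = set(readers)
        self._log(actor, "create", file_id, "ok", when)

    def read(self, user, file_id, when):
        """Access check first; every attempt, granted or denied, is logged."""
        allowed = user in self.acl.get(file_id, set())
        self._log(user, "read", file_id, "ok" if allowed else "denied", when)
        if not allowed:
            raise PermissionError(f"{user} may not read {file_id}")
        return self.files[file_id]

    def verify_trail(self) -> bool:
        """Recompute the chain; False if an entry was edited, dropped or reordered."""
        prev = GENESIS
        for rec in self.trail:
            if chain_hash(prev, rec["entry"]) != rec["hash"]:
                return False
            prev = rec["hash"]
        return prev == self.last_hash

    def who_did_what(self, file_id):
        """The question the audit trail must be able to answer for any file."""
        return [(r["entry"]["actor"], r["entry"]["action"], r["entry"]["outcome"])
                for r in self.trail if r["entry"]["file"] == file_id]

    def files_past_retention(self, now):
        """Files whose retention period, counted from closure, has elapsed."""
        due = [fid for fid, m in self.files.items()
               if now >= m["closed_at"] + timedelta(days=RETENTION_DAYS[m["category"]])]
        return sorted(due)


def build_sample_store():
    """Constructed sample activity (not real data)."""
    t = datetime(2018, 1, 10, tzinfo=timezone.utc)
    store = CaseFileStore()
    store.add_file("dossier-42", "case_file", {"maitre.dupont"},
                   closed_at=t, when=t, actor="maitre.dupont")
    store.add_file("prospect-7", "prospect", {"maitre.dupont"},
                   closed_at=datetime(2022, 1, 1, tzinfo=timezone.utc),
                   when=t, actor="maitre.dupont")
    store.read("maitre.dupont", "dossier-42", t + timedelta(days=1))
    try:
        store.read("stagiaire", "dossier-42", t + timedelta(days=2))
    except PermissionError:
        pass  # denied, but the attempt is now part of the trail
    return store


def tampered_copy(store):
    """Simulate someone rewriting history: change who made the denied attempt."""
    forged = copy.deepcopy(store)
    forged.trail[-1]["entry"]["actor"] = "nobody"
    return forged


if __name__ == "__main__":
    s = build_sample_store()
    print(s.who_did_what("dossier-42"))
    print("trail intact:", s.verify_trail(), "/ after tampering:", tampered_copy(s).verify_trail())
    print("to purge on", REVIEW_DATE.date(), ":", s.files_past_retention(REVIEW_DATE))
```

Two design points matter here. The access decision is logged before the exception is raised, so denied attempts (the ones an auditor most wants to see) are never lost, and each log entry's hash covers the previous entry's hash, so editing, deleting or reordering any record breaks verification from that point on; in a real deployment the latest hash would be periodically copied somewhere the application cannot write, otherwise an attacker with write access to the log could simply rebuild the chain.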
