The ICO’s recent finding of negligent security practices at Tuckers Solicitors, and the resulting £98,000 fine, should alert all businesses, but especially those in the legal profession, to the need to comply with the legal obligations imposed by UK GDPR for the security of all personal data they hold and process.
So here is a short reminder of some basic legal obligations.
1. The business must undertake a cybersecurity risk assessment – that is, an assessment/analysis of the security risks involved in holding and using any personal data. It must cover many elements: the security of your technology, the way it is accessed, where data is held and how it moves around the business, the nature and sensitivity of the data concerned, the people using it, the third parties you allow to access/process it, the security policies in place (or not), and much more.
Doing this will of course include technical assessments. But it also needs to identify all vulnerabilities, not just technical ones, and give you visibility of your risks. And because of point 5 below, your risk assessment should be documented. It is a specialist job – and different to IT support. In respect of the technical side, the ICO says: “This is a complex technical area that is constantly evolving, with new threats and vulnerabilities emerging.” That is why, to understand where the risks are, the risk assessment needs to be undertaken by someone with genuine cyber risk management experience, who is up to speed on the current methods of attack and knows how to defend against them.