The EU’s General Data Protection Regulations (GDPR), which were enacted into UK law by the Data Protection Act 2018 (DPA), place strict requirements on law firm data security.  While the GDPR relates to any business using personal data within the EU, given that law firms are required to handle often highly sensitive personal information, they must go the extra mile to mitigate any potential risk to their clients.


Data controllers vs data processors

Core to understanding law firm data security obligations in the context of the GDPR is interpreting the terminology used.  Firstly, both data controllers and data processors are required to adhere to GDPR.

law firm data securityAccording to the UK’s Information Commissioner’s Office (ICO), data controllers are defined as any “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.  And data processors are any “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.  In other words, the controller determines what information should be processed and for which purposes, whereas the processor undertakes the actual processing work.

As such, law firms may find themselves acting in both roles.  As confirmed by the law society, however, law firms assessing their law firm data security should not just assume they are acting in the role of data processor when they may not be.  For example, for a law firm undertaking electronic discovery in-house, it is likely they would need to conform to the GDPR rules for both controller and processor.  If discovery is being contracted to a third party, it is likely the external entity would be classed a processor and the law firm would be the controller.  The European Data Protection Board provides some useful information to make this decision.


Seeking assurances from third party data processors

When assessing law firm data security risks where third parties are used to process data on behalf of the controller, it is essential to ensure that the processor is able to comply with their legal obligations under GDPR – this should not just be assumed.  Failure to verify this could lead to a ‘supply chain compromise’ whereby the third party fails to adequately secure the IT systems that hold your (and your clients) data.

The National Cyber Security Centre (NCSC) states that a vulnerable data supply chain can be avoided by adhering to its principles, under the following categories:

  • Understanding the risks
  • Establishing control
  • Checking your arrangements
  • Continuous improvement


For example, the NCSC recommend that where necessary, data controllers may wish to use the Centre for Protection of National Infrastructure (CPNI’s) Personnel Security Maturity Model to assess the effectiveness of their people security arrangements.  While this may seem onerous, to fully ensure law firm data security, it may be the only way to mitigate any risks fully.


Wrapping up

It is critical then that law firms take their responsibilities seriously, especially considering the financial penalties and reputational damage which may be levied for non-compliance.

To prevent “supply chain compromise” ensure you work with organisations who have a similarly transparent and compliant approach to data protection and proactively demonstrate this to you, providing you with full assurance for your law firm and your clients.


The Cashroom understands the potential pitfalls of data security. We take data security and protection seriously. To find out more about our approach to data security have a read of our recent blog here.

We’re happy to share our experience with our clients and our own data protection policy is available online here.

The Cashroom helps law firms stay on the right side of compliance, whether it be GDPR, data security and SRA or Law Society of Scotland Accounts rules.

We bring our extensive experience in the legal sector to you, whether you are looking for outsourced cashiering, help with the production of management accounts, or support with your payroll.

For an introductory discussion please contact a member of our team.


If you are regulated within the English and Welsh markets, then please contact:
Alex Holt E: T: 07817 420 466


If you are regulated by the Law Society of Scotland, please contact:
Gregor Angus E: T: 07875 598 593