A report by managed services provider CenturyLink Emea, shows that despite the threat of up to €20m fines or 4% of annual global turnover for serious data protection failings, only 25% of more than 150 legal sector IT decision-makers said their firms were GDPR ready.

Why Not?

If any sector looks likely to be prepared for the introduction of GDPR next year, you could be forgiven for thinking that the legal sector would be at the forefront, given that companies and individuals will be seeking the advice, help and services of law firms with compliance and enforcement matters.

According to the report, however, the legal sector is saying that three quarters of law companies are not ready, and not achieving higher levels of privacy and data security because of challenges relating to human mistakes (50%), dedicated cyber attacks e.g. distributed denial of service (DDoS) attacks and ransomware or SQL injection (45%), and lost documentation and devices (36%).

The report shows, for example, that 1 in 5 law firms have experienced an attempted cyber attack in the past month, and less than one-third (31%) of IT directors believe their firm is compliant with cyber-security legislation.

Shadow IT Worries

One other interesting area of confusion for law firms appears to be Shadow IT. This term describes the apps and services that employees bring in to company systems without going through the approved channels, and how employees use them in their own way to solve specific work problems. Many companies see it as a threat to control, security and the strategy of the business as well as being strength in some situations.

The CenturyLink Emea report shows that 11% of law firms have no shadow IT policies at all, and although one-third (33%) of firms don’t officially permit bring your own device (BYOD) or bring your own apps (BYOA), in reality 43% of IT decision-makers at law firms trust their IT teams to “do the right thing” for their business.

Not The First Negative GDPR Report

This is certainly not the first GDPR report with less than positive news. Only last month, a study by DMA group (formerly the Direct Marketing Association) revealed that more than 40% of UK marketers said their business is not ready for changes in the forthcoming General Data Protection Regulation (GDPR). One of the main issues highlighted in that report was confusion over issues of consent in GDPR. Some commentators have said that focusing too much on consent as a basis for data collection could mean that companies miss other options and issues, and end up not being ready and compliant in time.

What Does This Mean For Your Business?

The findings of this report are surprising in some ways, partly because in September last year, media reports indicated that the legal profession was already preparing itself for the introduction of GDPR in terms of how to build a market for litigation as well as ensuring that they fully understand the many different aspects of the Regulation and its implications. It appears, however, that legal firms are experiencing the same challenges many other companies in other sectors. To some extent, the news that law firms are apparently not up to speed with GDPR is likely to be somewhat of a relief to many businesses.

Law companies also face an added risk to their reputation e.g. if they are hacked and there is a data breach due to non compliance. This is the reason why many law firms and other companies are now taking steps towards greater security by moving away from legacy, on-premise IT systems to private or public managed cloud arrangements. Outsourcing IT infrastructure to providers can offer a secure environment to support digital transformation initiatives, and managed services can minimise the risk posed by external attacks, and free up internal resources to focus on innovative IT and business initiatives.

With GDPR, one of the key challenges for all companies in addition to getting an understanding of consent issues is making sure the technology is in place to help deal with data in a compliant way. Some technology products are now available to help deal effectively with data, and many tech commentators believe that developments in AI and machine pattern learning / deep learning technologies will be able to be used by companies in the near future to help with GDPR compliant practices.

At this late stage, legal firms and those in other sectors clearly need to press on quickly with, and get to grips with GDPR and its implications. Ordinarily, one piece of advice for companies would be to seek professional advice to at least highlight which areas are most legally pressing, but in the light of this report, it seems that some law firms may be struggling to see how GDPR applies to themselves, let alone their customers.