Perspective in Practice: Faking It (Even if You Didn’t Really Mean To)
Whilst waiting for a train last week, I overheard a (loud) telephone conversation where a legal service provider was discussing their imminent change of Case Management System (‘CMS’). (I’ll put aside the faux pas of broadcasting confidential information in a public space for another day, although I’m grateful to that individual because I did find what I heard thoroughly interesting!)
Changes of CMS provider/software are not unusual in the legal sector; indeed, I speak with perhaps four organisations per month that are going through this process.
On this particular occasion, however, I overheard it being mooted that the CMS supplier was going to furnish that legal service provider with a ready-made Data Protection Impact Assessment (‘DPIA’) in respect of the installation of the new CMS.
Surely, that couldn’t be true!
Could it really be that a CMS provider was going to hand over a few pieces of paper and try to pass this off as an appropriate and complete DPIA? And, was the legal organisation actually going to accept this as such?
Or, had the legal organisation misinterpreted the intention of the CMS provider? Perhaps the CMS provider was simply going to provide a schedule of the intended works, including a statement about risk (which would be appropriate).
If it were the former, the CMS provider’s claim to provide adequate documentation was, as politely as I can possibly put it, ‘misleading’.
But, either way, the need for a dedicated Data Protection Impact Assessment had been misunderstood by the legal organisation.
This stirred a chilling echo of a similar situation I had encountered in discussion with another legal services provider a year or so ago, where a new computer network was being installed in their premises and their computer network provider/installer had, allegedly, as part of the deal, offered to ‘throw in all of the paperwork they needed’ for Cyber Essentials accreditation!
As part of the installation project, the computer network supplier was apparently going to provide a set of generic policies and procedures that they said would ‘tick the box’ for Cyber Essentials accreditation, with no further effort required by their client.
In reality, other than setting out some reasonably good practice for information security, those documents would likely bear only a passing resemblance to the way in which the legal services provider was actually managing their information network.
In other words, if used for the purposes that had been described to me, such documents would be, and again, I’m going to be as polite as I can, ‘economical with the whole truth’. They would be fabricated in order to support an application for a quality standard which clients and others may come to accept or rely upon as a measure of the effectiveness of the legal service provider’s information security controls; controls that the legal service provider was not actually going to implement.
The first situation, the DPIA, has multiple troubling implications, not least the potential for regulatory challenge as well as direct risk to personal data.
The second situation, the fabrication of inappropriate policies and procedures in pursuit of a quality standard, highlighted not only a lack of appreciation of the risk on the part of a legal services provider who accepted such documents, but also how such occurrences, if they came into being, would undermine the credibility and effectiveness of quality standards.
In both cases, the legal service providers concerned could get caught out.
There is no doubt that it is often helpful to consider information from a variety of credible sources when one is assessing risk or drafting important documents. Such sources might, on occasion, include the perusal of a template document, merely as a catalyst for your own, individual, preparations/drafting.
But, relying on templates alone, no matter what the source, is far from best practice; it’s downright risky.
At PDA, we are frequently asked for templates that include actual procedural content. We decline to provide these, in every case.
Over the years and through hundreds of visits to legal service providers we have observed, without exception, that for plans, policies, procedures or any other governance documents to be as valid and effective as they need to be, they must be tailored to suit the individual needs and aims of one organisation only.
I often make the remark that you are more likely to find a completely unrelated stranger, living on the other side of the planet, who is an exact DNA match with you, than you are to find any two organisations in the UK that conduct their activity in an identical manner. Taking into account the near limitless permutations of the ‘business cocktail’ (including use/type of information, clients served, location, staff skills/experience, software and systems used, etc.), the risk profiles are as unique as fingerprints.
Of course, it is recognised that all organisations operating in a heavily regulated environment/sector will share a number of reporting or working requirements; some of these will be universal and the procedures for conducting them could be very similar. But, even then, the way in which these are carried out, by whom, when, how, with which resources, can and does vary between organisations.
The above situations might have raised some immediate questions, but there are a few remarks I can offer here that I hope might be useful as food for thought.
Where DPIAs are concerned, ensure that you are familiar with, amongst others, Article 35 of the GDPR. The opening three paragraphs of this Article indicate the types of activity that might benefit from, or actually require, a Data Protection Impact Assessment and the decision-making that would be required in the circumstances. Note that Article 35(1) places the obligation to carry out the assessment on the controller, not on its supplier. Paragraph 7 sets out what a DPIA shall, as a minimum, contain.
It becomes clear when reading Article 35 that a project to change a Case Management System is likely to require a DPIA. And, to be meaningful, the DPIA needs to be led and understood by the legal service provider themselves, so as to adequately chart the extent of the risk, ramifications, planning and mitigation that are unique to them and necessary for such a project; the project for which, ultimately, they are responsible.
The data protection leader of a legal service provider (or any other organisation, for that matter) should have a working knowledge of data protection regulation and associated processes, and can, of course, seek guidance from expert organisations if necessary so as to progress a DPIA to a satisfactory extent. A CMS provider acting as a processor is, under Article 28(3)(f), obliged to assist the controller with its DPIA obligations, and should be expected to supply technical detail about the system; but, in the interests of objectivity, guidance on the assessment itself would be better placed coming from somewhere other than solely the CMS provider.
Cyber Essentials accreditation, just like other accreditations, can provide a wealth of benefits for organisations that pursue it. For those that make the most of the opportunity, the benefits realised could include: strategic, risk management, client/customer care, efficiencies of operation and regulatory compliance, to name but a few.
As a starting point, I would suggest that organisations considering an accreditation should conduct a gap analysis of their own present situation/policies/procedures versus that which is required by the quality standard itself. Bear in mind that Cyber Essentials is concerned with five technical controls (firewalls, secure configuration, user access control, malware protection and security update management) that must actually be in place on the in-scope systems; a set of generic policy documents does not, of itself, satisfy the standard.
Having identified the gaps (and the alignments that are already in place), the organisation can then either adapt its existing documents or adopt and adapt new ones.
PDA supports organisations in decision-making, risk assessments, gap analysis and implementation for data protection regulation, cybersecurity accreditation and legal sector accreditations, amongst others. If you’d like to know more, please get in touch.