Policies and plans every legal business must have in the digital age
Changes to the rules covering the use of technology could leave firms – and clients – vulnerable. So, what policies and plans should every legal business have in place to ensure compliance in a digital age?
Acceptable Use Policy
An Acceptable Use Policy (AUP) helps ensure that everyone knows what is and isn’t okay when it comes to using digital technology. This should cover things such as:
- Use of email and web for personal purposes (including the amount of usage allowed and the types of sites that are forbidden)
- Use of video/audio streaming (as this can hog bandwidth)
- Restrictions on downloading files and installing applications without checking with IT
- Policies for sending bulk emails (e.g. making sure staff use the BCC function, so client emails are not disclosed)
- Guidance on logging off or locking devices when not in use
- Guidance on physically storing mobile devices to minimise loss by theft.
You should also set out the process and potential consequences for any infringements of the AUP.
Social Media Policy
While some organisations include social media use in their AUP, because of its growing influence it is becoming increasingly popular to create a standalone document.
It’s important to note, however, that forbidding the use of social media doesn’t work, particularly as people can access it quickly and easily on their smartphones. In fact, today, staff should be encouraged to promote your business on social media wherever possible.
You can, however, put rules in place which spell out the ethical standards you expect your employees to adhere to – especially where any negative behaviour could have a knock-on effect on your business. So, things like racist posts by an identifiable partner are a no-no!
Mobile Security Policy
Businesses are having to find new ways to meet the demand for new ways of working. Modern cloud-based technology, smartphones and enterprise mobility tools which help staff to remain permanently connected are one way firms are achieving this. But, while technology makes new things possible, it also creates new levels of risk.
To deal with this risk, it’s vital that legal businesses establish robust policies to ensure any device used in a business capacity has up-to-date and appropriate protection software. Alternatively, provide fully protected mobile devices to users instead of allowing personally-owned tech to be used for work. Whatever approach you take, a mobile device management plan is crucial to protect your firm.
Human error is responsible for most data breaches in law firms. Despite this, too many legal businesses still haven’t implemented the most basic of security processes, such as a secure password policy. Today, this can be easily enforced through technology. For example, a Windows Group Policy can make sure that all passwords are of the required length, are changed frequently, and are not repeated.
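Enforcing the policy is only half the job; you also want to verify that the domain is actually applying it. The following PowerShell audit is an added example, not code from the original article: it reads the domain's default password policy and reports any deviation from the firm's required length, change interval and history count. It assumes the ActiveDirectory module (RSAT) is installed and the session runs as a domain user; the required values are placeholders to replace with your own policy's figures.

```powershell
# Added example: audit the domain's default password policy against the
# firm's own requirements. Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

# Firm's required settings (placeholder values; adjust to your policy).
$Required = @{
    MinPasswordLength    = 12   # minimum number of characters
    MaxPasswordAgeDays   = 90   # passwords must be changed at least this often
    PasswordHistoryCount = 12   # previous passwords that cannot be reused
}

function Test-FirmPasswordPolicy {
    param([hashtable]$Required)

    # The policy Group Policy currently applies to the whole domain.
    $policy = Get-ADDefaultDomainPasswordPolicy

    $findings = @()
    if ($policy.MinPasswordLength -lt $Required.MinPasswordLength) {
        $findings += "Minimum length is $($policy.MinPasswordLength); policy requires $($Required.MinPasswordLength)."
    }
    # A zero (or negative) maximum age means passwords never expire.
    $ageDays = $policy.MaxPasswordAge.TotalDays
    if ($ageDays -le 0 -or $ageDays -gt $Required.MaxPasswordAgeDays) {
        $findings += "Maximum age is $ageDays days; policy requires at most $($Required.MaxPasswordAgeDays)."
    }
    if ($policy.PasswordHistoryCount -lt $Required.PasswordHistoryCount) {
        $findings += "History count is $($policy.PasswordHistoryCount); policy requires $($Required.PasswordHistoryCount)."
    }
    return $findings
}

$result = Test-FirmPasswordPolicy -Required $Required
if ($result.Count -eq 0) {
    Write-Output "Domain password policy meets the firm's requirements."
} else {
    Write-Output "Domain password policy deviates from the firm's requirements:"
    $result | ForEach-Object { Write-Output " - $_" }
}
```

Run it as part of the annual Data Protection Audit so that the written password policy and the settings actually enforced do not drift apart.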
Privacy Impact Assessments
Your legal business should carry out a Privacy Impact Assessment (PIA) whenever you are planning to introduce an initiative which involves “high risk” data processing activities, for example deploying a new cloud-based CRM. A PIA allows a firm to thoroughly and systematically analyse how a particular project or system will impact the privacy of the individuals involved.
Document Retention Policy
All too often we hold on to information we don’t need for too long. Let’s face it, we don’t need to keep the chain of 10 emails used to schedule one meeting. What’s more, under current regulations, if you keep certain data for longer than it is needed, you could violate the Data Protection Act.
A Document Retention Policy (DRP) helps firms to keep things simple and take out the digital trash. So, with a DRP, you keep the information you need to hold on to under the relevant legislation and remove the rest.
Data Protection Audit
Since the introduction of the General Data Protection Regulation (GDPR), it is more important than ever to conduct regular Data Protection Audits.
With a Data Protection Audit, you should review and document all the personal information you hold, establish where it comes from and what you do with it, and spell out who it is shared with. A Data Protection Audit will also help you ensure that any data held is up-to-date. To help maintain compliance, carry out an audit at least once a year.
Your website must have an easily accessible privacy statement which states how information is acquired and how it will be used.
Incident Response Plan
If your business is faced with a security compromise such as a data breach, it pays to have an established response plan in place. Crucially, under the GDPR, firms will need to notify any breach within 72 hours of discovering it. Businesses should also have procedures in place to identify what data was leaked, why the failure occurred, what happened, who was responsible, who and what was affected, and to what extent.
Disaster Recovery Plan
Once the initial catastrophe is over, restoring business continuity is vital. In this plan, you should set out the steps needed to restore your IT systems to a state in which they can support the business after a disaster.