Information management and security—regulatory requirements—law firms
Produced in partnership with DG Legal

The following Practice Compliance practice note, produced in partnership with DG Legal, provides comprehensive and up-to-date legal information covering:

  • Information management and security—regulatory requirements—law firms
  • SRA requirements
  • UK General Data Protection Regulation (UK GDPR)
  • The UK GDPR security principle
  • The data security principle in practice
  • Assessing data security risk
  • Computer Misuse Act 1990
  • Lexcel
  • ICO
  • ISO
  • More...

Information management and security—regulatory requirements—law firms

This document reflects the UK GDPR regime. References and links to the GDPR refer to the UK GDPR (Retained Regulation (EU) 2016/679) unless expressly stated otherwise.

This Practice Note explains the key regulatory and statutory provisions governing the management and security of information and data, referred to as information management and security.

SRA requirements

You must keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents—see subtopic: Confidentiality and disclosure.

The SRA expects you to identify, monitor and manage all material risks to your business. See subtopic: Identifying and evaluating risk across the business. Information security is likely to be an important risk for most law firms.

You are also under a duty to safeguard money and assets entrusted to you by clients and others—see subtopic: Client account withdrawals.

UK General Data Protection Regulation (UK GDPR)

The UK GDPR imposes extensive requirements around information security, record-keeping and general information management.

For more guidance, see Practice Note: Information security—data protection compliance and Precedent: Data protection compliance—self-audit—law firms.

The UK GDPR security principle

Data security is a cornerstone of the UK GDPR. You must process personal data in a manner that ensures appropriate security (using appropriate technical or organisational measures), including protection against:

  1. unauthorised or unlawful processing, and
  2. accidental loss, destruction or damage

The UK GDPR calls this the ‘integrity and confidentiality’ principle, although
