In light of Brexit, it’s good news indeed that the EU has acknowledged the UK’s adequacy for data transfers to the nation as a third country, both under the GDPR and the Law Enforcement Directive. Whilst we remain optimistic that this adequacy will be ratified within the coming weeks there are two further hurdles to jump – a non-binding EDPB (European Data Protection Board) advisory and all Member States to agree with the EU’s decision.
Eventually, while legally, Brexit may not pose challenges for GDPR and data transfer, the perception of law firms’ ability to handle client data could still potentially be a major business issue. Today, it’s highly likely that many global law firms have just one instance of their document management system and in a data centre that is probably located in the UK. Say, a significant global client of a law firm (for whatever reason) decides in the autumn of this year that they don’t want their data to be located outside the EU – i.e., in the UK.
Would this law firm have the capability to relocate the client’s data? The answer would be “yes” only if the firm has built and adopted an ‘agile’ approach to data storage as part of its overall cloud computing strategy.
Therefore, regardless of the UK being declared an adequate nation for data transfers, operationally it’s vital that firms have the flexibility and agility to jurisdictionally position/re-position data per client preferences.
Here are some things for law firms to think about when developing an agile approach to data storage and transfer, as part of their cloud strategy:
A considerable amount of thought needs to go into the planning of your agile data model. Some food for thought – if your firm’s lawyers who are working on a particular matter are physically split across four different jurisdictions, in which region should data pertaining to that case reside? What implications would the decision to locate the data in X jurisdiction have on the lawyers’ ability to effectively collaborate? This is the kind of thought process that your firm must delve into to devise a suitable data policy.
The architecture of your data model must allow your firm the ability to move data relatively quickly. For instance, if your client demands relocation of their data, how flexible is your data storage model? Or if a third country is challenged in the courts due to over-reaching surveillance law, does your cloud strategy allow you to quickly reposition data in another jurisdiction? And what does ‘quickly’ mean – is it days, weeks, or months? It’s important to understand your capability so that you can set expectations with clients should such situations arise.
When planning your data model, consider its impact on the associated functionality of your document management application – things like impact of data transfer-related changes on lawyers’ ability to search data, the resulting effect on the application’s performance, the changes needed to the firm’s data back-up processes, and so on.
You must be a 100 per cent confident of the physical and technical security of the datacentres you use for client data. Simultaneously, seriously investigate the privacy measures surrounding the data itself too. So, investigate things like where the data is at rest, where is it backed up to, and crucially, where it is being supported from. If your document management application’s support team is in the wrong location, you may have a situation where data is crossing borders, which in turn would have data transfer-related implications.
Not many firms may query this, but ask your application and cloud services vendor, what data they use in their product development processes – i.e., do they use dummy data or do they anonymise the data when testing new versions of their offerings. This will provide your clients confidence that their data will not be snap-shotted and used for development purposes. This is important as if real client data is used, they may inadvertently fall foul of the data storage policies if the location of the information falls outside of their preferred jurisdictions.
An agile data model is much easier to adopt in the cloud than it is on-premises. Imagine what a law firm with 30 data servers in the UK would need to do to action a request from a client to relocate its data to an EU jurisdiction?
The pandemic has undoubtedly made the case for a ‘cloud-first’ approach to technology adoption. So, firms that are already in the cloud, will do well to revisit their cloud data strategy to build in agility and flexibility so that they are able to evolve as the regulatory, business, and economic environment changes. For those firms that are looking to embark on their cloud journey, this is the best time to plan their data model and architecture so that it is future proof right from the start.