Data Security Compliance is no trifling affair and, as a lawyer, you no doubt take your own compliance obligations very, very seriously. But are you fully up to speed when it comes to the cloud?
This is an issue that catches many people in the legal profession off guard. After all, your cloud-based tools are a tech issue – an IT issue – far removed from the day-to-day priorities of case work and serving your clients. But that’s not how the Solicitors Regulation Authority (SRA) sees it.
In fact, the SRA rules are pretty clear on how lawyers comply with data regulations in the cloud.
Outcome 7.10 (b) of the SRA Code of Conduct 2011 states:
“Where you outsource legal activities or any operational functions that are critical to the delivery of legal activities, you ensure such outsourcing… is subject to contractual arrangements that enable the SRA or its agent to obtain information from, inspect the records (including electronic records) of, or enter the premises of, the third party, in relation to the outsourced activities or functions.”
In other words, if you’re a UK lawyer, you need to be able to demonstrate that any sensitive data you’re storing on behalf of your clients is accessible by the SRA when they need it, that they are bound by UK law and, crucially, that your data is not just safe and secure, but safely and securely retained within UK borders and jurisdiction at all times.
This is where things get a bit hazy for many cloud service providers.
The point of the cloud is that data is stored remotely, away from your physical location. This is great because it frees you up for mobile working, because it’s far easier to back up and restore in an emergency, and because a physical disaster like a flood or a fire can’t eliminate years of paperwork in one fell swoop.
The trouble is, this information is stored somewhere. It’s ultimately held in servers in a data centre – and that is in a physical location.
So where exactly is your data being stored? Do you know?
If you’re going to stay compliant when you move to the cloud, it is absolutely essential that the cloud service provider can assure you that your client data will be hosted on servers within the EU, where it’s subject to the same data laws and regulations that bind your business.
It’s absolutely essential that they can assure you, without exception, that neither they, nor any of their technical providers and partners, will ever shift your data, even temporarily, to servers located outside of the region, whether as part of their file hosting and storage, backups or secure file sharing solutions.
How lawyers comply with data regulations in the cloud is likely to keep changing and evolving over the coming years. Hackers are getting smarter, loopholes are getting tighter, and you need to have a strong, future-proofed solution that allows you to open up your data and records to the authorities when they need it, but keeps the same data thoroughly encrypted and secure the rest of the time.
These are not considerations that every cloud provider is equipped to deal with. Many consumer-grade outfits, or even business-focused providers whose clients have fewer compliance requirements, will simply not have built these issues into the fabric of their business model.
If you want to make sure that you are in line with all your legal obligations, you need to find a cloud service provider that speaks your language, that specializes in serving clients in your field, and is savvy enough to know what you need from a tech compliance perspective, before you even know it yourself.
We have a number of legal clients on our cloud platform, some for years, so we understand the concerns and needs of businesses like yours.