Data protection for the 21st century: GDPR & Law Firms


In preparation for the General Data Protection Regulation (GDPR), our CEO, Craig Matthews, has set out a five-point plan to help law firms prepare for GDPR and the significant changes required to working practices

Given everything that’s been written about GDPR, it should come as no surprise to you that it comes into force on 25 May 2018. The fines for failing to comply are substantial – up to £17m or 4% of global annual turnover – and it’s vital that you do, since ignorance is not a defence for non-compliance. Even though we’re leaving the EU and the GDPR is an EU Directive it will still come into law in the UK, so every firm that controls or processes the data of EU citizens must adhere to the new regulation.

With around four months left there’s still time to act, although if you’re starting from scratch with GDPR then you’ve got some work to do. Like most things, though, if you break it down into manageable chunks you can still ensure that your firm is GDPR compliant before the 25 May deadline.


To help you achieve this, I’ve set out a five-point plan: –


1. Bring your partners on board

Being compliant with GDPR isn’t just a question of software. Software will play a major part but GDPR is also about considering privacy every time your firm processes personal data. You may find that some of your processes need to be reworked and that a broader understanding amongst your staff of how to manage data is needed. With your partners / leadership team on board you will have the necessary support to devise the new processes your firm will need and, working closely with your IT team, you’ll be able to implement these processes making the best use of the available technology.


2. Consider appointing a DPO

Some firms are obliged to appoint a Data Protection Officer. For other firms it may well be a prudent step to take. It may even be that you become the DPO! You or your DPO will take on the responsibility of understanding the nature of your data estate – essentially all of your firm’s data – and, working with your IT team and under direction from your partners, the DPO will be responsible for implementing the procedures and the processes to ensure you are compliant (and remain so).


3. Understand your data estate

It’s vital that you work out what data you already have and make sure it adheres to your new working practices. I tend to think of data as managed or unmanaged. Managed data resides in a database, with access controlled by permissions and data that can only be accessed through a secure connection. Unmanaged data is the rest of it – your emails, stored on your PC and phone and tablet, along with documents saved locally or “kept safe” on a USB stick that is probably not encrypted and can so easily be lost or misplaced. It is this unmanaged data that is likely to pose the greatest risks to your organisation. In short, understanding your data estate and taking steps to safe guard it couldn’t be more important.


4. Implement new working practices

Once you’ve worked out the nature of your data estate you need to bring this into line with your new GDPR working practices and ensure all new data generated is done so in line with your new working practices. This should be relatively straight forward if you’ve set up new working practices and provided your staff with the necessary training.


5. Monitor, review, report

Becoming GDPR compliant isn’t enough. You need to monitor, review and report. This should take the form of on-going staff training, auditing of your

systems and data and reviewing your working practices. If you embark on a new area of work then design the whole process with privacy in mind and don’t be tempted to add it on at the end. Considering privacy from the outset will make the implementation of the new working practice fit seamlessly alongside your other GDPR processes.

By using the right software products your firm is in a strong position and you should be able to implement the vast majority of processes without having to disrupt the way you and your colleagues work. The GDPR is not designed to make our working lives more difficult, less efficient and more costly, although I fear some organisations may implement such bureaucratic processes that it may become hard to do your job. It’s about protecting data – and the rights of those individuals the data relates to – and it’s therefore important to work with a software company that you can trust, that understands your responsibilities (and theirs), as well as your need to drive efficiencies and improve your services whilst maintaining and increasing profit margin. This is the key not only to surviving but also to thriving under GDPR.


Protection and security are two of our key priorities and building GDPR specific features into our Osprey Approach software is just one of many initiatives we’re implementing to ensure our customers make the most of this new opportunity.


Craig Matthews is CEO of Pracctice Ltd, developers and suppliers of Osprey Approach, a truly integrated, practice management solution. Today, over 800 law firms, and in excess of 8,000 individual users, use Osprey on a daily basis.


If we can assist you with GDPR, or you have any questions about your current software, don’t hesitate to get in touch with us today at


This article was first published by Legal IT Insider magazine, February 2018

Book your free demonstration and learn why thousands of lawyers are choosing Osprey Approach to grow their law firms

Book your free demo Contact our team