Kerry Beynon, Partner at RDP Law, looks at the role of technology in relation to regulatory compliance in a fast-changing world.
Many conversations these days seem to include reference to a new global calendar reference point—pre-COVID-19 and post-COVID-19. For some, looking back to pre-pandemic times is harking back to a lost golden era where you knew what you were dealing with while for others, the ‘new normal’ has posed opportunities—even if they are by necessity.
Whatever your experience, I think most would agree that technology has emerged as something we must embrace if we are to keep up with the changing global economy. In addition, sustaining the legal profession is something we must ensure as access to justice depends upon it.
So, what are the regulatory issues surrounding the use of technology and are risk and legal compliance mutually exclusive?
What are the positives?
There are positives that have emerged over the last few months. Many firms had business continuity plans in place pre-COVID-19 so when the global pandemic struck, those plans were swiftly implemented.
Many hours spent identifying and investing in technology that could be deployed in the event of mass homeworking and the documentation of policies, procedures and risk assessments largely paid off—colleagues could keep in touch with each other and fee-earners could carry on assisting clients.
Of course, procedures had to be updated as formal guidance was issued and updated, but the wheels largely kept turning in a way that would not have been possible without the use of technology.
As with everything there were and are challenges. Cybersecurity is a good example. Although expected, malicious cyber actors have taken advantage of the COVID-19 pandemic to exploit security vulnerabilities arising out of home working.
Phishing attacks and ransomware are all terms that we are familiar with, but how confident are you that your organisation could withstand a phishing email, particularly if it was designed to look as though it was an official email coming from the government about the coronavirus pandemic?
How certain can we be that when colleagues connect to office systems from home that they are not exposing the practice to risk? How confident are we that our patch management strategies will work in a home working environment so that software does not become outdated and expose the practice to risk?
As guardians of valuable data and large sums of client money, law firms are an obvious target for bad actors, and have to be prepared. But what does this really mean?
Further, with the decision in July 2020 that Privacy Shield is no longer a valid way to transfer personal data outside the EEA, some organisations will need to take swift action (if they have not already done so) to ensure that they are not falling foul of the rules around the international transfers of personal data. Add the end of the Brexit transition period in December 2020 to the mix and some might say these are challenging times from a compliance perspective.
Compliance as opportunity
But it is not all doom and gloom. It is often said that compliance with ‘principles’ (such as those set out in data protection legislation) is difficult because sometimes there is no clear right or wrong.
But approach it in a different way and compliance can become an opportunity—the compliance landscape does enable organisations to embrace appropriate technology and with technology can come efficiency, better ways of working and (in some areas of legal practice) more meaningful client engagement.
Whilst there cannot be a ‘one size fits all’ approach to compliance, there is hope for those who previously felt as though they didn’t know where to turn when it came to matters such as technology, cybersecurity and meeting one’s statutory obligations. This is because since the onset of COVID-19 there has been new/updated guidance issued by the ICO, Law Society and the National Cyber Security Centre.
There are also numerous free online training sessions offered by commercial entities, regulatory/professional bodies and by government and law enforcement agencies. As training is a key component of any compliance framework, this must be good news.
The coronavirus pandemic has shown us that to survive in business we have to embrace technology and if you are looking to invest in technology there would arguably be no better time than when there is a plethora of advice and guidance out there to help you make an informed choice.
So how would I answer the question posed above? Technology and risk are mutually inclusive and as a profession we are better off getting on that train (with our compliance framework in hand) before it departs without us.