xSecurity

Organisations processing data must have appropriate technical and organisational measures in relation to personal data held in paper files and stored digitally. The main difference is that data stored digitally can be held in larger quantities and, therefore, can present more risks if lost or misused. However, the loss of paper files still attracts fines from the Information Commissioner’s Office (ICO) on a regular basis and many solicitors still work with large amounts of paperwork.


The same obligation existed under the Data Protection Act 1998 but the GDPR has provided more detail about what is expected, particularly in relation to digital data, taking into account advances in technology and the risk of cyber-attacks.

Considerations in relation to security of processing

In order to minimise the risk of personal data being misused, access controls should be in place to restrict the access of individuals to personal data on a ‘need to know’ basis.
If you are introducing a new processing system, then you should consider carrying out a data protection impact assessment. These are not covered in this guide but the ICO website has guidance.


In relation to cyber security, the GDPR states that in deciding what security measures are appropriate, organisations should take into account the costs of implementation and the nature, scope, context and purposes of processing. This means, in practice, that the level of security that an organisation is expected to provide will depend on the technology and the resources available to it. The organisation should evaluate the inherent risks in the processing and implement measures to mitigate those risks.


In addition, the GDPR states that this assessment should take into account the likelihood and severity of any impact on the data subjects if personal data were lost or stolen, and that the security measures should be appropriate to the risk. The risks to be considered are those which could lead to physical, material or non-material damage and, in particular, discrimination, identity fraud or theft, financial loss, damage to reputation, loss of confidentiality where the information is protected by professional secrecy, and any other significant economic or social disadvantage. Particular care must be taken over data identified as special category.

Pseudonymisation and anonymisation

Pseudonymised data is data which has had the personally identifiable features removed but which can be combined with other data to re-identify the individual. This is a new term under the GDPR and pseudonymised data can reduce the risk of personal data being lost or unlawfully accessed if the additional information for attributing the data is kept separately.
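The point about keeping the "additional information for attributing the data" separately is easier to see in code. The following is an added illustration, not part of the Law Society's guide: a keyed hash replaces each client identifier with a token, the direct identifiers go into a separate re-identification table, and re-attribution is only possible for whoever holds that table. The client records and field names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample client records for illustration only (not real data).
CLIENT_RECORDS = [
    {"client_id": "C-1001", "name": "Alice Example", "postcode": "EH3 8EX", "matter": "conveyancing"},
    {"client_id": "C-1002", "name": "Bob Sample", "postcode": "G1 1AA", "matter": "wills"},
    {"client_id": "C-1001", "name": "Alice Example", "postcode": "EH3 8EX", "matter": "litigation"},
]


def new_pseudonym_key() -> bytes:
    """Secret key for the pseudonymisation function. Store it with the
    lookup table, away from the pseudonymised working data."""
    return secrets.token_bytes(32)


def pseudonym(client_id: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the client identifier. A plain hash would let
    anyone with a list of client IDs regenerate the tokens; the key prevents that."""
    return hmac.new(key, client_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Split each record into a working copy with no direct identifiers and a
    separate re-identification table. Returns (working_records, lookup)."""
    working, lookup = [], {}
    for rec in records:
        token = pseudonym(rec["client_id"], key)
        # The lookup table is the 'additional information' GDPR expects to be kept apart.
        lookup[token] = {"client_id": rec["client_id"], "name": rec["name"], "postcode": rec["postcode"]}
        working.append({"token": token, "matter": rec["matter"]})
    return working, lookup


def reidentify(token: str, lookup):
    """Re-attribute a token to the individual. Only possible with the separately
    held lookup table; returns None when that table is not available."""
    return lookup.get(token)


if __name__ == "__main__":
    key = new_pseudonym_key()
    working, lookup = pseudonymise(CLIENT_RECORDS, key)
    print(working)  # tokens and matters only, no names or postcodes
    print(reidentify(working[0]["token"], lookup))
```

Because the token is deterministic for a given key, two matters for the same client stay linkable in the working data, which is what distinguishes pseudonymisation from anonymisation.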

Encryption

The ICO encourages making sure that any personal data being transferred digitally, whether by email or on a removable device, including laptops, is encrypted. This will reduce the likelihood of it being accessed if it is lost or stolen and may mean that there is no requirement to report the loss of such items.

Ensuring ongoing confidentiality, integrity, availability and resilience of processing systems

At the moment, the ICO recommends the following basic requirements in relation to cyber security and more information is available in the Law Society of Scotland’s guide to cyber security:

  • Install a firewall and virus-checking software on your computers
  • Ensure that your operating system is set up to receive automatic updates
  • Protect your computer by downloading the latest patches or security updates, which should cover vulnerabilities
  • Do not let staff share passwords
  • Securely remove all personal information before disposing of old computers
  • Consider installing an anti-spyware tool

The ability to restore the availability of data in a timely manner

All organisations are vulnerable to cyber-attacks. In particular, the use of ransomware attacks has increased, meaning any business that relies on technology can be a target. The most common example is where malicious software gets into your IT system and encrypts the server. This could be through an email or the use of unsafe removable devices. A ransom is then sought from the business before its data is returned.
The ICO’s advice is to have a robust data backup strategy in place to protect against disasters such as fire and flood but also malware, such as ransomware. Backups should not be stored in a way that makes them permanently visible to the rest of the network. If they are visible, they can be encrypted by malware or the files could be lost. At least one of your backups should be offsite.

Have a process for testing security measures regularly

Regular vulnerability scans and penetration tests should be carried out on your systems for known vulnerabilities and to make sure that any issues identified are addressed.

Staff training

People are the weakest security link and staff should be trained in relation to data protection and security. Training should cover:

  • What is expected of you in relation to data security
  • Being wary of people who may try to trick you into giving out personal details
  • Staff can be prosecuted if they deliberately give out personal details without permission
  • The use of strong passwords
  • Being wary of emails that appear to come from your bank and that ask for your account, credit card details or your password (a bank would never ask for this information in this way)
  • Spam emails and not opening them, even to unsubscribe or ask for no more mailings
