The Evolving Needs of Data Privacy in Law Firms

September 16, 2019

Modern law firms’ data are a trove of highly sensitive information, such as the names, contact information, and various financial and legal matter details of an organization’s clients. As the global data explosion continues and the types of data collected continue to increase, laws and regulations designed to protect data from misuse have arisen.

The European General Data Protection Regulation (GDPR), put in place to strengthen the protection of personal data for individuals within the European Union (EU), went into full effect on May 25th, 2018. This groundbreaking policy enacted broader data protection rules than previous laws and increased penalties for non-compliance. GDPR applies to any company that processes data (whether as a primary party or sub-processor), offers services or goods, or monitors the behavior of people in the EU—even if the company does not reside in the EU. 

So, what does this mean for those handling data in a law firm? What technology should firms use to make sure they stay in compliance? Below is a non-exhaustive list of data handling practices and technologies that enable law firms to manage them better. 

Deletion of Personal Data

According to the GDPR, businesses must delete personal data after the primary purpose of the processing has ended or if the individual requests their personal data be removed. There are many cases in which a law firm may have to follow through with this process

To help with this task, assess the use of an Information Lifecycle Management (ILM) tool. Fulcrum Snap, Fulcrum GT’s industry-leading practice management system, leverages SAP applications that provide simplified deletion functionality based on ILM. All SAP applications include ILM objects that support the “end of purpose” check. ILM objects trigger from central master data sets. With this purpose check enabled, all apps integrated with central, master data verify whether they are still permitted to store that data — if no longer needed, the information is deleted.

Data Separation and Authorization

GDPR requires the ability to separate data by attributes so that data collected for one purpose remains separate from data collected for another purpose. It also establishes the assumption that all access — including access by persons, machines, and software logic — must be controlled by authorizations which are defined by the purpose of storing that data.

Data separation is highly relevant in the legal industry as ethical walls are commonplace to avoid conflicts of interest while handling legal matters, adherence to the country or region-specific data protection laws, and even role-driven access. Individuals and corporations may be simultaneously involved in different types of matters with various legal representation. For proper handling, data needs attributes that reflect the purpose of its use. Attributes can be used to separate data access and control, a matter code, for example. It is critical to organize the data in a way that separates a single legal entity or legal matter from any other broader organizations or client involvements.

In short, access to data should only be granted if the user has a reason to utilize that information under the predefined purpose for storing that data. Fulcrum’s applications include an enterprise-grade technical authorization schema that allows separation by these types of attributes and more.

Transmission Control

Proper encryption during transmission is required to safeguard the security of data, but it is even more important to avoid illegal transfers. Handling that risk means that you need to identify any interface in a system dealing with personal data, document the interface, and provide authorizations ensuring that only designated personal information is accessed according to the purpose of storing that data — this includes any data access that takes place over remote function call (RFC) connections. To help make RFC communications more secure, Fulcrum Snap leverages the Unified Connectivity (UCON) concept, a basic functionality included with SAP applications.


In the end, each law firm will have to find its path in following evolving regulations for data privacy and protection. Regardless of the technology used to handle compliance, one sensibility to hold on to comes from former US Deputy Attorney General Paul McNulty: “If you think compliance is expensive, try non-compliance.”


Written by: Drew Blazaitis

Drew Blazaitis leads Fulcrum Global Technologies’ product strategy and innovation teams, focusing on Fulcrum’s end-to-end legal product suite, emerging technologies, go-to-market activities, and value engineering practices.

Check out Drew’s How to Know When Your Business is Ready for Artificial Intelligence for more information about data preparation and AI.