Why need-to-know security is essential for GDPR compliance

Most people understand that the European Union (EU) introduced the General Data Protection Regulation (GDPR) to provide better data protection and privacy for all individuals within the EU. Not everyone realises, however, that the regulation does not just affect organisations established in the EU: under its territorial scope (Article 3) it also applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.

Put another way: the AmLaw 200 legal services providers in the US can no more afford to ignore GDPR requirements than the Magic Circle law firms can in the UK.

While GDPR encompasses many tenets around how data is stored and processed, perhaps the most important is “data protection by design and by default” (Article 25). Practically speaking, this means an organisation must implement appropriate technical and organisational measures so that, by default, only the personal data necessary for each purpose is processed and it is not made accessible to an indefinite number of people. For law firms and other professional services organisations who handle highly sensitive matters on behalf of their clients, this fundamentally means maintaining control over who can access content.

Most of the content that firms handle takes the form of documents and emails, usually stored in a centralised repository such as a document management system (DMS). Historically, firms have used an “open” or “optimistic” security model for documents stored in the DMS: anyone within the firm can access any file, so that they can look for material to reuse or repurpose on a different matter.

In the age of GDPR, this open model is no longer appropriate – firms need to implement ‘need-to-know security’ for their documents and emails. Brown Rudnick, a law firm representing clients from around the world in high-stakes litigation and transactions, is one such example. The firm has instituted processes and policies for need-to-know access, content segregation, ethical walls and barriers – to meet today’s security threats and client and regulatory demands.

Controlled Access to Sensitive Data

As the name suggests, need-to-know security ensures that access to important files is strictly limited to the people who need that information, rather than open to anyone within the firm. In this “closed” or “pessimistic” security model, access is denied by default and granted explicitly (the principle of least privilege). That tight control both reduces the number of people who can reach a given document and limits the damage that a compromised account or a malicious insider can do, because each identity can only reach the matters it has been granted.

Implementing security policies globally across the firm is essential, as is the ability to accomplish this task in a scalable manner.

Most ethical wall and content segregation solutions operate by cascading the appropriate security settings when a wall is created, writing them to every folder and document in the workspace being protected.

The cascade triggers re-filing and full content re-indexing of every touched document, placing a very noticeable load on the DMS database and server. It often also creates a large indexing queue, which prevents new documents from being indexed and delays their inclusion in search results. Because the settings are written document by document, there is also a window during which the wall is only partially applied. As a result, users can be impacted by a slow-running system and the inability to search for and find recently added documents.

Professional services organisations therefore need a solution that manages security policies at scale, so that walls can be created without these side effects while still meeting GDPR’s data protection requirements.
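The following Python model is an added illustration of the difference between the two approaches discussed above; it is not code from iManage, Brown Rudnick or any DMS product, and the page does not say how any vendor implements walls. It contrasts a cascade, which rewrites the allow list on every document in a workspace and queues each one for re-indexing, with a policy overlay, which keeps the wall as a single record and evaluates it at access time under a default-deny rule. The matter IDs, team memberships and document set are constructed for the example.

```python
"""Toy model of need-to-know document access with ethical walls.

Compares two ways to enforce a wall over a matter's workspace:
  * cascade: stamp the allow list onto every folder and document in the
    workspace (the approach the text describes; every touched document is
    also queued for re-indexing), and
  * overlay: keep the wall as one policy record and consult it at access
    time, so creating a wall touches no documents at all.
Names, matter IDs and team memberships are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Document:
    doc_id: str
    matter: str                                   # workspace the document belongs to
    acl: set = field(default_factory=set)         # explicit allow list (cascade model)
    needs_reindex: bool = False                   # set when the cascade rewrites the ACL


@dataclass(frozen=True)
class Wall:
    matter: str
    screened: frozenset                           # users screened off this matter


def optimistic_can_access(user, doc):
    """The historical 'open' model: anyone in the firm can open anything."""
    return True


def cascade_wall(docs, matter, team, screened):
    """Cascade model: write (team minus screened users) onto every document in
    the workspace. Returns the number of documents rewritten; each of them is
    also flagged for re-indexing, which is where the DMS load comes from."""
    allow = set(team) - set(screened)
    touched = 0
    for doc in docs:
        if doc.matter == matter:
            doc.acl = set(allow)
            doc.needs_reindex = True
            touched += 1
    return touched


def cascade_can_access(user, doc):
    """Cascade model check: deny unless the user was stamped onto this document."""
    return user in doc.acl


def overlay_can_access(user, doc, teams, walls):
    """Overlay model check, default deny: the user must be on the matter team and
    must not be screened by any wall over that matter. The wall is read, not copied."""
    if user not in teams.get(doc.matter, frozenset()):
        return False
    return not any(w.matter == doc.matter and user in w.screened for w in walls)


def pending_reindex(docs):
    """How many documents the indexer still has to process after a cascade."""
    return sum(1 for d in docs if d.needs_reindex)


def build_sample():
    """Constructed sample: two matters, five documents, two matter teams."""
    docs = [
        Document("D1", "M-001"), Document("D2", "M-001"), Document("D3", "M-001"),
        Document("D4", "M-002"), Document("D5", "M-002"),
    ]
    teams = {
        "M-001": frozenset({"alice", "bob", "dana"}),
        "M-002": frozenset({"erin", "dana"}),
    }
    return docs, teams


if __name__ == "__main__":
    docs, teams = build_sample()
    # dana has a conflict on M-001 and must be screened off it.
    walls = [Wall("M-001", frozenset({"dana"}))]

    # Overlay: one policy record, zero documents modified.
    print("overlay alice->D1", overlay_can_access("alice", docs[0], teams, walls))   # True
    print("overlay dana ->D1", overlay_can_access("dana", docs[0], teams, walls))    # False (screened)
    print("overlay dana ->D4", overlay_can_access("dana", docs[3], teams, walls))    # True (other matter)
    print("overlay erin ->D1", overlay_can_access("erin", docs[0], teams, walls))    # False (default deny)
    print("documents rewritten by overlay:", pending_reindex(docs))                   # 0

    # Cascade: the same wall rewrites every document in the workspace.
    print("documents rewritten by cascade:", cascade_wall(docs, "M-001", teams["M-001"], {"dana"}))  # 3
    print("cascade dana ->D1", cascade_can_access("dana", docs[0]))                   # False
    print("queued for re-indexing:", pending_reindex(docs))                           # 3
```

The point of the comparison is the cost per wall: the cascade's work grows with the number of documents in the workspace, and every rewritten document goes back through the indexer, whereas the overlay stores one record and does a cheap lookup per access. Both models give the same answers, and both are default deny for anyone not on the matter team.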

An Essential Piece

Customers today expect that their sensitive data will be properly looked after and protected, and increasingly regulations like GDPR are enforcing it. Implementing need-to-know security across the organisation, in a scalable fashion, lets firms demonstrate, as GDPR’s accountability principle requires, that they are meeting its core data protection obligations in every jurisdiction where they operate.

To the extent that GDPR is a harbinger of other data privacy regulations that will emerge on a statewide, national, and regional basis, need-to-know security stands as an essential part of how firms can address these regulations, enhancing the protection around their important documents and emails and the confidential data they contain.


By Ian Raine, Vice President of Product Management at iManage
