Skip to content

Data security and retention

Data security and retention

Data breaches

Firms should consider and document the risks to all types of data they hold. This should be reviewed regularly – for most businesses, at least annually.

Data breaches can happen in many ways, including:

  • employee mistakes
  • equipment failure
  • hacking
  • cyber-attacks
  • malware (software designed to gain access to your computer systems) and
  • loss of equipment.

Preventing breaches by employees

Many data breaches are caused by employees. Make sure your staff are trained to keep data secure by focusing on topics such as:

  • what to do if there is a data breach and how to report one
  • how to transfer data securely (both inside and outside the office)
  • how to work securely from home
  • how to comply with the firm’s personal data-protection policy
  • how to avoid falling victim to malware, phishing and other types of cyber-attacks
  • being careful with the firm’s information on social media and
  • setting up proper passwords.

Keep a record of how you process and store information. Consider how you keep records of communications on all platforms that your organisation uses, such as email, social media, etc.

If you use suppliers to process information, conduct appropriate due diligence to ensure they handle information with care and keep it secure. Contracts with suppliers should include assurances that they will conform to all relevant national data-protection legislation and have appropriate controls in place to keep data safe. For UK and EU firms there are also mandated contractual clauses that must be added into supplier contracts. The UK Information Commissioner’s Office’s Contracts and liabilities between controllers and processors provides guidance on these contractual terms.

If you (and/or any of your suppliers) use cloud storage, the following is important.

  • Make sure you understand the physical jurisdiction where the information is held and/or the cloud is hosted, and make sure you are within the relevant agreements regarding transferring personal information between countries.
  • Make sure you know the location of all data and the relevant jurisdictional regulations governing that location.
  • Consider the location of all the stakeholders for whom you process personal information (you may fall under regulations and laws that apply in other countries and jurisdictions).
  • Consider circumstances where encryption is needed to further protect information, either in transit (when it is transferred) or at rest (when it is being held on your computer); for example, emails, file-sharing websites, laptops, etc.
  • Consider whether certain information requires additional encryption or security to protect it; for example, bank/payment or health-related information.

Staff training and procedures

Someone within the firm should be responsible for overseeing data-handling enquiries and controls.  Staff should know who this person is, and they should be encouraged to seek advice from them on matters relating to the processing of personal and confidential information.

All staff should also be given regular training on your processes for data handling and the relevant legislation in your jurisdiction.

Document the processes and rights for individuals to:

  • request access to data held about them
  • revoke consent
  • object to processing activities
  • request that data is deleted and
  • for errors etc. to be corrected.

In many jurisdictions, these are legal rights, and there may be set time limits to respond to requests. It is important to train staff on how to recognise and handle these requests.

You should also have processes in place to identify, rectify, report and keep records of data breaches. These should be clear about:

  • when those affected need to be told about a breach and
  • when it is required that a breach be reported to a regulator.

The individual in your firm who is responsible for information-handling should oversee these decisions.

It is important that you handle breaches in a way that does not discourage staff from reporting them. Try to avoid individual blame. The aim of the process should be to:

  • make sure you’ve complied with the law and
  • identify changes to processes and training that reduce the risk that a similar breach will happen in future.

Data retention

Only keep data for as long as it is necessary to do so. Firms usually have a retention policy that sets out how long different types of data should be kept for. This is linked to the purpose for processing data and varies for different types of data.

Firms may need information to respond to claims made against them, so retention policies may be based on this. To do this, you need to know if there are any time limits on starting legal claims in your jurisdiction. This can be a complex question. For example, in England and Wales the limitation period may be:

  • six years from when the service was provided
  • six years from when a loss was suffered
  • a long-stop position of 15 years if the claimant did not know a loss was suffered earlier or
  • 12 years, depending on the type of instruction and the type of claim.

More details are given in the current edition of Risk, liability and insurance, RICS guidance note. Members and firms may need to take advice on the jurisdictions they work in.

Firms may also be asked to transfer their file to a new firm that the client has instructed, or directly to the client. But not all documents on a working file necessarily belong to the client; what does depends on:

  • your contract with the client
  • the service and deliverables you have agreed to provide and
  • the law in your jurisdiction.

In England and Wales, there is some law about what documents on a solicitor’s file belong to a client. Broadly, documents that were provided by your client or that your client has paid for belong to them, but your internal notes, emails and copy correspondence may not. However, remember that the client may also have a right to access the personal data you hold about them in those documents. If you are unsure about what should be provided, you may need to take legal advice.

Security processes and controls, and cybersecurity advice

Firms globally are being targeted by frequent cyber-attacks. Advice on this can change frequently. Government agencies provide advice about the steps that businesses can take to keep safe, such as:

‘Cyber security’ includes the technology, policies and procedures that you have in place to protect data against cyber-crimes such as hacking or ransom attacks.

Top tips:

  • Breach detection: some cybersecurity breaches happen months or even years before a firm becomes aware. Cyber criminals can be subtle operators. Make sure that the information technology and security people in your firm have implemented proper breach-detection technology so that they are alerted of a cyber-attack at the earliest opportunity.
  • Software patches: software applications must be updated regularly to ensure that flaws in security are remedied. If your software needs updating, it means you are vulnerable. Fix it.
  • Penetration testing: carry out regular penetration testing on your network to ensure that you fix the weak spots before hackers exploit them.
  • Encryption: encrypting data when it is stored (at rest) and when it is in transit can mitigate the worst effects of hackers. Consider a risk-based approach to determine which of your data should be encrypted. It is always wise to have an encryption policy in place.
  • Firewalls: a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the internet.
  • Cyber insurance: make sure your firm has adequate insurance to cover you against the effects of a major personal data breach. The General Data Protection Regulation (GDPR) exposes firms more than ever before to fines, liabilities and litigation.

Consider appropriate strategies such as:

  • password creation and updating rules
  • multi-factor authentication and
  • anti-malware/antivirus software.

Regularly review user privileges and, where practical, keep logs/audit trails of access to systems that hold data. Protect against data loss with regular backups to appropriate offsite storage.

With the increase in hybrid working, with many employees now working from home either partly or wholly, consider the use of additional tools such as virtual private networks (VPNs), and define policies and rules about the use of devices, including printers, in a home office setting.

Where appropriate and practical, consider and enforce the separation of functions that represent high levels of data risks (e.g. payments). Authenticate the initial setup and updating of payment details through a second method of communication to prevent fraud and cyberattacks. For example, if you are sent bank account details by email, have a process that requires a phone call to a known telephone number for that client to authenticate the details in the email. RICS has seen examples where internal email systems have been compromised so that an email that appeared to be from a colleague providing a change of bank account details was actually from a fraudster. A process that always required a double check with the client may have prevented the loss of funds that resulted.

Phishing emails are becoming increasingly sophisticated. They can look almost identical to a legitimate notice from a company/organisation.

Don’t forget that, if you have physical data in hard-copy files, this also needs to be kept secure in locked storage. Have processes for staff around the handling of physical data within office locations, when travelling, when working at external locations and in home-office settings.

Confidentiality and non-disclosure agreements

Confidential data and information are usually protected by confidentiality clauses or non-disclosure agreements. These are fundamental to protecting a company's vital confidential and proprietary information, whether disclosed internally or while engaging with other business parties. These agreements are commonly referred to as:

  • confidentiality agreements (CAs)
  • nondisclosure agreements (NDAs) or
  • confidential disclosure agreements (CDAs).

NDAs are essential tools for managing the disclosure of sensitive business information both internally and to other parties. They set out:

  • restrictions on a receiving party's use, disclosure and return of a disclosing party's confidential information and
  • the parties' related rights and obligations.

The most effective agreements are those that are:

  • directly relevant to the parties' business needs and
  • specifically tailored to reflect the business purpose for which the information is to be shared.

In addition to safeguarding its own confidential information, a firm is often contractually responsible for protecting information that another party discloses to it. As well as imposing protective restrictions and obligations on parties that receive its confidential information, a firm should also seek to minimise its administrative burden and potential liability for managing and protecting confidential information that it receives from others.