Skip links

GDPR Compliance for Regulated Firms: Just Where is your Confidential Data?


This may sound like an odd question, as I’m sure many of you will be certain you know just where all your confidential and personal data is held. But do you really? And does it matter?

Private Data

Any business's data is precious, but none more so than that of regulated firms who are privy to so much confidential information and who must meet their SRA regulatory obligations to maintain client confidentiality. 

Not only do regulated firms hold much personal data, which is governed by the Data Protection Act and forthcoming GDPR legislation, they also hold a wealth of commercially confidential details ranging from large financial transactions, to trade secrets, through to the personal affairs of high-profile clients.

But in the globalised world in which we now operate, with increasing demands for remote working, there is a real danger that your precious business data may be scattered across the world.  Yes, some of it will certainly be residing (hopefully securely) on your in-house servers. But what about the proliferation of company and employee owned portable devices such as laptops, tablets and smartphones which now hold company data and/or emails?
And then there’s data that has been shared with business partners and other third-party organisations.  And data that has, for whatever reason, found its way onto file sharing services like Dropbox or USB sticks.

The Cloud 

Then there is the cloud.  The cloud has revolutionised the way many businesses store their data, but in doing so has also globalised the way data is stored, with many providers distributing data across servers worldwide in order to optimise costs.  The cloud takes many forms, from well-known public cloud offerings, through to private cloud environments and individual cloud-based software applications.  Understanding which of these your firm is using and where your data is actually being stored as a consequence is paramount, if you are to meet your obligations under GDPR, which include ensuring that you do not store data in or transfer data through countries outside the European Economic Area that do not have equivalently strong data protection standards. Indeed, aside from GDPR, data residency is a major concern for regulated firms from a jurisdiction point of view as well.


There’s also copies of data taken for backup purposes to consider. And do bear in mind this is not just your scheduled backups of your in-house servers, but can be backups that you may not even be aware of, such as automatic cloud backup software which may be installed on employee owned devices, which is copying confidential company data to an unknown provider’s cloud storage, in an unknown location, unbeknown to anyone.  Indeed many of you may have read about a case earlier this year when an unnamed barrister was fined by the ICO (the Data Protection supervisory body in the UK), after 725 unencrypted documents containing information belonging to up to 250 people, including vulnerable adults and children, was uploaded to the internet when the barrister’s husband updated software on the couple’s home computer.  These documents were visible to an internet search engine and the breach only came to light after a local government solicitor informed her chambers that documents containing confidential and sensitive information could be accessed online.  Under GDPR, the financial and reputational consequences for such a breach could be crippling, so it is imperative that regulated firms have a real understanding of where their data is.
In general terms, the more widespread and less controlled your data is, the more vulnerable you leave your regulated firm to a security breach.  So understanding what data you hold, where it is stored and who has access to it, is absolutely critical.  This in turn needs to be documented, both so that the Senior Partners have understanding of, and control over, their data and to provide documentation for compliance and audit purposes. This not only puts firms back in control of their valuable data, but minimises the risk of a security breach and takes the first step towards preparing for GDPR compliance.
Over coming blogs, I will be exploring in more depth some of the key issues around GDPR compliance for regulated firms. In the meantime, if you are concerned about your firm’s GDPR compliance position, please do not hesitate to contact me on 0118 920 9600 or email when I will be happy to arrange a no obligation conference call to discuss how Connexion can help.

If you would like to read other articles in our series of informational resources for senior partners at regulated firms, please visit our blog at



Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size regulated firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for regulated firms please visit our website

Rob Leverton

Rob has worked as an IT technician and project manager with Connexion for 14 years before moving into his current role as head of the technical services team.

Although Rob comes from a technical background he’s very much a people person and he is exceptionally good at building excellent working relationships with our customers and his technical team to deliver service excellence to our clients.

Rob Leverton

James Stratton

James is passionate about technology and how it can transform business.  Having worked with hundreds of businesses in many different sectors over the last 25 years he has a huge amount of business IT knowledge that he enjoys imparting to Connexions customers.

James is responsible for Connexions strategic development and also still enjoys a role in consulting and sales and marketing