
Your information

We understand the importance of information and data security to both our business and to you as our client. We are committed to protecting the security and integrity of all data within our control including, but not limited to, complying with the requirements of GDPR and the Data Protection Act 2018. This is evidenced in part through our full ISO27001:2013 accreditation which we have held since January 2013 - we were one of the first UK law firms to achieve this accreditation. In addition, we are fully compliant with Cyber Essentials Plus.

Specifically in relation to GDPR and the Data Protection Act 2018, we implemented an extensive and comprehensive project for the purposes of ensuring compliance with all UK data protection legislation. We summarise below a number of key elements that formed part of this project, many of which were already entrenched within the business in any event and are now incorporated within the business-as-usual operation of the firm:

  • Information security is managed by the Information Security Group (ISG) whose role is to ensure our security requirements are maintained, review effectiveness of systems and manage risk. The ISG reports to our Risk and Compliance Committee and the Exec.
  • We have a comprehensive suite of policies and procedures to deal with data protection and information security and these are available (where applicable) to staff on our microsite. These cover areas such as acceptable use, access control, clear desk and screen, encryption, incident reporting and data classification.
  • As part of our ongoing awareness programme, we have in place a training plan for data protection and information security (including cyber risk) in order to raise awareness and provide more detailed training and education. In this respect, everyone in the firm has undertaken compulsory information security, data protection and confidentiality e-learning training which is completed as part of induction and annually thereafter. The Information Security Group (ISG) also raises awareness of information security issues via annual updates, poster campaigns, and quizzes/spot checks.
  • From a data control perspective, we operate a ‘paper light’ approach across our offices whereby documents received are stored within our secure electronic filing systems and hard copies are only retained where absolutely necessary. Where appropriate, access to the electronic file is restricted to those necessary for the efficient running of the file. Also, we use secure data rooms for the exchange of information where possible.
  • All our devices are encrypted and we carry out routine vulnerability and penetration testing of the security of our systems. We also have continual monitoring of our cyber space in place. External vulnerability scans are performed weekly by a CREST member company, and internal vulnerability scans are performed monthly.
  • All electronic equipment at 'end of life' is physically destroyed by chipping into 5mm pieces, with a certificate of destruction for every piece of hardware destroyed. All mobile phones and iPads are digitally wiped.

Further information

For further information on how we use your data, please visit the following pages:

Contact us

Please send enquiries about your data to compliance@brownejacobson.com.

Mandy Cooling

Legal Director - Risk & Compliance
