Third-Party Risk Management for Law Firms: Counsel, Barristers and Expert Witnesses

Your client's confidential data does not stay within your firm. It travels to barristers' chambers with instructions, to expert witnesses with case papers, to eDiscovery providers with entire document sets, to costs draftsmen with billing information, to medical experts with health records. Each of these third parties is an extension of your data controller obligations under GDPR — and most law firms have little visibility of what security controls these parties actually have in place.

Over 60% of organisations have suffered a data breach caused by a third party — and law firms share some of the most sensitive data imaginable.

The Third-Party Data Sharing Reality for Law Firms

A typical law firm's client data flows to a significant ecosystem of third parties:

  • Barristers' chambers: instructions, pleadings, and case papers routinely contain sensitive personal data
  • Expert witnesses: medical experts, forensic accountants, and surveyors receive client files and documents
  • eDiscovery and document review providers: entire document sets in commercial litigation, including highly sensitive correspondence
  • Court filing services: e-filing platforms that handle case documents
  • Costs draftsmen and litigation funders: detailed financial and billing information
  • Translation services: case documents translated — sometimes including medical or financial content
  • IT service providers and cloud platforms: your practice management, email, and document management systems

Your GDPR Obligations When Sharing Client Data

As data controller, your firm is responsible for ensuring that every processor you share data with provides sufficient guarantees of appropriate security. This is not a theoretical obligation — it is one the ICO actively enforces. In practice, this means:

  • Data processing agreements (DPAs) in place with every third party that processes personal data on your behalf
  • Due diligence on the security of every processor at the time of engagement
  • Ongoing monitoring — not just a one-time questionnaire at contract signing
  • Ability to demonstrate to the ICO that you have assessed your processors' security

Panorays: Automating Third-Party Risk for Legal Sector Supply Chains

Panorays replaces the manual questionnaire process that most firms use (sending PDF questionnaires, waiting weeks for responses, accepting answers at face value) with continuous, automated assessment. Panorays assesses the actual external security posture of your third parties, in real time. When a chambers' IT infrastructure changes, when an expert witness's email server becomes vulnerable, or when a security update for your practice management platform has not yet been applied by your provider, Panorays tells you.

Frequently Asked Questions

Are barristers' chambers subject to GDPR?

Yes. Barristers' chambers are independent data controllers for much of the data they receive. However, when they process data strictly on behalf of your instructing firm — which is less common — they act as processors. Either way, you should have a data sharing agreement in place and satisfy yourself that appropriate security measures are in place before sending client documents.

What happens if a third party we share data with suffers a breach?

You may be required to notify the ICO if the breach involves personal data you sent to the third party. The ICO expects you to have carried out due diligence on the third party's security. If you cannot demonstrate that due diligence, you face regulatory exposure in addition to reputational damage. Panorays provides the audit trail that demonstrates you assessed and monitored your third parties' security.

How do we manage security due diligence for one-off expert witnesses?

For one-off engagements, proportionality applies — you do not need to conduct a full security assessment of every expert witness. However, you should have standard contractual terms including security obligations, avoid sending data via unencrypted email, and use secure file sharing platforms where possible. Panorays can assess frequently used experts and chambers on an ongoing basis.

Automate your third-party risk assessments with Panorays

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
