Data Privacy Compliance Checklist

Privacy Policy and Notice Review

    Capture the live version of the policy from the firm website and any client portal. Compare against the version-controlled copy in NetDocuments or iManage — drift between the published page and the master file is a common audit finding.

    Walk through any new tools adopted in the last year — e-signature, eDiscovery platform, marketing automation, AI drafting — and confirm each category of personal data and processing purpose is reflected in the policy. Lawmatics intake forms and Clio Grow are commonly missed.

    Verify CCPA/CPRA notice at collection for any California clients or web visitors, GLBA Privacy Notice for matters touching financial information, and any required consumer-rights links. Single-state policies are insufficient if the firm's website accepts intake from other jurisdictions.

Data Inventory and Flow Mapping

    List every category of personal data the firm processes by practice area — immigration files include biometrics and national IDs, family law files include minor children's data, PI files include medical records. Note retention period per state bar minimums (commonly 5–7 years post-close).

    Identify any client data hosted outside the US — Microsoft 365 tenant region, Clio data center, eDiscovery vendor processing in the EEA. If the firm represents EU residents or transfers data to EU offices, confirm Standard Contractual Clauses are in place.

    The Record of Processing Activities (RoPA) captures purpose, lawful basis, categories of data subjects, recipients, and retention. Required under GDPR Art. 30 for any EU-touching firm; treated as a best-practice artifact even where not required because state regulators increasingly request it.

Client Rights and Consent

    Walk the data subject request workflow from request receipt through identity verification, attorney review, and response. CCPA gives 45 days; GDPR gives 30 days. Privileged work product and current-matter strategy are typically exempt — confirm the response template flags those exclusions correctly.

    Submit a dummy intake through Lawmatics, Clio Grow, or whichever lead tool is in use. Confirm the consent checkbox is unchecked by default, the timestamp is captured, and the consent record is retrievable. Pre-checked boxes are not valid consent under GDPR or CPRA.

    Receptionists and intake specialists routinely take case facts before a conflict check clears. Reinforce that even pre-engagement consultation information is confidential under Rule 1.18, and that consent waivers cannot supersede the duty of confidentiality.

Technical and Administrative Safeguards

    Use the NIST CSF or a Rule 1.6(c) reasonable-safeguards checklist. Score each domain (access control, encryption, endpoint protection, backup, vendor risk) and rate overall residual risk. The IT manager runs the assessment; the managing partner signs the conclusion.

    Pull the MFA enrollment report from Microsoft 365 / Google Workspace, Clio or NetDocuments, and any remote-access tool. Every active attorney and staff account must have MFA on; service accounts and shared mailboxes are the usual gaps.

    Confirm ethical walls are enforced in iManage or NetDocuments — lateral hires and conflict-screened matters frequently have stale ACLs. Cross-check against the conflicts database to make sure screened attorneys cannot reach the matter file.
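    The cross-check above can be scripted once the DMS access list and the conflicts screen list are exported. The following is an added example, not part of the checklist or any DMS vendor's tooling; it assumes two CSV exports (column names and sample rows are constructed) and reports every screened user who can still reach a matter workspace, plus screens that point at matters with no workspace on record.

```python
"""Cross-check DMS matter ACLs against the conflicts database (added example).

Assumes: a DMS export with columns matter_id,user,permission and a conflicts
export with columns matter_id,screened_user,reason. Both samples below are
constructed for illustration.
"""
import csv
import io

# Constructed sample: who can read each matter workspace in the DMS.
DMS_ACL_CSV = """matter_id,user,permission
M-1001,abrown,read
M-1001,cdiaz,read
M-1001,jsmith,read
M-1002,cdiaz,read
M-1002,efox,read
"""

# Constructed sample: who the conflicts database says is walled off.
SCREENS_CSV = """matter_id,screened_user,reason
M-1001,jsmith,lateral hire from opposing counsel
M-1002,abrown,adverse prior representation
M-1003,efox,personal conflict
"""

def load_acl(text):
    """Map matter_id -> set of users with any access in the DMS export."""
    acl = {}
    for row in csv.DictReader(io.StringIO(text)):
        acl.setdefault(row["matter_id"], set()).add(row["user"])
    return acl

def load_screens(text):
    """Map matter_id -> set of users screened from that matter."""
    screens = {}
    for row in csv.DictReader(io.StringIO(text)):
        screens.setdefault(row["matter_id"], set()).add(row["screened_user"])
    return screens

def find_wall_breaches(acl, screens):
    """Return sorted (matter_id, user) pairs where a screened user still holds access."""
    breaches = []
    for matter_id, screened in screens.items():
        leaked = screened & acl.get(matter_id, set())
        breaches.extend((matter_id, user) for user in sorted(leaked))
    return sorted(breaches)

def find_unmapped_screens(acl, screens):
    """Screens whose matter has no DMS workspace: confirm the matter ID mapping."""
    return sorted(m for m in screens if m not in acl)

if __name__ == "__main__":
    acl, screens = load_acl(DMS_ACL_CSV), load_screens(SCREENS_CSV)
    for matter_id, user in find_wall_breaches(acl, screens):
        print(f"WALL BREACH: {user} can read {matter_id}")
    for matter_id in find_unmapped_screens(acl, screens):
        print(f"CHECK MAPPING: screen on {matter_id} has no DMS workspace")
```

Any breach line is a finding for the remediation plan; an unmapped screen usually means the conflicts database and the DMS disagree on the matter identifier rather than an actual exposure.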

    A remediation plan is triggered when the risk assessment scores High. Document each finding, assign an owner, and set a closure date no later than 60 days out. The managing partner reviews progress monthly until findings are cleared.

Vendor and Third-Party Management

    Include every processor that touches client data: PMS, DMS, eDiscovery, e-signature, court-filing service, transcription, expert witnesses, marketing/CRM, and managed IT. The shadow-IT vendors (file-sharing tools associates picked up themselves) are the ones that bite.

    Every processor needs a Data Processing Agreement; vendors handling PHI (medical records on PI matters) need a BAA under HIPAA. Confirm SCCs are appended for any processor outside the US. Note any vendor whose contract is missing or expired.

    For each gap, decide: renegotiate the contract, replace the vendor, or accept the risk with managing-partner sign-off. Set a target close date 30 days out and assign the firm administrator as owner.

Incident Response Readiness

    Walk through the plan with IT, the managing partner, and outside counsel for breach response. Update names and phone numbers — stale escalation contacts are the most common reason a tabletop falls apart.

    Each state where the firm has clients sets its own clock — many require notice within 30 to 60 days, some sooner if more than a threshold number of residents are affected. Build the matrix once and keep it next to the IR plan.

    Use a realistic scenario — a phishing compromise of a paralegal mailbox containing privileged matter correspondence. Time the response from detection to client notification. Capture any decisions that took longer than they should have.

    A reportable breach is one that triggered notification under any state law, GDPR, HIPAA, or the firm's contractual obligations. Even contained incidents that did not trigger external notice should be logged.

    Capture detection timestamp, scope, affected data subjects, notifications sent (regulators, clients, carriers), and corrective actions. Attach the final notice letter and any regulator correspondence. Required for the malpractice carrier's annual disclosure questionnaire.

Compliance Monitoring and Training

    Sample 10 closed matters and 5 open matters across practice areas. Verify retention policy followed, access logs clean, no unauthorized DMS exports, and no client data in personal email or personal cloud. The firm administrator runs the sample; the managing partner reviews findings.

    Cover Rule 1.6 confidentiality, phishing recognition, secure file-sharing, and the breach reporting hotline. Required for all attorneys and staff including contract attorneys and temps. Track completion and follow up individually with anyone who slips past 30 days.

    Managing partner reviews the assembled findings, remediation plans, training completion, and breach log. Sign-off becomes the artifact provided to the malpractice carrier and to any client requesting a vendor security questionnaire response.