GDPR compliance – why you should appoint tlam to be your Data Protection Officer

There is a lot of preparation to be done before the GDPR Data Protection Laws come into force on May 25th. Amongst other things, you have to document every process you carry out which involves personal data, identify all of the types of data, the legal basis for holding it and how long you retain it for, and document the measures you take to make it secure. You also have to write Privacy Notices, have Processor agreements and lots more…

There is something else you have to do… you have to evaluate and document your reasons for deciding whether or not you need a Data Protection Officer, and the chances are that you will need one….

And the Data Protection Officer has to have particular skills and attributes and a particular position in your organisation:

  • They have to be invited to participate regularly in meetings of senior and middle management and their opinions on data protection given due weight
  • They must be given the time, resources and training required to carry out their tasks and maintain their expert knowledge
  • They must be able to perform their duties in an independent manner and cannot be instructed
  • There can be no conflict of interest so they cannot hold a position in your organisation which leads them to determine the purposes and means of processing personal data (so they cannot be a member of your senior team)
  • They cannot be dismissed or penalised for performing their tasks and this includes absence or delay in promotion or other benefits as well as dismissal
  • Data protection compliance is a corporate responsibility of the data controller not of the DPO

So this is a very difficult appointment to make.

But help is at hand –

The Article 29 Working Party Guidelines on Data Protection Officers (“DPOs”) outline how the function of the DPO can “be exercised on the basis of a service contract concluded with an individual or organisation outside the controller’s/processor’s organisation”.

WP29 states that in such an arrangement “individual skills and strengths can be combined so that several individuals, working in a team, may more effectively serve their clients”.

We at tlam agree

The Working Party recommends that in this case there is a clear allocation of tasks within the DPO team with a lead contact and person in charge assigned to each client.

We at tlam agree

We believe that we already have a good understanding of your business from our experience of working for Law Firms, so let us work with you and take away the headache of appointing a suitable DPO. We can do this role for you effectively and in a much more cost-effective way.


tlam achieves ISO27001 certification

At the end of August, tlam achieved ISO27001 certification – the international standard organisation mark for information security management.

With the great professional service given to us by ISO Quality Services Limited (ISOQSL), we are happy to confirm that we eased our way through to certification and will be undergoing our first audit in 6 months’ time.

The Development of our Business

We have been outsourcing finance departments, legal cashiering and accounts to Law Firms for nearly 10 years and now we are branching out into new technology ventures and diversifying our business.  As we roll out our new Paralegal offering and Mushroom, we wanted to enshrine our corporate and data governance in a recognisable standard of compliance. We are reinforcing our commitment to the diligent service we provide for our clients.

By going through the ISO certification, we are taking a proactive step to ensure full forward compliance with the General Data Protection Regulations.

Ironically, in the few days prior to our initial assessment, the Law Society published its article advising Law Firms to take up the ISO27001 assessment in order to get prepared for GDPR.



The Process

The ISO27001 certification process involved the following:

  • Identifying the clauses of the standard we need to comply with;
  • Writing a comprehensive information security policy document;
  • Making sure the policy is wrapped around a strong layer of corporate governance to achieve total compliance around the organisation. This should touch everything; visiting and physical security, maintenance of IT network and user access controls, software development, HR and controlling documentation;
  • Undergoing comprehensive risk assessments on information assets and forced entries into the network through various forms of breaches including Cyber Attacks;
  • Formulating a robust framework for internal auditing.

The Verdict

10/10 would recommend, particularly for Law Firms.

We were very happy with the outcome and pleased that we had some great risk management structures and policies in place prior to our decision to take on the ISO27001 certification. Our assessor at ISOQSL had this to say about tlam’s initial certification:

“tlam are a highly professional company which was clear to us ever since we first met with them earlier in the year. After their assessment for ISO 27001 we could see that they had detailed systems in place and were in a strong position for certification. We’d like to congratulate them on achieving ISO 27001 certification and thank them for being a pleasure to work with.”

If you would like some further information on data governance or the ISO27001 get in touch with Ed or Anne by calling 01684342023.

You can view our information security policy notice here.

All detailed information is available on request.


What is your Law Firm doing about GDPR?


The General Data Protection Regulations (GDPR), set out by the European Union, tie together previous laws emanating from the Data Protection Directive (DPD) and are coming into effect in 2018.

If planned correctly, Law Firms will find it a straightforward consolidation of data destruction practices carried out physically. However, leaving it until later might give you a sore headache and an inspection from the ICO. Just last week the ICO fined eleven charities for misuse of personal data. Think about all those sensitive client documents you have saved on your practice management systems, and the invoices, card details and personal banking data your legal cashiers may be processing during the case.

The general principles of GDPR place more power in the hands of data subjects and more responsibility on companies and internet providers to protect and destroy personal data on behalf of the data subject.



The GDPR requires that personal data shall be:

  • processed lawfully and transparently,
  • collected for legitimate interests,
  • retained securely and accurately for no longer than required.


The GDPR creates the following new rights for individuals and strengthens some existing rights under the Data Protection Act. The right:

  • to be informed;
  • of access;
  • to rectification;
  • to restrict processing;
  • to erasure;
  • to portability.


The GDPR includes provisions that promote accountability and governance

Organisations must introduce technical and organisational measures to ensure and demonstrate compliance.


The GDPR imposes restrictions upon transfer of personal data outside the European Union, to third countries or international organisations to ensure protection of the individual is not undermined.


The GDPR requires organisations to notify the supervisory authority within 72 hours where a breach is likely to result in a risk to the rights and freedoms of individuals. If a breach is likely to result in a high risk to rights and freedoms, individuals must be notified.


Start thinking about how you should frame your data protection policies in line with the principles set out by GDPR. Think about how you document the decisions you take about processing activity.

Manage your consents to data and think about how you distribute information to your clients and any of their personal data. Firms need to manage consents and policies, and have the ability to access personal data efficiently.

Document policies and processes including a Data Protection Impact Assessment, Distribution and Data Mapping.

Produce contract terms to reflect transfer requirements and document transfers and data flows. Implement processes to determine breaches, ascertain the scope of data at threat and inform all concerned parties swiftly.


Have you mapped out where all your data is stored, distributed, secured and accessed digitally?

Do your Practice Management Systems comply with ICO guidelines on the storage of digital data?

How much stuff is the firm distributing via email?

How many third parties require the firm to transfer personal data?

Are individuals aware of this in your data protection policy?


Reforming the Gig Economy

From fine food, travel and accommodation through to taxis, disruptive technology and services are changing our patterns of consumption. Traditional career routes are vanishing with them, to be replaced by “the gig economy”. Artificial intelligence, distance and flexible working are going to revolutionise the legal market, and only the fleet of foot will be in employment when the dust settles.

Tlam wants to innovate in this space. The gig economy holds huge opportunities not only for law firms, but for aspiring lawyers who seek to learn the trade properly before making their mark.  So far, the winners have been businesses which settle the age old dilemma of how to find trustworthy counterparties for what may be short term engagements.  Uber and Amazon have cracked the problem of trust with their star rating schemes.   Tlam aims to do the same for legal employment, creating the Commercial Awareness in Practice (CAP) programme that we think you should be part of. Here is the explanation of why.

Uber and Amazon have received much criticism for their business models, most notably for their flaky definition of employment.  As a result they face class action law suits across the globe.  NYU Business School Professor, Arun Sundararajan, wrote recently in the Guardian on how these new business models which seem to offer greater freedom for employees, also widen the opportunity for a privileged few to exploit the rest.

Meanwhile, the paralegal labour market has been part of the gig economy for many years. Law grads may spend years as a paralegal between different firms.  Many are paid a pittance.  Only the lucky few make the transition from paralegal to trainee.  Even at the best it is a waiting game, with little in the way of either income or hope to show for years of study.

There has been some good reform: steps such as new professional institutes and reinvigorated training pathways. There are some great organisations serving paralegals which have helped budding lawyers find their feet in the profession. However, the market factors driving the legal gig economy present many threats as well as opportunities for young lawyers. Legal services are becoming more commoditised. Good information on legal services is becoming easier and cheaper to access, and the competition in areas such as property, immigration, contract drafting and now even litigation (with apps such as Apperio and new court mechanisms like Precedent H) is putting downward pressure on legal fees. This puts pressure on profits and thus costs, giving solicitors less money to spend on meaningful training and employment at graduate entry.

The margins in current business practices are not good enough and, frankly, the outcome has been a regime of low pay, insecurity and the absence of training opportunities. And clearly, gig economy behaviour amongst firms is likely to expand. But legal services are a great deal more complex than taxi rides or discount clothing. In a legal market characterised by oversupply, the firms which win in the future will be those that win the public’s trust. And that is true as much of those they employ. Scaling up at short notice presents the problem of how to ensure they are hiring a competent legal mind with a good fit for the job. Employment agencies abound, but typically they charge a fortune, add no value and make little effort to achieve a proper match. And when a law firm needs an extra brain for a juicy case, AI will crunch volume but never sort the finer points.

There is a strong demand for solicitors with very strong legal and marketing skills in mid-size firms. As the partners turn to recruitment agencies to find staff, the labour market becomes increasingly dynamic and salaries climb. There is little incentive to train your own from the start, as the better a training firm does, the more mobile the trainee becomes on qualification. The larger firms are winners in this market. The badges of all the magic circle firms are on most of the Russell Group law societies. Student law society presidents promise to do more for students interested in non-corporate law, but it is a difficult task to achieve. There are many small to mid-size firms doing a fascinating range of work from alternative investments, corporate and international trade to civil litigation and family. These are great places to work. With that considered, how then do you break through?

Finding opportunities in the gig economy.

In 2016 there was a record number of legal start-ups globally, with many receiving authorisation from the SRA. Thanks to new disruptive technologies and business models, some law firms will grow exponentially. It currently appears that they may be advancing on some of the market share previously held by the top 100. These are the firms that shun the trainee market and struggle with finding and keeping talented assistant solicitors. Our aim is to bring top quality experience to these firms.

So far all the running has been made by graduates with starry academic records.  Our experience in the field tells us there is an appetite for qualities and skill sets which are sometimes harder to spot – computer programming, business management and financial literacy.  A tenacious approach can be rewarded by acquiring a CV that transforms a graduate into a super employable training contract applicant.

What Tlam are doing about it

Tlam has been in the outsourcing business for 8 years serving law firms up and down the country.  We have got to know the innermost thoughts of law firm partners on how to survive the turbulence of the law market.  We can see their desperate need for support that is “office ready”, realistic, disciplined and determined to make a difference.  Meanwhile, our own recruitment efforts have clearly demonstrated the availability of talent in the huge pool of law finalists.  The challenge for everyone is to achieve a match truly based on merit.  We can see how important it is that hiring is based on a true assessment of a candidate’s ability and experience.

The model we have been piloting is to equip a team of paralegals with lateral skill sets such as financial management, computer programming, data architecture and market intelligence. Some of this is done in our own practice, building and maintaining the financial architecture for these firms. Some comes from a host of recently retired senior solicitors who have valuable mentoring to offer.

A two speed programme: The Tlam Grad Scheme

We are therefore introducing a two speed grad scheme. One is the enterprise programme centred around our offices in Gloucestershire and London where candidates can combine  legal placements and financial management. The other is our affiliates programme, which is solely focused on legal experience.

The way we attract the very best minds to our two schemes is the work we put in to get our people settled with a law firm training contract. The way we achieve this is by offering exposure to things that are not found in a conventional vacation scheme, from boutique solicitors’ firms through notaries to innovative projects. We will also be offering a new internship for 2017, providing basic paralegal and financial management skills prior to placement.

Graduates who work with us know they will have a real advantage in the legal labour market.  Employers know they can trust us to select and deliver the very best support for whatever task they have.


Our take on the SRA accounts rules changes 2017

Last week the SRA held a consultation webinar regarding the proposals on the SRA accounts rules changes due in 2017. Tlam dialled in and since then, we have been openly discussing what this means for us and our firms in the future. We have debated and deliberated on the changes, as these reforms are comprehensive and leave some questions unanswered. However, our overall judgement is that these changes are forward thinking and more in line with the expectations of other professional services associations and regulatory bodies.
The key areas of reform:

  • Definition of Client Money and Client Liability
  • Abolition of the ‘Office Account’
  • Mixed Payments
  • Payments from the Legal Aid Agency
  • Alternative Client Accounts – TPMAs (Third Party Managed Accounts)


Like all big changes intended to simplify regulation, these carry the potential for increased risk over compliance, cybercrime, reputation and ultimately financial health. However, we at Tlam believe that, with the right tools and training resources, these changes provide new opportunities for law firms to expand efficiency, profitability and dynamism.


Over the next months we will be sharing our judgements on the main areas of reform, offering insight and advice to those who are unsure of what the SRA rule changes mean for them.