The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), adopted by the European Union (EU), comes into effect this May, a little over two years after it was adopted by the European Parliament and the Council of the European Union. The GDPR is designed to protect the personal data of people in the EU wherever in the world that data is stored or processed. The high risks and costs of non-compliance under the GDPR are forcing many American companies, including law firms, to evaluate and supplement their existing data protection practices.

In General

The GDPR takes effect May 25, 2018 and replaces the 1995 EU Data Protection Directive (95/46/EC) and the national laws that implemented it, such as the UK Data Protection Act 1998. (You can access the regulation and related information on the EU's data protection website.) There is no grace period after May 25th, and companies not in compliance may begin accruing fines from that date. The regulation's penalties for non-compliance can be costly: for the most serious infringements, companies can be fined up to €20 million or four percent of annual global turnover, whichever is higher.

The GDPR is meant to protect the personal data and privacy rights of people in the European Union ("Data Subjects"). Personal data is any information relating to an identified or identifiable natural person, that is, information that can be used directly or indirectly to identify that person. Under this broad definition, a name, an email address, a residential address, bank information, a photo, medical information, social media posts, or even a computer's IP address may be personal data protected by the GDPR.

The regulation applies not only to companies established within the EU, but also to companies located outside the EU if they offer goods or services to, or monitor the behavior of, people in the EU. The GDPR applies to any company that processes or holds the personal data of Data Subjects in this way, regardless of the company's location or size.

Application to Law Firms

A law firm's regulatory obligations under the GDPR will vary depending on the firm's practice areas and the nature of its use of Data Subjects' personal data. The GDPR divides organizations into two roles: data controllers and data processors. Data controllers are entities that determine the purposes and means of processing personal data, while data processors are entities that process personal data on behalf of a data controller. Both controllers and processors must comply with the GDPR, but their obligations and responsibilities under the regulation differ. A law firm can act as either a data controller or a data processor depending on its role in collecting and managing the personal data in question.

In order to understand the day-to-day implications of the GDPR, consider how the regulation attempts to safeguard the privacy of an individual's personal data. A well-known mandate is the "Right to erasure" (also known as the right to be forgotten), which entitles a person to request that a data controller erase the personal data it holds about him or her. (1) For law firms there is an important exception: the right to erasure does not apply to the extent personal data processing is necessary "for the establishment, exercise or defence of legal claims." (2) The right also yields where processing is required to comply with a legal obligation under EU or Member State law, such as a mandated retention period; retention obligations imposed by other law, such as US federal or state rules, are not themselves a GDPR exception and should be analyzed separately.

Another GDPR provision that may affect law firms is the 72-hour breach notification requirement. (3) A law firm acting as a data controller must notify its supervisory authority (4) without undue delay and, where feasible, within 72 hours after becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; a notification made after 72 hours must be accompanied by the reasons for the delay. A law firm acting as a processor must notify the data controller without "undue delay" after becoming aware of a personal data breach. Breach notifications to a supervisory authority must contain a required set of information, including the nature of the breach, the likely consequences, and the measures taken or proposed to address it. (5) Whether acting as a controller or a processor, a law firm should have an established breach notification procedure in place, including a way to record when the firm "became aware" of an incident, so that it can meet the GDPR's strict time requirements if a breach occurs.

Several other aspects of the GDPR may also apply to law firms. Some provisions are broad and open to interpretation, such as the "Right of access," (6) which entitles a person to obtain confirmation of whether a controller is processing his or her personal data and, if so, a copy of that data and related information such as the purposes of processing and its recipients, and "Data protection by design," (7) which calls for privacy protections to be built into the design of data processing systems. Others are narrower and more prescriptive, such as the security-of-processing obligations, (8) which require technical and organizational measures appropriate to the risk and name pseudonymization and encryption of personal data as examples of such measures, and the requirement to appoint a Data Protection Officer (9) in some situations.

If your law firm has no European contacts through personnel, clients, or data, then your firm may not be subject to the GDPR. But if your firm has European employees or European clients, or processes European personal data through discovery or other information-sharing processes, then it is wise to evaluate your firm's exposure to the GDPR now.

Any such evaluation should begin with a firm-wide information inventory or audit documenting where protected personal data is located in your firm's systems, including third-party services and backups. After that, the firm's current data protection practices should be assessed against the GDPR's requirements, which will reveal compliance gaps, whether technical, administrative, or organizational. This gap analysis can be the foundation of your firm's roadmap to GDPR compliance. With time running short, however, it is important to prioritize the gaps that carry the greatest risk so that your firm can be ready when May 25th arrives.

(1) Art. 17
(2) Art. 17(3)(e)
(3) Art. 33(1)
(4) The EU Member State data protection authority competent for the firm; for cross-border personal data processing, the lead supervisory authority.
(5) Art. 33(3)(a)-(d)
(6) Art. 15
(7) Art. 25
(8) Art. 32
(9) Art. 37