GDPR Implications for U.S. Law Firms

March 28, 2018
Law Firm Cyber Alerts

Risk Management Question: Do U.S. law firms need to comply with the General Data Privacy Regulation (GDPR), a new European mandate that extends well past the borders of the European Union? If so, what steps need to be taken to comply?

The Issue: On May 25, 2018, the GDPR goes into effect across the 28 Member States of the European Union. The GDPR applies to any type of business that is established in the EU, including U.S. firms with offices in the EU. In addition, the GDPR could apply to law firms without an EU office, if the firm (i) offers goods or services to "natural persons" in the EU or (ii) monitors the behavior of persons in the EU. Law firms matching either of these descriptions are subject to potentially significant penalties for non-compliance with the GDPR irrespective of the size of the firm, or the nature of services offered. Individuals also have the right to bring private actions under the GDPR.

The GDPR is aimed at protecting the processing of personal data. The GDPR defines processing broadly to include virtually any activity that can be performed to personal data, including collecting, using, storing, sharing or transmitting it. The GDPR defines personal data as essentially anything that can be used to identify a natural person.

Risk Management Solution: Is your law firm currently handling any matters that involve personal information of an EU citizen? Does the firm have any personal information about an EU citizen in its email, document management or in marketing or contact databases? If so, the firm may be subject to the GDPR. If the GDPR potentially applies to your law firm, it is critically important to identify and map your data flows and identify if and where the firm stores any personal data of EU residents. This can include contact lists, or email addresses to or from an attorney, client, or customer in the EU. Once your firm has identified and gathered this information it will be essential to ensure that steps are taken to ensure compliance with the obligations imposed by the GDPR, in time for its implementation date of May 25, 2018.

Download Cyber Alert – GDPR Implications for U.S. Law Firms (PDF)