GDPR Implications for U.S. Law Firms
Privacy, Cyber & AI Decoded Alert | 2 min read
Mar 28, 2018
Risk Management Question: Do U.S. law firms need to comply with the General Data Privacy Regulation (GDPR), a new European mandate that extends well past the borders of the European Union? If so, what steps need to be taken to comply?
The Issue: On May 25, 2018, the GDPR goes into effect across the 28 Member States of the European Union. The GDPR applies to any type of business that is established in the EU, including U.S. firms with offices in the EU. In addition, the GDPR could apply to law firms without an EU office, if the firm (i) offers goods or services to "natural persons" in the EU or (ii) monitors the behavior of persons in the EU. Law firms matching either of these descriptions are subject to potentially significant penalties for non-compliance with the GDPR irrespective of the size of the firm, or the nature of services offered. Individuals also have the right to bring private actions under the GDPR.
The GDPR is aimed at protecting the processing of personal data. The GDPR defines processing broadly to include virtually any activity that can be performed to personal data, including collecting, using, storing, sharing or transmitting it. The GDPR defines personal data as essentially anything that can be used to identify a natural person.
Risk Management Solution: Is your law firm currently handling any matters that involve personal information of an EU citizen? Does the firm have any personal information about an EU citizen in its email, document management or in marketing or contact databases? If so, the firm may be subject to the GDPR. If the GDPR potentially applies to your law firm, it is critically important to identify and map your data flows and identify if and where the firm stores any personal data of EU residents. This can include contact lists, or email addresses to or from an attorney, client, or customer in the EU. Once your firm has identified and gathered this information it will be essential to ensure that steps are taken to ensure compliance with the obligations imposed by the GDPR, in time for its implementation date of May 25, 2018.
Download Cyber Alert – GDPR Implications for U.S. Law Firms (PDF)
Featured Insights
Press Release
Oct 22, 2025
Hinshaw & Culbertson LLP Launches New Website and Refreshed Brand
Privacy, Cyber & AI Decoded Alert
Oct 22, 2025
Press Release
Oct 22, 2025
Hinshaw & Culbertson LLP Launches New Website and Refreshed Brand
Privacy, Cyber & AI Decoded Alert
Oct 22, 2025
Press Release
Sep 26, 2025
Hinshaw Recognized as a “Leader in Litigation” in the BTI Consulting Litigation Outlook 2026 Survey
Employment Law Observer
Sep 23, 2025
Privacy, Cyber & AI Decoded Alert
Sep 23, 2025
Fall 2025 Regulatory Roundup: Top U.S. Privacy and AI Developments for Businesses to Track
Press Release
Sep 15, 2025
Hinshaw Achieves 2024–2025 Mansfield Rule Certification Plus Status
In The News
Sep 5, 2025
Jessica Riley Reflects in a Law360 Story on Lessons She Learned as a Junior Lawyer
Press Release
Aug 25, 2025
Trial Spotlight: Hinshaw Prevails in ERISA Fiduciary Fraud Case
Press Release
Aug 21, 2025
102 Hinshaw Lawyers Recognized in 2026 Editions of The Best Lawyers in America® and Ones to Watch™
