GDPR Implications for U.S. Law Firms
Privacy, Cyber & AI Decoded Alert | 2 min read
Mar 28, 2018
Risk Management Question: Do U.S. law firms need to comply with the General Data Privacy Regulation (GDPR), a new European mandate that extends well past the borders of the European Union? If so, what steps need to be taken to comply?
The Issue: On May 25, 2018, the GDPR goes into effect across the 28 Member States of the European Union. The GDPR applies to any type of business that is established in the EU, including U.S. firms with offices in the EU. In addition, the GDPR could apply to law firms without an EU office, if the firm (i) offers goods or services to "natural persons" in the EU or (ii) monitors the behavior of persons in the EU. Law firms matching either of these descriptions are subject to potentially significant penalties for non-compliance with the GDPR irrespective of the size of the firm, or the nature of services offered. Individuals also have the right to bring private actions under the GDPR.
The GDPR is aimed at protecting the processing of personal data. The GDPR defines processing broadly to include virtually any activity that can be performed to personal data, including collecting, using, storing, sharing or transmitting it. The GDPR defines personal data as essentially anything that can be used to identify a natural person.
Risk Management Solution: Is your law firm currently handling any matters that involve personal information of an EU citizen? Does the firm have any personal information about an EU citizen in its email, document management or in marketing or contact databases? If so, the firm may be subject to the GDPR. If the GDPR potentially applies to your law firm, it is critically important to identify and map your data flows and identify if and where the firm stores any personal data of EU residents. This can include contact lists, or email addresses to or from an attorney, client, or customer in the EU. Once your firm has identified and gathered this information it will be essential to ensure that steps are taken to ensure compliance with the obligations imposed by the GDPR, in time for its implementation date of May 25, 2018.
Download Cyber Alert – GDPR Implications for U.S. Law Firms (PDF)
Related Capabilities
Featured Insights
Insights for Employers Alert
May 29, 2026
USCIS Policy Update: New Adjustment of Status Guidance Impacting Employers and Individuals
Press Release
May 28, 2026
Hinshaw Adds Former General Counsel as a Commercial Transactions Partner in Miami
Insights for Employers Alert
May 29, 2026
USCIS Policy Update: New Adjustment of Status Guidance Impacting Employers and Individuals
Press Release
May 28, 2026
Hinshaw Adds Former General Counsel as a Commercial Transactions Partner in Miami
Event
May 27-29, 2026
Steve Puiszis Moderates Discussion on Today's Law Firm Risk Environment
Press Release
May 27, 2026
Press Release
May 26, 2026
L.J. Rotman Recognized in the Inaugural Minnesota Lawyer Minnesota Legal 250
Privacy, Cyber & AI Decoded Alert
May 21, 2026
Deploying AI Companions in Elder Care: A Privacy Compliance Playbook
Press Release
May 20, 2026
Hinshaw Releases America 250 Book Exploring Insurance's Role in Building the United States
Consumer Crossroads: Where Financial Services and Litigation Intersect
May 19, 2026
OCC's Final Escrow-Interest Preemption Rules Bolster the Second Circuit’s Cantero Decision
Webinar
May 19, 2026
Scott Seaman Speaks on Making Decisions in Difficult Risk Environments
Consumer Crossroads: Where Financial Services and Litigation Intersect
May 14, 2026
Key Takeaways from the 2026 MBA Legal Issues and Regulatory Compliance Conference
