GDPR Implications for U.S. Law Firms
Privacy, Cyber & AI Decoded Alert
Mar 28, 2018
Risk Management Question: Do U.S. law firms need to comply with the General Data Privacy Regulation (GDPR), a new European mandate that extends well past the borders of the European Union? If so, what steps need to be taken to comply?
The Issue: On May 25, 2018, the GDPR goes into effect across the 28 Member States of the European Union. The GDPR applies to any type of business that is established in the EU, including U.S. firms with offices in the EU. In addition, the GDPR could apply to law firms without an EU office, if the firm (i) offers goods or services to "natural persons" in the EU or (ii) monitors the behavior of persons in the EU. Law firms matching either of these descriptions are subject to potentially significant penalties for non-compliance with the GDPR irrespective of the size of the firm, or the nature of services offered. Individuals also have the right to bring private actions under the GDPR.
The GDPR is aimed at protecting personal data when it is processed. The GDPR defines processing broadly to include virtually any activity that can be performed on personal data, including collecting, using, storing, sharing or transmitting it. The GDPR defines personal data as essentially anything that can be used to identify a natural person.
Risk Management Solution: Is your law firm currently handling any matters that involve personal information of an EU citizen? Does the firm have any personal information about an EU citizen in its email, document management or in marketing or contact databases? If so, the firm may be subject to the GDPR. If the GDPR potentially applies to your law firm, it is critically important to identify and map your data flows and to determine if and where the firm stores any personal data of EU residents. This can include contact lists, or email addresses to or from an attorney, client, or customer in the EU. Once your firm has identified and gathered this information, it will be essential to take steps to ensure compliance with the obligations imposed by the GDPR in time for its implementation date of May 25, 2018.