GDPR Implications for U.S. Law Firms
Privacy, Cyber & AI Decoded Alert | 2 min read
Mar 28, 2018
Risk Management Question: Do U.S. law firms need to comply with the General Data Privacy Regulation (GDPR), a new European mandate that extends well past the borders of the European Union? If so, what steps need to be taken to comply?
The Issue: On May 25, 2018, the GDPR goes into effect across the 28 Member States of the European Union. The GDPR applies to any type of business that is established in the EU, including U.S. firms with offices in the EU. In addition, the GDPR could apply to law firms without an EU office, if the firm (i) offers goods or services to "natural persons" in the EU or (ii) monitors the behavior of persons in the EU. Law firms matching either of these descriptions are subject to potentially significant penalties for non-compliance with the GDPR irrespective of the size of the firm, or the nature of services offered. Individuals also have the right to bring private actions under the GDPR.
The GDPR is aimed at protecting the processing of personal data. The GDPR defines processing broadly to include virtually any activity that can be performed to personal data, including collecting, using, storing, sharing or transmitting it. The GDPR defines personal data as essentially anything that can be used to identify a natural person.
Risk Management Solution: Is your law firm currently handling any matters that involve personal information of an EU citizen? Does the firm have any personal information about an EU citizen in its email, document management or in marketing or contact databases? If so, the firm may be subject to the GDPR. If the GDPR potentially applies to your law firm, it is critically important to identify and map your data flows and identify if and where the firm stores any personal data of EU residents. This can include contact lists, or email addresses to or from an attorney, client, or customer in the EU. Once your firm has identified and gathered this information it will be essential to ensure that steps are taken to ensure compliance with the obligations imposed by the GDPR, in time for its implementation date of May 25, 2018.
Download Cyber Alert – GDPR Implications for U.S. Law Firms (PDF)
Related Capabilities
Featured Insights
Press Release
Jun 3, 2026
In The News
Jun 3, 2026
Scott Seaman Discusses Wrongful-Death and Survival Actions Handbook on IICLE Podcast
Press Release
Jun 2, 2026
Palma Yanni Honored With 2026 Achievement Award by Mount Holyoke College
Press Release
Jun 3, 2026
In The News
Jun 3, 2026
Scott Seaman Discusses Wrongful-Death and Survival Actions Handbook on IICLE Podcast
Press Release
Jun 2, 2026
Palma Yanni Honored With 2026 Achievement Award by Mount Holyoke College
In The News
Jun 2, 2026
Jason Rosen Explores the Opportunities and Uncertainties of Florida’s New Series LLC Law
Hinshaw Alert
Jun 1, 2026
SCOTUS Clears Road to Negligent Hiring, Selection Against Freight Brokers
Insights for Employers Alert
May 29, 2026
USCIS Policy Update: New Adjustment of Status Guidance Impacting Employers and Individuals
Press Release
May 28, 2026
Hinshaw Adds Former General Counsel as a Commercial Transactions Partner in Miami
Event
May 27-29, 2026
Steve Puiszis Moderates Discussion on Today's Law Firm Risk Environment
Press Release
May 27, 2026
Press Release
May 26, 2026
L.J. Rotman Recognized in the Inaugural Minnesota Lawyer Minnesota Legal 250
