As you may already know from the avalanche of emails that were cascading into inboxes around the world on and before May 25, the European Union's General Data Protection Regulation (GDPR) came into effect on that date after nearly two years of development. Businesses of all kinds, including law firms, have been scrambling to make sure their practices are compliant with the new regulations and working to avoid serious consequences.
Here's how law firm GDPR compliance can affect your business — and how you can ensure better adherence to the new guidelines:
GDPR's Powerful Protections and Steep Consequences
GDPR's protection of European citizens' privacy rights is incredibly stringent. It is also quite far-reaching: any business that collects information about EU residents, even a company or organization based outside the EU, is now subject to this new regulation. European regulators, or individuals who experience material or non-material damages as a result of GDPR noncompliance, may file a complaint against a data controller or processor, opening the business up to possible consequences.
According to Law Technology Today, any firm in the world that improperly handles the personal data of people in the EU can face up to 20 million euros (approximately 22.3 million dollars) in fines or four percent of its total global revenue for the preceding fiscal year, whichever is higher. Given the massive penalties law firms could face, these organizations have a strong incentive to bring their practices into compliance. Those that do will also be well positioned to advise their clients affected by GDPR on how best to accomplish the same goal.
The Impact of GDPR on US Law Firms
If your firm serves clients in any of the EU's 28 member countries, you must abide by GDPR's mandate to safeguard personal data. The same is also true for law firms marketing to prospects in the EU. If neither of those factors applies to your firm's current operations, it might seem that the need for compliance is less apparent, but you are still not out of the woods.
For example, the GDPR's language is unclear about whether people who are traveling within the EU when their personal data is collected are covered. It's also very tricky to tell at a glance whether those visiting your law firm's website are protected by GDPR. Perhaps it's not a surprise that, given such ambiguity, not many law firms are ready to comply with GDPR. As Law.com reports, a recent survey by Wolters Kluwer found that less than half (47 percent) of medium to large-sized law firms feel that they are fully prepared to comply with GDPR. Meanwhile, only 16 percent of respondents said they were somewhat prepared, and more than a third (37 percent) of firms said that they had made no specific preparations at all.
If your law firm is not yet ready for GDPR, the most prudent course of action is to ensure better compliance now as a precautionary measure. That way, however the regulation is ultimately interpreted and clarified, you can rest assured that your firm won't run afoul of the regulations.
Though complying with GDPR is a heavy lift for many law firms, it's well worth your while to begin addressing it now. That way, should your firm ever come under scrutiny for its practices regarding EU citizens' data, it will have a better chance of avoiding costly penalties.
Ensuring Better Law Firm GDPR Compliance
Once you understand the implications of GDPR for US law firms, there are a few smart steps your firm can take to ensure better compliance. This list is not comprehensive, and the level of preparation required may vary from firm to firm depending on whether the firm is classified as a data controller, a data processor, or both, but these are some solid starting points.
- Designate a point person. Some firms may wish to designate a Data Protection Officer (DPO) — an employee, consultant, or team whose responsibilities are outlined in GDPR — specifically for the purpose of implementing necessary changes for compliance. The Wolters Kluwer survey notes that 60 percent of respondents informally assigned a point person to this role, while 43 percent of respondents took the extra step of designating a formal DPO even though the GDPR does not require them to do so.
- Obtain informed consent. Your law firm must obtain clear, informed consent from its clients and prospects concerning the use of their personal information. If your firm states that it will only use a client's email address for communications regarding a case or for receiving invoices from your law firm billing solutions system, for example, the firm cannot then use it for any other purpose unless the client explicitly grants consent.
- Securely store client data. Under the new regulations, you are required to securely store any client data you may have collected. If you store client data with a cloud communications provider, then it's a good idea to perform due diligence and ascertain whether that provider is compliant with the strict GDPR requirements regarding secure data storage.
- Boost your cybersecurity. Breaches are a fact of life in today's business landscape, and your law firm would do well — from both a GDPR and a risk management standpoint — to increase its investments in cybersecurity for that reason. It's also wise to plan now for how your firm will notify authorities in the event of a data breach.
Although complying with GDPR is a heavy lift for many law firms, it's well worth your while to begin addressing it now so that your firm will have a better chance of avoiding costly penalties should it ever come under scrutiny for its data collection practices. With the required improvements in cybersecurity and organizational readiness, your law firm will also be better able to manage its risk, ensuring a stronger and more resilient practice in the long run.