What Lawyers Need to Know About the GDPR

John Lehman
John Lehman
May 24, 2018

You may have heard about the GDPR, the latest effort in personal data regulation that has been making headlines lately. Here is a break down of everything you need to know about it and what steps you can take to protect your clients’ data within your legal practice.

What is the GDPR?

Created by the European Parliament, the goal of the General Data Protection Regulation (GDPR) is to ensure businesses protect the personal data they acquire from “data subjects” in the European Union.

The GDPR defines "data subject" as “an identified or identifiable natural person,” which, in layman's terms, essentially means any person who provides their personal data to a business. When you create an account on e-commerce sites such as Amazon or Ebay, opt-in to an email newsletter, or even fill out an intake form at a doctor’s office—and in the case of your clients, your law firm—you are providing your personal data to a business.

These businesses are called "data controllers", which the GDPR defines as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” Law firms such as yours would also fall under this label.

What is considered personal data?

Personal data protected by the GDPR includes (but isn’t limited to):

  • Full names
  • Residential addresses
  • Email addresses
  • Identification numbers (driver's license, social security number, etc.)
  • Banking information
  • Web data (GPS location, cookies, IP addresses, etc.)
  • Medical records
  • Race & ethnicity
  • Sexual orientation
  • Political affiliation

When will the GDPR go into effect?

The GDPR will officially go into effect on May 25, 2018. Failing to comply with the GDPR could result in hefty fines—as much as $28 million or four percent of the offending company’s annual revenue, depending on which figure is larger. However, experts predict that such penalties will likely be reserved only for the biggest, most egregious offenders who aren’t actively taking steps to protect the data of customers in the EU.

How does the GDPR affect me?

It’s a common misconception that businesses not located within the EU do not need to worry about the GDPR, as they believe EU regulations cannot be legally applied to them. The truth is, international agreements between various countries and the EU means that the GDPR affects businesses worldwide. Regardless of location, any business that collects personal data from customers in the EU must be compliant with the GDPR.

However, if your law firm doesn’t collect personal data from customers in the EU, then the GDPR likely won’t apply to you. That said, if you foresee your firm doing so in the near future, then it’s in your best interest to take steps towards GDPR compliance. Even if you never work with a client in the EU, the practices required for GDPR compliance can significantly improve your firm’s cyber security systems.

What do I need to do to become compliant?

Privacy policies

For professional service firms such as yours, creating a privacy policy should be your top priority if you don’t already have one. Under the GDPR, your privacy policy must contain simple language that clearly states how you collect your clients’ data and what you are doing with it. You must also disclose whether your firm will be sharing a client’s data with a third party and how long you intend to keep their data. Your privacy policy must also be easily accessible on your site, or made readily available upon request.

Demonstrable consent

The GDPR also requires businesses to obtain explicit consent from a customer in the EU before utilizing their personal data for the purpose of business. For example, if you had a client’s email address and wished to send them an e-newsletter, you must be able to clearly demonstrate that your client wanted you to send it to them. This can often be achieved by adding a clause to your client intake forms, or adding a box to your online forms that respondents can check to indicate consent.

Expanded rights

New rights granted to customers in the EU under the GDPR include the Right to Access and the Right to be Forgotten. The Right to Access allows individuals in the EU to obtain their data from a data controller upon request, at no cost. The Right to be Forgotten allows individuals in the EU to request any data controller who possesses their personal data to purge it from their records.

Data management

It’s vital that you know where your clients’ personal data is so you can retrieve it in the event of a request. If this data is stored on your machines, make sure they are stored in an encrypted digital locker and can only be accessed by authorized personnel. If any data is handled by a third party, such as an online payment processor, you will need to reach out to them to retrieve it if you receive a request.

It’s also your firm’s responsibility to confirm that any request for data is legitimate. This can be accomplished by checking the requestor's identity against personal data you’ve already legally obtained, such as asking them to recite their home address or phone number. If you cannot verify that the request is legitimate, then the request must be denied.

What happens next?

It’s important to remember that the GDPR is still relatively new as of this writing—the full impact of this new regulation will likely be seen in time. Though the GDPR may seem imposing, most professional service firms have nothing to fear. As long as you evaluate current data security practices (and adjust where necessary), adhere to new consumer rights, and maintain transparency about personal data usage, your firm will likely be in the clear.

If you want to learn more about the GDPR, you can read the regulation in full on its EUR-Lex page.