Earlier this year, we were all bombarded with emails about impending EU data-protection legislation and warnings of repercussions for noncompliance leading up to May 25th, 2018. As we all now know, that was the date the European Union’s General Data Protection Regulation, or GDPR, came into effect.
What might not be as obvious is that US law firms must also follow the GDPR if they do business with European businesses or handle the personal data of individuals in the EU (the regulation applies to data subjects in the EU, not only EU citizens). If your firm is found to have improperly handled that personal data, the maximum fine is 20 million euros (more than 20 million dollars) or 4% of annual worldwide turnover, whichever is higher.
Why are Law Firms Affected?
“The GDPR is a far-reaching legal instrument that will have a significant impact on all companies involved in the processing of personal data, including many outside the EU,” according to Jones Day.
Bloomberg Law states, “Under GDPR... EU data subjects will have the right to access their personal information held by an organization at any time, and the organization will have a very short response deadline. The [subject] would also have the right to object to the automated collection of his personal data, ask [the] firm to correct inaccurate data, or ask for all of his personal data, including metadata, to be put onto a device or transmitted to him—and deleted forever from the company’s servers and devices."
What is considered ‘personal data’? “...'Personal data' includes names, email contact information, location data, social media posts, medical information, and any other information that might identify a person, either directly or indirectly."
"In the case of a law firm...a GDPR-compliant disclosure might include a statement that [the firm] would be disclosing the subject’s personal information to the opposing party, to the court, or any other reasonably foreseeable entities."
How Do We Become Compliant with the GDPR and Avoid Large Penalties?
Law firms currently doing business with businesses or individuals in any EU member state will need to become and remain compliant with the GDPR to avoid large penalties. Firms that market to prospects in the EU should also be adhering to the more stringent requirements that come with handling the data of people in the EU.
Unfortunately, there is no single authoritative checklist for firms attempting to comply with the GDPR; there are far too many competing interpretations of the legislation.
Also important to note is that GDPR compliance is not a single moment in time; it depends on how your operations are structured and carried out going forward. This is one reason many firms are hiring or appointing a Data Protection Officer (DPO) to serve as the main point of contact for GDPR compliance and accountability. This person (or team) holds responsibility for information governance across the business and may therefore implement the large operational, organizational and technical changes necessary for compliance.
EU member states are also enacting their own national legislation to supplement the GDPR, so the requirements for compliance can vary from country to country and shift over time.
In order to remain compliant, lawyers and law firms with clients in Europe will need to continuously monitor both the GDPR and the national legislation each country passes.
What are Some Guidelines or Practices We Can Implement to Align with the Laws for GDPR?
As mentioned above, appointing a DPO is a great first step towards GDPR compliance.
Here are a few additional best practices:
- Audit your overall cyber security posture
- Implement data collection and protection principles
- Implement procedures to identify, respond and make required notifications of security incidents
- Perform a risk assessment on automated, large-scale processing and monitoring of data
- Create data flow maps
- Consider new grounds for data transfers, such as codes of conduct and certifications
- Increase your investment in cyber security
Source: Jones Day
Below is another list from Nymity of the top 10 measures that have been implemented for GDPR compliance purposes, compiled from a survey of 46 organizations.
What Else Can We Do?
Don’t wait for a complaint to scramble to make your practice GDPR compliant. Let the experts at Fairdinkum Consulting prepare your firm for compliance before any issues arise. We will identify people, process, and technology gaps, train your staff on cyber security, and perform vulnerability scans and penetration tests to help your firm meet the security requirements of the GDPR while maintaining the highest security standards.