GDPR for US law firms - What do you need to do?

The General Data Protection Regulation is now fully in force.  This applies Europe-wide.

Firms with European offices will need a thorough review of their processes if they have not already done so..

They will need to give particular attention to establishing the lawful basis for the transfer of data outside the EEA. Firms with UK offices in particular will also need to consider the impact of a possible no-deal Brexit.

For firms without European offices, there may still be a need to address GDPR issues if the firm offers services to individuals in Europe (or, less likely, monitors behaviour in Europe).  A firm might offer services if, for example, it advertises for clients for a class action where potential claimants may include European citizens.

Typical questions we are receiving from US law firms are whether GDPR applies to them at all, provisions in outside counsel guidelines, for example, stating that the firm is a ‘data processor’, and the interaction of GDPR and anti-money laundering requirements.

Many firms obtain data on EU citizens in the course of due diligence, or in connection with employment or criminal investigations, giving rise to questions about the impact of privacy notices on attorney-client privilege and the work product doctrine.

All firms need to address the following –

  • Risk assessment – map the data you hold, identify the lawful basis on which you process it, review how long you keep it, and satisfy yourself you are taking reasonable steps to secure it.
  • Review consents, if you are relying on them.
  • Appoint a Data Protection Officer if you need to.
  • Appoint a European Representative if you need to.
  • Record keeping.
  • Train staff.
  • Review your recruitment procedures.
  • Review your contracts with data processors
  • Check whether you are transferring data outside the EEA and make sure you have a lawful basis for doing so.

How Legal Risk can help

We have provided legal advice to over 30 US-based law firms, including 10 Am Law 100 firms and many more Am Law 200 firms, on a variety of issues including GDPR, conflicts, and regulation of UK offices.

We can help with your risk assessment process.

We can also advise on documentation and dealing with subject access requests and other issues which may arise in practice.

Useful links can be found here.

Key Contact

Frank Maher

For specialist legal advice on GDPR for US law firms please contact Frank.

0345 330 6791