GDPR for US law firms - What do you need to do?

The General Data Protection Regulation takes effect on 25 May 2018.  This applies Europe-wide.

Firms with European offices will need a thorough review of their processes.  They will need to give particular attention to establishing the lawful basis for the transfer of data outside the EEA.

For firms without European offices, there may still be a need to address GDPR issues if the firm offers services to individuals in Europe (or, less likely, monitors behaviour in Europe).  A firm might offer services if, for example, it advertises for clients for a class action where potential claimants may include European citizens.

Typical questions we are receiving from US law firms are whether GDPR applies to them at all, provisions in outside counsel guidelines, for example, stating that the firm is a ‘data processor’, and the interaction of GDPR and anti-money laundering requirements.

Many firms obtain data on EU citizens in the course of due diligence, or in connection with employment or criminal investigations, giving rise to questions about the impact of privacy notices on attorney-client privilege and the work product doctrine.

All firms need to address the following –

  • Risk assessment – map the data you hold, identify the lawful basis on which you process it, review how long you keep it, and satisfy yourself you are taking reasonable steps to secure it.
  • Review consents, if you are relying on them.
  • Appoint a Data Protection Officer if you need to.
  • Record keeping.
  • Train staff.
  • Review your recruitment procedures.
  • Review your contracts with data processors
  • Check whether you are transferring data outside the EEA and make sure you have a lawful basis for doing so.

How Legal Risk can help

We have wide experience of advising US-based law firms.  We have advised 10 Am Law 100 firms and many more Am Law 200 firms.

We can help with your risk assessment process.

We can also advise on documentation and dealing with subject access requests and other issues which may arise in practice.

Useful links


European Commission & Article 29 Working Party:


Law Society:

Bar Council:

Council of Bars and Law Societies of Europe:


  • 18 . 04 . 2018 SRA proposals for PII reform – are there any winners? | JLT SRA proposals for PII reform – are there any winners? | JLT

    First published here.

  • 29 . 03 . 2018 Risk Update March 2018 Risk Update March 2018

    Demolition job: SRA Consultation on Professional Indemnity Insurance (PII)-Challenging opponents’ legal costs-What is integrity?-General Data Protection Regulation-Conflicts of Interests and Confidentiality-AML-Non-disclosure agreements

  • NEXT EVENT Liverpool Law Society – Compliance Conference 2018 Liverpool Law Society – Compliance Conference 2018 Location: Liverpool Law Society, 2nd Floor, Helix, Edmund Street, Liverpool, L3 9NY Start: May 23, 2018 RECENT NEWS