GDPR for US law firms - What do you need to do?

The General Data Protection Regulation takes effect on 25 May 2018.  This applies Europe-wide.

Firms with European offices will need a thorough review of their processes.  They will need to give particular attention to establishing the lawful basis for the transfer of data outside the EEA.

For firms without European offices, there may still be a need to address GDPR issues if the firm offers services to individuals in Europe (or, less likely, monitors behaviour in Europe).  A firm might offer services if, for example, it advertises for clients for a class action where potential claimants may include European citizens.

All firms need to address the following:

  • Risk assessment – map the data you hold, identify the lawful basis on which you process it, review how long you keep it, and satisfy yourself you are taking reasonable steps to secure it.
  • Review consents, if you are relying on them.
  • Appoint a Data Protection Officer if you need to.
  • Record keeping.
  • Train staff.
  • Review your recruitment procedures.
  • Review your contracts with data processors.
  • Check whether you are transferring data outside the EEA and make sure you have a lawful basis for doing so.

How Legal Risk can help

We have wide experience of advising US-based law firms.  We have advised 9 Am Law 100 firms and many more Am Law 200 firms.

We can help with your risk assessment process.

We can also advise on documentation and dealing with subject access requests and other issues which may arise in practice.

Useful links