If your law firm collects, stores or uses personal data from citizens within the European Union (EU), it is important to understand what the General Data Protection Regulation (GDPR) will mean for you. The new data protection standards put in place by the GDPR will take effect on May 25, 2018. This not only affects practices based out of countries in the EU, but will also impact U.S.-based firms that have access to data for EU citizens. Since violating the new GDPR standards could mean serious fines for your practice, we’ve put together a few key points to make sure you are ready for the May 25th changes.
- Under the GDPR, your law firm will be considered a “data controller” as opposed to a “data processor” since you have the ability to state how and why personal data is collected.
- The regulations do not apply just to data you collect moving forward, but retroactively as well. If you have not already taken steps to examine and assess where all of your data is stored, it is important to begin now. Your practice will need to make sure you have the ability to do the following with this data, according to the new regulation’s standards:
- Erase a consumer’s entire data profile at their request;
- Provide information to the consumer about exactly what data you are processing, where
you are storing it, and the purpose this data collection serves;
- Provide the consumer with a copy of the personal data you’ve collected on them at their
The consumer also has the right to question and fight all decisions that may impact them if the decisions were made on a purely algorithmic basis.
- Failing to meet the requirements of the GDPR could result in a fine of up to $23 million or 4% of your firm’s annual worldwide turnover. If these fines are implemented, it could put some practices out of business. There are cyber insurance policies available, but whether or not to invest in this type of service will depend on each practice’s individual needs.
The standards put in place by the GDPR are quite different from the more liberal U.S. approach to consumer data collection, so if your firm may be impacted by these changes, it is imperative that you begin preparing now for the May 25th changes to be sure your data collection methods are lawful under the new standards.