Lawyers in the United States know about the General Data Protection Regulation the same way that a child knows about the boogeyman. They know it’s out there, and they know it’s scary—but when you get down to specifics, things get hazy fast.
The truth is, even those of us in Europe cannot yet know in great detail what the GDPR will look like in practice—despite the fact that it has been hiding under our beds for quite some time. From the moment the GDPR was approved in April 2016 to when it took effect last month, we have had two years to prepare. Even so, before any of us have had practical experience with the new regulatory structure and its enforcement, we can only know the broad strokes. We know that the GDPR promises to mark a sea change in how companies can use consumers’ data. We know that it was created to grant consumers greater control over their data and result in more uniform privacy rules across the EU. And we know that punishments for violating the GDPR laws sound draconian. For running afoul of the new rules, companies may face fines of up to $24.6 million (scary) or 4 percent of their annual revenue (genuinely horrifying), whichever is greater.
There has been a lot of talk about how law firms can and should be preparing corporate clients for the GDPR, and given the severity of the above measures, some of it has taken on a fear-mongering tone. There has been much less talk about how law firms themselves might be impacted by the regulations. That’s an oversight worth correcting; the reach of the GDPR extends beyond web titans like Google and Facebook to include any entity that handles personal data, law firms included. And here’s the good news: When they turn on the lights and consider what the GDPR means for them, U.S.-based firms are likely to find that the perils of the GDPR have been looming overly large in their minds, and that they have been overlooking the opportunities that come with the new regulations.
The (Overstated) Perils of the GDPR
No one said that complying with the GDPR would be a walk in the park. The reality is that collecting data from any third party—clients, witnesses, opposing parties, or others—presents hazards for law firms. What if the subject of the request denies consent, creating a record of their objection? What if they withdraw their consent after they have given it? U.S.-based practices—particularly those with offices, cases, witnesses or clients in jurisdictions where the GDPR is the law of the land—should evaluate whether their procedures for transferring, maintaining, protecting and disposing of third-party data comply with the new rules.
As they do so, they may find themselves giving thought to unexpected factors. Policing vendors with access to client information, for instance, will take on greater importance under the GDPR. In addition to monitoring their own compliance, law firms need to ensure that service providers have appropriate safeguards in place. Law firms can’t afford to assume these third parties already have their houses in order.
Law firms will also have to carefully consider the breadth of their requests when asking third parties, including clients, to collect and turn over data. There are many circumstances under which lawyers make such requests, and often they are overbroad. But the calculus has now changed. Acquiring unnecessary data only increases the risk that a firm has collected private information that could put it on the hook for GDPR-related liability. To reduce that risk, it might be worth making more tailored requests—especially of those most likely to have GDPR-triggering material. Likewise, firms should not hold onto data longer than necessary.
Finally, if and when they must produce documents containing personal data, legal practices should prepare to do more redaction to mask it. Software can automate the process to some extent, but ultimately human eyes are needed to ensure that personal data within the body of documents is appropriately masked.
This is not an exhaustive list of considerations for U.S. firms when it comes to GDPR. But firms should not feel daunted by the task ahead of them—and they also should not panic. In these early days of the regulatory scheme, enforcers will be looking for low-hanging fruit. A firm that has made a good-faith attempt will go a long way toward putting itself in the clear on GDPR compliance.
The (Overlooked) Opportunity of the GDPR
If there is a silver lining to the new GDPR rules for law firms, it’s that the GDPR could create ongoing work for them. We can’t yet say how much legal work will be derived from GDPR enforcement actions against companies, but they could create a significant stream of work, depending on how aggressive regulators are. In addition, the now-famous Morrisons Supermarkets case, in which a grocery chain was found vicariously liable for one employee’s vengeful exposure of the personal details of thousands of fellow employees, suggests that GDPR-related employment litigation could represent a new line of work, including for potentially affected U.S.-based businesses with personnel in the EU.
In addition to litigation work, there will be a need for regulatory counsel. A lot of work went into preparing for the arrival of the GDPR on May 25, but compliance efforts didn’t stop then. Clients will need ongoing compliance advice to account for emerging technologies and data privacy processes. Implementing the new rules is not just a matter of flipping a switch. Instead, developing a working regulatory system—and advising clients on how to respond to it—will be an evolutionary process.
In many ways, the GDPR is simply giving teeth to existing data protection laws and seeking to introduce consistency on how they should be interpreted by various jurisdictions.
Law firms should not become overly concerned with the new laws now in place, despite the fact that they remain an unknown quantity. Going forward, firms that develop sound governance policies for handling information and take steps to protect data will find themselves in a favorable position with regulatory authorities. As of now, the best a firm can do is read the GDPR closely, monitor case studies and new guidance and make a good-faith effort to abide by proper controls for data collection. Shining a flashlight under the bed never hurt either.
Vince Neicho is an expert legal solutions consultant at Integreon.