The EU General Data Privacy Regulation (GDPR) goes into effect on May 25, 2018. It establishes a uniform data privacy law across the EU. The right to data privacy is considered a fundamental human right in the EU, and the GDPR reflects that approach. Law firms do not need to have an office in the EU or even set foot in the EU to be subject to the GDPR. The GDPR applies to any type of business, wherever it is located, that either: (1) offers goods or services in the EU; or (2) monitors the behavior of EU citizens. If a law firm offers its services in the EU, and has personal information about residents of the EU, it is subject to the Regulation even in the absence of any other connection with the EU. The size of the law firm (or other business) makes no difference.
Penalties for noncompliance with the GDPR are potentially significant. They can range up to the greater of £20 million or 4 percent of an entity’s annual worldwide turnover for serious violations. Actions can also be brought by data subjects or on their behalf in their country of residence for an infringement of his/her/their privacy rights.
