What Law Firms Need to Know about the GDPR

Epiq

Beginning May 25, the EU Data Protection Directive will be replaced with the General Data Protection Regulation (GDPR). In a nutshell, the purpose of the GDPR is to improve the protection and privacy of all personal data collected about European Union data subjects. This will impact all companies that handle data associated with European countries, people, or organizations, including law firms. Firms that handle the data of European data subjects may have to take action to comply with the GDPR requirements.


What Does the General Data Protection Regulation Mean?

The GDPR obligations can be broken down into six categories:

  1. Information Governance
    1. Raise awareness of data governance within the firm
    2. Define roles & responsibilities around data privacy
    3. Establish a data protection officer (DPO)
    4. Develop and execute training program
  2. Data Protection Impact Assessment (DPIA)
    1. Assess all systems that store and/or process data that could include private personal information
    2. Implement a process to assess all new systems
      1. Assessment should identify risks and mitigation strategies to secure and safeguard personal information
  3. Data Security
    1. Protect and secure personal data and information
    2. Implement technical solutions to secure data, such as:
      • Encryption
      • Data loss prevention (DLP)
      • Access controls and identity management
      • Unified threat management (UTM)
      • Firewalls and antivirus
    3. Implement firm-wide policies and education around securing personal data and information such as:
  4. Data breaches
    1. Report breaches within 72 hours
    2. Describe the nature of the breach in detail, and likely consequences
    3. Describe the measures taken to remediate the breach
  5. Data Protection Officer (DPO)
    1. It is considered a best practice to explore the need for a DPO
    2. Firms should document and implement policy and process that support information governance
  6. Data Transfers
    1. Data transfers outside of the EU are allowed only with appropriate safeguards
    2. Impacts cloud services through which information is shared
    3. Must provide notice to impacted persons
    4. Must obtain consent from impacted persons

A choice NOT to comply could have steep consequences, including:

  • Fines up to €20 million or 4 percent of profits
  • Loss of reputation as a trustworthy service provider
  • Financial consequences that accompany a data breach – an average of €4M per breach

Three Steps to Prepare for GDPR

With the six obligations in mind, law firms should take these three steps in preparing for GDPR:

  1. Know Your Data: What personal data do you have and where is it being processed and stored?
  2. Establish an Information Governance Program: Create a cross-functional team of attorneys and staff tasked with creating and enforcing policies related to information governance. Additionally, it is key to provide training and ongoing education to all attorneys and staff who come into contact with client data.
  3. Have a GDPR Strategy:
    • Obtain explicit consent from persons if you will be processing their personal information.
    • Breach notification process: While no firm plans for a data breach to happen, the development of a breach notification process will expedite the response time and prevent mistakes that may occur in a moment of panic.

Written by:

Epiq
Published on JD Supra.