How many times a day do you enter personal information on a website? Whether it's your address, Social Security Number, age, or otherwise, information that identifies you as an individual is valuable.
The European Union's General Data Protection Regulation (GDPR) revolutionized data privacy regulation, creating new privacy rights for EU citizens and new obligations for businesses across the globe. Attorneys, who already handle sensitive information about their clients, may find themselves subject to GDPR rules depending on their clientele. As businesses globalize, more law firms will likely need to have these regulations on their radar.
Rights for Consumers Under GDPR
The GDPR outlines four rights for "data subjects," meaning those whose personal information is held by another entity:
- Breach Notification
- Right to Access
- Right to Be Forgotten
- Data Portability
Although these protections are only afforded to EU residents, they can apply to any entity that collects personal information ("data processors") – regardless of where they conduct business.
Breach Notification
If a data processor experiences a data breach that is likely to "result in a risk for the rights and freedoms of individuals," the GDPR requires them to notify customers soon after the breach becomes known. For companies within EU member states, notification is required within 72 hours of first becoming aware of the breach. For everyone else, the notification must come "without undue delay."
Right to Access
Under the GDPR, data subjects can contact an organization and request confirmation of whether their personal information is being processed, and how. Data controllers must provide this information free of charge and in an electronic format. This enhanced transparency is one of the most sweeping changes the GDPR enacted.
Right to Be Forgotten
The "right to be forgotten" refers to a data subject's ability to have their data erased from a data controller's system. They can also ask for the dissemination of their data to cease, and for third parties to stop processing their data. This process is sometimes called "data erasure."
Data Portability
Data portability goes hand in hand with the right to access. After a data subject receives a notification regarding their data, they can request that it be transferred to a different data controller.
What It Means for Lawyers
The most significant aspect of the GDPR for attorneys to watch is its extraterritorial scope. It applies to all companies that offer goods or services to EU residents, whether their home operation is in the EU or not. Therefore, any law firm with global operations must comply.
Firms should conduct comprehensive reviews of their data collection policies to ensure any data from an EU resident is handled according to the GDPR. This includes analyzing what data the firm collects, why they collect it, and how it is used. Any customer-facing privacy statements should be revised to provide GDPR-compliant transparency about how a customer's data might be used.