The European Union’s General Data Protection Regulation (GDPR) will go into effect on May 25th of this year, and the regulations will impact several areas of business operations within the EU.
Organizations that do business with individuals or companies within the European Union will also be affected.
For American law firms that represent foreign clients, the impact will be felt immediately in several ways. Here is a brief summary of how GDPR may impact your firm.
A major change that will be felt immediately pertains to “extraterritorial” reach. EU law will apply to any business or individual that processes the personal information or data of a resident of the European Union. This includes the offer of goods or services or the monitoring of behavior.
Reach will therefore be measured digitally rather than physically. In fact, less attention will be paid to the physical location of the entity. Rather, the specific behaviors will be examined. This will include the types of currency or language used on a website or the profiling of EU individuals, for example.
In short, the law will broaden the EU’s ability to claim legal jurisdiction based on digital activities rather than physical proximity.
Any entity conducting business of any type with a citizen or company of the European Union should assume that GDPR applies to them.
Personal Data Protection
The GDPR imposes stricter guidelines for the collection, handling, and sharing of personal data. This is the core intention of the regulation. The definition of personal data is also expanded to include modern identifiers such as biometric data (such as a fingerprint obtained to unlock a mobile device), IP addresses, retinal scans, and even genetic data.
Further regulations will govern the consent to obtain, store, or share data. Greater transparency will be necessary, including explicit details in some cases. In addition, any business that falls under GDPR’s regulations will need to appoint a representative within the European Union even if they have no physical presence there. This role may be outsourced.
The general scope of the law will no doubt spark a lengthy uproar regarding privacy and its role in eDiscovery. The US and the EU have long been at odds in this regard as the US statutes on discovery often clash with EU privacy laws, which are now becoming stricter.
In an effort to tighten data protection, the GDPR imposes strict penalties for violations. These may include fines of up to €20 million (USD $24 million currently). While most fines will likely not come close to this extreme, the stakes are high for falling out of compliance.
What Your Firm Can Do
There are two major challenges facing US law firms once GDPR goes into effect. The first is that the waters are uncharted. Certain portions of the law may be challenged in court, additional changes may be forthcoming, and new regulations always bring with them a transition period.
Another challenge is adapting to stricter regulations governing data communication and privacy. The regulations are tighter, the reach is wider, and the penalties are more severe.
Data protection, including client information, will have to be brought up to speed with new compliance standards. Firms would be wise to begin the process now of ensuring that the information of any clients within, or conducting business with, the EU is properly maintained, to avoid repercussions once GDPR goes into effect.
Legal Imaging can help US firms navigate these new and murky waters. We are a US-based litigation support firm specializing in e-discovery and computer forensics -- two areas sure to be impacted by GDPR.
With the May deadline approaching, firms should prepare to comply with GDPR or face severe penalties. Contact Us for a FREE Practice Management Assessment and discover how Legal Imaging can assist your firm today.