Be Ready for New EU Privacy Regulations – May 25, 2018 is Rapidly Approaching


New EU Privacy Regulations

The EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, was adopted in April 2016.  After a two-year transition period it applies from May 25, 2018, replacing the 1995 Data Protection Directive (95/46/EC).  Because it is a Regulation rather than a Directive, it applies directly in every EU member state without national implementing legislation.  A summary of the Regulation can be found at

This article summarizes some of the factors that law firms need to consider in planning for GDPR.  It is not a substitute for a detailed understanding of the GDPR requirements themselves.

The GDPR contains new protections for data subjects in the EU and threatens significant fines for noncompliance (up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious violations).  A key change to EU data privacy is the extended territorial scope of the GDPR: it applies to any organization processing the personal data of data subjects who are in the EU, regardless of where the organization itself is located.  Issues addressed in the Regulation include:

  1. Cross border data transfers and where data can be maintained
  2. Data subject consent, which is subject to several requirements, including:
    1. Must be “freely given”
    2. Must be “specific”
    3. Must be “informed”
    4. Silence is not consent
  3. Data subject rights under GDPR, such as:
    1. The Right to be Forgotten
    2. The Right to Access
    3. Data Portability
    4. Breach notification (affected data subjects must be informed of a breach that is likely to result in a high risk to them)

While GDPR is not a technology issue, data management and use of technology is an important element.  In addition to the substance of the practice, GDPR can impact several functional areas within an organization, including:

  1. HR
  2. Accounting
  3. Marketing – Business Development
  4. Information Governance
  5. Technology, including cross border data transfer issues. Under GDPR, any access to data held in the EU from outside the EU, even for system management purposes, is considered a potential cross border data transfer. Data can be managed and stored outside the EU only if a recognized transfer mechanism is in place, such as an adequacy decision, standard contractual clauses, or (for transfers to the U.S. at the time of writing) the EU-U.S. Privacy Shield framework. Note that the Privacy Shield was later invalidated by the Court of Justice of the EU in July 2020, so firms that relied on it need another mechanism.

GDPR is More Than a Technology Issue

Firms should also prepare to address the other non-technology related requirements under GDPR.  These include, but are not limited to:

  1. Communication with clients and customers as to data retention and security
  2. Ensuring that the Firm is meeting GDPR requirements for data subject rights
  3. Whether the Firm is required to appoint a Data Protection Officer
  4. Website notification language
  5. Other information governance and communication policies required under GDPR, such as breach notification (a breach must be reported to the supervisory authority within 72 hours of the Firm becoming aware of it, unless it is unlikely to result in a risk to data subjects)

There are several steps that should be taken to prepare for GDPR.

  1. Identify the functions within the organization that are likely to be impacted (as noted above these include HR, Accounting and Marketing)
  2. Raise awareness with key stakeholders
  3. Assign responsibilities
  4. Assess the impact of GDPR on the organization, and specifically what data needs to be addressed under GDPR. This should include:
    1. Document relevant data and data flows
    2. Assess risk
  5. Develop and implement a plan to comply with GDPR
