Back to Basics: GDPR and Law Firms

The Corporate Law Academy

The Story

In May 2018, the General Data Protection Regulation (GDPR) came into force, radically changing the rules surrounding data protection and data privacy across the EU. Companies scrambled to comply with far more onerous rules related to how they collected, used and stored personal data.

Impact on Businesses and Law Firms

Let me dive into how the GDPR has impacted law firms.

GDPR uncertainty has led to a surge in demand for advisory work. Businesses of all sizes had to hire advisers and implement systems to make sure they were following the rules, especially given the GDPR’s substantial penalties for noncompliance. Lawyers were there to help companies update their privacy policies, ensure they were processing data on a ‘lawful’ basis, and advise on the new rights that users have over their data. Some law firms, like Herbert Smith Freehills and DLA Piper, even turned to technology to help clients comply with the GDPR in the event of particular data breaches.

The GDPR has meant that data protection and cyber security issues play a larger role across practice areas. Take Marriott International, for example, which is facing a £99.2m fine from the UK’s data regulator, the Information Commissioner’s Office (ICO). The ICO found that Marriott failed to carry out sufficient due diligence during its acquisition of Starwood Hotels. Following this case, lawyers may well place greater importance on cyber due diligence during M&A deals, as well as seek further contractual protections on behalf of the buyer, in case security incidents relating to the target company come to light in the future.

Finally, let’s not forget that law firms are businesses. Just like any other business, they must also comply with the GDPR. Consider this in the context of the recent growth of legal technology tools within law firms. Under the principles of ‘privacy by design’ and ‘privacy by default’, law firms must consider data privacy during the design stages (which might involve carrying out a privacy impact assessment), and must ensure that privacy is the default standard for processing data, so that only the data needed to achieve a specific purpose is processed.

By Jaysen Sutton
