GDPR One Year Later!

By David Lipscomb posted 08-05-2019 16:52


Privacy is the buzz word that we all hear about today. Why?  Because on May 25, 2018 the European Union (EU) General Data Protection Regulation (GDPR) went into effect solidifying that privacy is a human right.  It is binding on all EU members businesses and their partners that manage and collect personally identifiable information (PII) on EU citizens, and grants rights and remedies for businesses to be fined and sued for non-compliance. With the implementation of GDPR, citizens are granted the following rights:

  • Right to be informed

  • Right of access

  • Right to rectification

  • Right to erasure/to be forgotten

  • Right to restrict processing

  • Right to data portability

  • Right to object and Rights in relation to automated decision making and profiling


 So, what does this mean for law firms?  It depends on the role the law firm plays in the handling of the data.  Let’s define the roles of controllers, joint controllers, and processors:

Controller - Any entity that exercises overall control of the purpose and means of the processing of personal data.

Joint Controller – Any entity that shares the overall control of the purpose and means of the processing of personal data.

Processor- An entity that acts on behalf of, and only on the instructions of, the relevant controller.


In most cases, law firms would be considered joint controllers and not processors of data as determined by the engagement letter with the client.  If the law firm is determined to be a joint controller, they would be equally liable with their client for any infractions under GDPR.  More information can be found at the UK’s independent authority, Information Commissioner’s Office (ICO) website.

The right that would likely be of utmost concern to law firms would be the “Right to be forgotten or Erasure”. This right holds the data controllers responsible for deleting all information pertaining to an EU citizen when requested by the data subject. However, there are circumstances where data cannot be erased in a timely manner, or at all, by a firm (for more detail, check the ICO website).  Fines can be significant.  Just within the year Google was fined 55 million dollars for violating the regulation and other smaller companies were fined another 6.5 million dollars.  As you can see, regulation violations can bring significant financial consequences.

The implementation of a privacy framework that allows firms to process and manage requests in support of GDPR and other privacy laws is generally straight-forward due to the way information is introduced into the firm and how documents are managed.  Additionally, many vendors have updated their software to accommodate requests for where PII data resides via added queries, reports, and alerts.

For those fortunate enough to be attending ILTACON, there are two sessions discussing privacy regulation to make sure you attend.  On Tuesday at 1:30 will be a panel presentation ‘Data Privacy – Everyone’s Getting In On It’.  The panel will be discussing the overall impact of privacy legislation, how it has affected data and privacy handling within your organization, the financial impact it’s had in the form of fines and settlements, upcoming U.S. privacy laws and the future of the privacy landscape.  Thursday’s session at 2:00, ‘Data Privacy – the Anniversary of GDPR and the Shape of Things to Come’ will address the impact on organizations as they implement the necessary policies and procedural changes required to maintain compliance, including technical and organizational measures required to foster a culture of privacy awareness at the firm.