The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave Leighton Paisner is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: What types of information do law firms collect that may be subject to the GDPR?
Answer: Law firms typically collect personal data subject to the GDPR in the following five contexts:
- Employee data. If a law firm has employees in the European Union, the human resource data that it collects about those employees is most likely subject to the GDPR.
- Data about potential clients. Most law firms collect personal information about potential or prospective clients. Such data is typically used to target potential clients, plan for pitches, tailor responses to requests for proposals, or send direct marketing. Personal data about prospective clients may be subject to the GDPR if it is processed in the context of an establishment in Europe (e.g., a European office of a law firm), or if the data is used to market to individuals located within Europe.
- Data about the law firm’s clients. Most law firms collect personal information about their clients, or about individuals that work for their clients. Such data is typically used by a law firm for a variety of purposes including running conflicts, sending out invoices, collecting money owed to the law firm, transmitting marketing, and communicating with clients about projects and engagements. Personal data about existing clients may be subject to the GDPR if it is processed in the context of a European establishment of the law firm (e.g., if the matter is handled out of a European office of the firm) or if the client (to the extent that the client is an individual, such as a private client) is located within Europe.
- Data received from clients to be used in a representation. Clients often transmit to law firms personal data that is relevant to a particular matter or representation. For example, if a client retains a law firm to defend it in conjunction with a sexual harassment lawsuit brought by an employee, the client might transmit information about the employee, her supervisors, or her colleagues. Such data will be subject to the GDPR if it is processed in the context of a European establishment of the law firm (e.g., if the matter is handled out of a European office of the firm). It is also possible that if a private client (e.g., an individual as opposed to a corporation) that is located in Europe transmits information about themselves to be used in a representation, that data is also subject to the GDPR.
- Data from other sources to be used in a representation. Attorneys often receive personal data from third parties that may be relevant to a particular representation. For example, in the United States an attorney may serve a document request on an opposing party or a subpoena on a third party that asks for personal data that may be relevant to litigation. Such data may be subject to the GDPR if it is processed in the context of a European establishment of the law firm (e.g., if the matter is handled out of a European office of the firm).