The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave Leighton Paisner is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: Is a law firm required to respond to a data subject rectification request?
Answer: Yes. To the extent that a law firm is considered a controller of data, it is responsible for responding to a data subject that requests the “rectification of inaccurate” personal information that is held by the law firm.1 Such a request might originate, for example, from an employee of the law firm, a former employee of the law firm, a client, an adversary in litigation, or a witness in litigation.
It is important to note that the obligation to respond to a request for rectification does not mean that a law firm must change the information that it holds about an individual. If the law firm is unable to verify that the information that it holds is inaccurate, if the inaccuracy has – in itself – relevance to the law firm, or if the law firm disagrees with a data subject’s assertion of inaccuracy, the firm can simply note within its file that the data subject has requested rectification and asserts that the correct information is something other than what is in the file.