The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave Leighton Paisner is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: What are a law firm’s obligations under the GDPR in the event of a data security breach?
Answer: It depends. A law firm may be either a processor or a controller depending on the context in which it is processing personal data of data subjects in the European Union that it received as part of its representation of a client. If a law firm is acting as a joint controller, e.g., because it is processing personal data received from the client in the course of providing legal advice, it is required to notify the lead supervisory authority within 72 hours of becoming aware of the breach if the breach poses a risk to the rights and freedoms of individuals. The report should be submitted online through the website of the relevant supervisory authority. Depending on the applicable country to which the law firm makes notification, the report may need to be made in the language native to that country. The notification shall at least:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Although the above requirements are expressly set forth in the GDPR, the online reporting forms generally require the reporting entity to provide additional information.
If the breach poses a high risk to the rights and freedoms of the EU data subjects, notification to the individuals will be required “without undue delay.” While no time period is specified in the GDPR, the law firm should weigh the need to notify subjects as soon as possible against the risk that premature notification may result in communicating inaccurate information and/or possibly requiring a second notification.
In reality, however, in most instances the law firm is acting as a “joint” controller, meaning that the notification obligations will fall to both the firm and the client. Accordingly, the law firm should consult with its client(s) at the earliest opportunity about the circumstances of the breach and the plan for making notification. While the parties may have set forth their agreement concerning breach notification obligations in their firm engagement letter, in most instances the parties will not have done so. If the breach is the responsibility of the law firm, most clients will expect that the firm take the lead in making notifications.
Where the law firm is acting as a data processor and not a controller (e.g., where a law firm was retained for the express purpose of conducting document review of personal data and the client directed the process), the law firm is required to notify the client “without undue delay,” and the obligation to make notification to the supervisory authority and/or the individuals would fall to the client. This is similar to the requirements under U.S. law, which requires that a law firm that suffers a breach of personal data it received from a client notify the client, who in turn would be required to notify individuals and/or regulators.