The short answer: if your firm deals with clients in the European Union, then yes.
The General Data Protection Regulation went into effect on May 25, 2018. Companies have been scrambling to make sure they are in compliance with these new requirements, and email inboxes have been flooded with updated Privacy Policies. Each European country had its own privacy laws before this overarching regulation was enacted; now member countries are united under the world’s strictest privacy law.
What does this mean for the American law firm with European business dealings?
The European Union Parliament now states that the GDPR is “enforceable by any EU member state against any business, anywhere in the world, that holds or processes the personal data of even one citizen of the EU.” This means that any company doing business in Europe, even one without a physical location there, can be held accountable under this law. It applies even if a company merely stores data in a European country or collects information about EU data subjects, and that collection could be something as innocuous as a marketing activity.
Bloomberg BNA offered the example of law firms that retain copies of EU client documents after they ask for their files to be returned. You’re just making copies for your own records, right? Not so fast. If that client wants to “be forgotten,” which is allowable under the new law, that law firm may be in trouble. Because the GDPR creates a private right of action if there is noncompliance, that client now has the ability to sue. (Of course, whether they’d waste resources in order to do so is another question.)
BigLaw firms have the money to hire people for the express purpose of GDPR compliance, perhaps even establishing their own internal compliance departments, but smaller firms will likely have more difficulty both establishing and maintaining compliance. After all, May 25 was not the end of the road. Now companies must remain in compliance with the GDPR. Outsourcing compliance issues to legal professionals who are versed in EU law would be the prudent choice.
Compliance with the GDPR is the intelligent thing to do, because penalties can reach 4% of a firm’s global revenue or 20 million euros, whichever is higher. Then the question becomes, “Are they really going to penalize my firm?” They might. They might not. Do you want to risk that?