What does GDPR Mean for Law Firms? – Joshua Lenon, Clio

This is a Guest Post by Joshua Lenon, Lawyer in Residence at Clio the pioneering cloud-based law practice management software company.

While this isn’t per se about AI or automation, the reality is that everyone on the planet who has any connection to data analysis and legal technology, whether that involves machine learning or not, has an interest in getting it right when it comes to the changes GDPR will bring.

GDPR also creates opportunities for legal tech companies, and law firms, to provide data analysis and compliance solutions that could well make use of automation and machine learning. In which case, what better way to get our heads around the issues than hear from a lawyer who works at a major legal tech company and has some useful advice? Enjoy.

Joshua Lenon, Clio

The General Data Protection Regulation (GDPR) comes into effect across EU states in May 2018, including Great Britain. It will apply to every organisation, law firms included, that process EU residents’ personally identifiable information.

The latest PwC Annual Law Firms Survey found that only 13% of all law firms have performed an assessment over GDPR, with an additional 19% having only performed a partial assessment.

Exceptions for Law Firms

The GDPR contains crucial exceptions for law firms to leave their client work unaffected. For example, Article 9 prohibits the processing of personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and more, but for many cases these details may be crucial to the determination of a law’s applicability. Fortunately, Article 9(f) carves out an exception to this prohibition, allowing processing that is necessary for “the establishment, exercise or defence of legal claims.”

Law firms may also be exempt from consent and access rules surrounding data subjects. The GDPR lays out many rights and processes newly available for data subjects, like the right to access data stored about them (Article 15), or a right to be forgotten (Article 17).

Under these rules a law firm might be forced to disclose information gathered about third parties as a part of preparing for litigation or investigating legal claims, but Article 23 of the GDPR provides that a Member State may limit these obligations to safeguard “(g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions.” This means that many duties imposed on other industries affected by the GDPR may not apply to the legal profession.

Furthermore, law firms’ obligations of professional secrecy and legal professional privilege put them in a unique position when it comes to GDPR compliance. Article 90 of the GDPR enables Member States to adopt specific rules in relation to data controllers and processors subject to an obligation of professional secrecy, like solicitors and barristers. These rules could limit a Member States’ supervisory authority to access a law firm’s confidential records, even if those records might be gathered without a person’s express consent.

Obligations for law firms in the regulations

All this is not to say that law firms have no obligations under the GDPR. Many obligations still exist and can be quite onerous. Firms must:

  • Be “accountable” for the data they hold, maintaining accurate records including how data was collected and how it is being used.
  • Notify the supervisory authority immediately of any breaches within 72 hours of becoming aware of it. If the data is deemed to be “high risk” they must also notify the client directly.
  • Appoint a Data Protection Officer if a firm is processing large amounts of data (clarified in Article 37) to oversee all matters related to data protection including training, compliance monitoring, and to act as a liaison with the Data Protection Commissioner.
  • Create data protection impact assessments when undergoing large-scale processing operations that aim to process a considerable amount of personal data at regional, national or supranational level, which could affect a large number of data subjects and which are likely to result in a high risk. However, the processing of personal data should not be considered to be on a large scale if the processing concerns personal data from clients by an individual lawyer (Recital 91).

GDPR’s impact on law firm technology

Law firms should begin reviewing their technology and operations now to become compliant with the GDPR by May of 2018. Article 32 requires data controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Such measures could include encrypting personal data, data access logging to ensure ongoing confidentiality and integrity, backups for timely restores, and testing procedures to verify the previous measures. Data controllers should also take steps to ensure that others granted access to hold personal data only process them on instructions from the controller.

Notice on the EU’s GDPR site: eugdpr.org

The area most at risk for law firms is technology used to store case files and client contact details. This type of technology is commonly called case management or customer relationship management software (CRM).

Lawyers need to review what personal data they are storing, where is it held, and who is allowed to access that data. While these seem like easy questions, once you factor in backups, employee access, and cloud vendors/online storage, mapping out your data can seem daunting.

Law firms should be asking their software vendors about the steps they are taking to ensure GDPR compliance by the May 2018 deadline. Important questions to ask include:

  • Data locale – where is the data being stored?
  • Data security – is the data being encrypted?
  • Data access – how is access to the data being controlled, both as applied to law firm employees and vendor employees?
  • Data recovery – how easily is data restored?
  • Data portability – can I easily give data subjects a copy of their personal data stored in the system, in a “structured, commonly used and machine-readable format”?

Practical steps to ensure compliance 

  1. Know the rules

The Information Commissioner’s Office is a good place to start, providing a comprehensive overview of the rules outlined in the GDPR. The Law Society of England and Wales, and the Council of Bars and Law Societies of Europe (CCBE) have both published guidance on GDPR compliance for law firms.

Also be aware that the rules are not entirely final. Guidance is still being considered by European Commission’s Working Group 29, and the British government has proposed a new Data Protection Bill that will clarify many of the possible exceptions noted above.

  1. Educate

Make sure all staff are up to speed with the regulations and the impact they’ll have on how they handle customer data. Hold staff briefings, twice a year at least, on data protection. Run drills on simulated breaches to ensure preparedness.

  1. Gather

Review the means by which you communicate data processing and document consent with your clients. The GDPR sets a high standard for consent, but the biggest change is in consent mechanisms. This may include updating your law firm’s privacy policy. Your policy should be concise, transparent, and easily accessible. The GDPR requires a longer and more detailed list of information that must be provided in a privacy notice than previous legislation, giving data subjects more granular options and law firms more responsibility in responding to those options.

  1. Audit

Review all policies of any third party data processors that you employ to ensure they are working towards full compliance by 2018. Use the list above to start your audit.


The sanctions for breaches are stringent. Minor administrative breaches can attract a penalty of up to €10m or 2% of annual worldwide turnover, and more fundamental breaches are subject to a higher fine of €20m or 4% of annual worldwide turnover. The GDPR may be off the radar for many lawyers, but come May 2018, these sanctions will demand attention.