Home » Large Law » The Time Is Now: Preparing for GDPR | Part Two of Three

The Time Is Now: Preparing for GDPR | Part Two of Three

Compliance with all of the regulations that apply to your firm’s marketing and business development activities is critical to the reputation and success of your firm. Staying on top of the rules and deadlines of these regulations, however, can be a daunting prospect.

Your firm may be affected by regulations that are created and enforced by both local and foreign entities. Whether certain regulations apply to your business depends on the nature of your client relationships and the scope of your firm’s operations. That’s why it’s a good idea to stay consistently informed of the implications of global regulations that could impact your firm’s compliance.


The General Data Protection Regulation (GDPR) regulation applies to the personal data of all individuals who reside in the European Union (EU) and it’s intended to return control of that personal data to each EU citizen. Depending on the nature of your business, GDPR could certainly apply to your firm—even if you have no physical presence in Europe.

The GDPR, officially titled Regulation (EU) 2016/679, is issued by the European Parliament, the Council of the European Union, and the European Commission, replacing the data protection Directive 95/46/EC from 1995. The GDPR itself is an 88-page PDF covering the new guidelines in exhaustive detail.


The GDPR regulation asserts that organizations that collect, process, and secure personal data of EU citizens must abide by specific privacy principles. This means that law and professional services firms are evaluating the implications of GDPR on their operations to determine how it affects them.  Here are a few highlights of the regulation:

  • GDPR gives EU citizens and residents control of their personal data
  • GDPR applies to companies, government agencies, and other organizations offering goods or services to people in the EU
  • GDPR applies to organizations that collect and analyze data of EU residents
  • GDPR applies to organizations that do not have a physical business presence in the EU if the organizations store or process personal information of EU residents


Noncompliance with this regulation can lead to serious consequences. The potential penalties include:

  • Written warnings in cases of initial and unintentional noncompliance
  • Periodic data protection audits
  • Fines of up to 2% of global revenues or 10 million euros, whichever is higher, for violation of specific provisions
  • Fines of up to 4% of global revenues or 20 million euros, whichever is higher, for violation of specific provisions.


If it’s determined that GDPR affects your firm, it’s important that you demonstrate compliance by May 25, 2018. The deadline is looming, so if your firm isn’t preparing, it’s certainly time to get started!

Fortunately, a wealth of information about GDPR compliance is available. One resource is this practical 10-step plan that outlines the steps necessary to evaluate your risk and ensure compliance. The plan reveals action you can take right now to help get your firm prepared for the GDPR, including project initiation, GDPR awareness, data risk assessment, policy and procedure adjustments, privacy notice development, understanding and complying with the rights of data subjects, ensuring compliant processing of personal data, and incident/crisis management.


Ensuring GDPR compliance can do much more than prevent financial penalties and reputation risk for your firm. This is an opportunity to improve the quality and accuracy of your client and prospect data and provide greater transparency concerning the firm’s collection and processing of information. Taking just a few steps can improve client trust and loyalty to your firm.

It’s also a good idea to evaluate the relevant technologies and software applications used at your firm and understand how your vendors plan to support your GDPR compliance needs. Once you’ve established what your firm needs to do to become and remain compliant, you should share this information with your software vendors so that they can back your efforts.

GDPR will be a serious challenge for some law firms, even those based in the United States and Canada. The clock is ticking toward the May 25, 2018, deadline, so prompt action is critical.

For even more valuable information, be sure to contact your InterAction® Account Manager for an exclusive invitation to the webinar series covering the ways that InterAction tools can be used to execute GDPR compliance plans.


Facebook Twitter Pinterest Plusone Linkedin Digg Delicious Reddit Stumbleupon Tumblr Posterous Email Snailmail

About Mark Weadon

Mark Weadon
Mark Weadon is a Senior Product Marketing Manager at LexisNexis for InterAction and LexisOne. Prior to joining LexisNexis, Mark marketed business analytics software and solutions to the pharmaceutical industry at SAS Institute. Mark has also held management roles in Global Information Technology at Cisco Systems and GlaxoSmithKline. Mark holds an MBA degree from Elon University and a BA degree from Duke University.