Study Shows that Law Firms Aren't Prepared for GDPR

Topics: GDPR

According to a tweet by security blogger Graham Cluley, only a quarter of law firms in the UK report being ready for GDPR.

And that doesn't mean that they're not ready to advise other businesses about their potential exposure under the regulation. It means that, by their own admission, their own IT systems are not yet compliant with a regulation that goes into effect on May 25, 2018.

This is a sentiment echoed by legal IT expert and entrepreneur Matt Torrens, who finds the report to be an unsurprising representation of the UK legal profession's approach to GDPR – they're just not taking it seriously.

In fact, in a blog post linked from his tweet, Cluley noted that 25 percent, being a self-reported assessment of lawyers' own level of GDPR preparedness, could itself be a drastic overstatement.

So why would a profession built around litigation be so blasé about a regulation as significant as GDPR? Let's take a look at that question.

From there, we can explore the sort of impacts UK law firms are risking if they continue to back-burner GDPR, and what it means not just for lawyers in the UK, but for all businesses in the UK, the U.S. and beyond.


What's Different About the UK?

At the moment, the UK is in a singular situation with regards to its EU membership.

In the wake of 2016's "Brexit" referendum, in which the country voted to leave the EU, and the subsequent triggering of Article 50 (the part of the EU treaty that sets out the process by which a single member state withdraws from the Union), politicians and legislators have begun negotiating what the relationship between the UK and the EU will look like after the UK's departure.

From the outset, these negotiations have been contentious, highly politicized and slow-going, as both sides try to determine which moves will be advantageous for whom, and which fixtures of the current relationship, if any, can remain after the UK officially leaves in early 2019.

Meanwhile, UK citizens and businesses – especially those enterprises that do a lot of business throughout Europe – are waiting to see how this massive retooling of international agreements will impact them personally.

This may be part of the lack of focus on GDPR from UK law firms. Firms with significant presences on the continent could be distracted, focusing more attention on how – or if – they will continue to do business with Europe after the official exit from the EU.

Regardless of the root causes, though, there are several reasons such firms should still be taking GDPR seriously. First and foremost, no matter how the final Brexit deal is written, GDPR will still apply: it takes effect in May 2018, while the UK is still a member state, and its reach does not stop at the EU's borders.

GDPR and Doing Business With Europe (Not Just In Europe)

One of the notable things about how GDPR is written is its territorial scope (Article 3): a business established outside the EU that offers goods or services to individuals in the EU, or monitors their behaviour, is bound by the regulation for any processing of those individuals' personal data. Such a business must meet the same regulatory burden, hit the same security benchmarks and so on for whichever parts of its systems control or process that data.

So even if British lawyers are technically no longer EU citizens after 2019, if their firms are doing business with clients in Europe they will still be on the hook for the potentially debilitating fines in place for GDPR violations, which run as high as €20 million or 4 percent of global annual turnover, whichever is greater.

There's also speculation that the reason for the lack of movement on the part of British law firms is that they just don't believe that the fines will actually be levied against non-EU enterprises, even if the rule is on the books.

But as Cluley notes in his blog, given the size of the potential fines – who would want to bet on that chance?

Not to mention that the UK could readily adopt some, or even all, of GDPR's requirements as part of its own post-Brexit data protection law if UK legislators judge them to be the right way to protect data privacy. Indeed, the Data Protection Bill before Parliament at the time of writing was drafted to carry GDPR's requirements into domestic UK law, so that they would continue to apply after exit.

And concern over potential fines – no matter who they're coming from – is only one of the reasons companies of all stripes, in the UK, the U.S. and elsewhere should be serious about GDPR.

Taking GDPR Preparation Seriously: A Best Practice for All Businesses

GDPR does make some regulatory demands that are unique, such as requiring that businesses be able to honour erasure requests (the "right to be forgotten") from individuals in the EU. But some of its demands, like building out a network with privacy assurance and cybersecurity in mind at every step, align perfectly with sensible cybersecurity best practices and good customer service.

So if you're a U.S. company that does any business with the EU or with individuals in the EU, all this talk of meeting compliance benchmarks should at the very least inspire you to take a look at your overall cybersecurity posture, audit your systems, and think about meeting these benchmarks not as hitting arbitrary guidelines for compliance's sake, but as going above and beyond to protect your customers, no matter where they reside.

And it should also inspire you to partner with vendors who place meeting cybersecurity compliance guidelines at the top of their list of priorities. Together, you can make sure that any customer or user data that you use in the course of doing business is protected – for the sake of not running afoul of GDPR and other regulations, as well as for the safety of your customers' information.


Editor's Note: This post was originally published in January 2018. It has been updated for accuracy and comprehensiveness.
