Even law firms based in the U.S. without any cross-border practice should care that their vendors are GDPR compliant. Compliance is a table-stakes vendor maturity test.

GDPR should be taken seriously, even by law firms operating outside of Europe

The GDPR has significantly influenced global privacy legislation, serving as a foundational model for laws such as California’s CCPA and Quebec’s Law 25. Notwithstanding criticism, GDPR establishes principles that manage to be technologically neutral: a crucial bar for privacy-minded organizations that want to stay at the cutting edge of technology. Policy makers across jurisdictions have learned from the construction of GDPR. The CCPA grants individuals a remarkably similar set of rights with regards to their individual data. Quebec’s Law 25 integrates similar consent requirements as well as the Right to Erasure.

Law firm clients, ranging from individuals to sophisticated corporates, expect that law firms are able to afford them similar rights as established in these leading privacy frameworks. That means that their vendors need to be equipped to do the same.

What law firms should ask their vendors about GDPR

Whether or not a vendor claims to be GDPR compliant, law firm leaders shouldn’t trust them with their data until they ask them a few table stakes questions.

• Do you offer a Data Processing Agreement?

• Can firms access, export, and delete all their data? Can firms do so on a per-client basis?

• Do you conduct Data Protection Impact Assessments?

• Have you identified all your subprocessors and data flows?

• Do you restrict access with audit trails, role-based controls, and encryption?

Our journey

At PointOne, we began implementing GDPR controls as soon as we started serving our U.S. clients—well before our first cross-border users onboarded. We believed then as we do now that privacy, transparency, and control are foundational to building trust in legal tech.