Risk Update

GDPR and Conflicts of Interest: Ghosts in your files?

Readers who are expert searchers and analyzers (as many of you are, professionally) may already be aware of a sister site I launched earlier this year called Off the Record. It’s about information governance. (Yes, I like puns.) And we’re starting to do some interesting things there as well.

Ted Graham, formerly the intake director at Brown Rudnick and now looking for new haunts, recently reached out with a topic, title and hook he knew would grab my attention… and thus a tale was spun: “GDPR and Conflicts of Interest: Ghosts in your files?” —

  • “An October 2018 decision issued by the Maryland State Bar Association’s Committee on Ethics was the first of its kind in the US. While the bar did not seek to opine on the obligations of law firms under the EU General Data Protection Regulation (GDPR), it provided an interesting glimpse into how US-based bar associations, and law firms, will need to be mindful of the regulation.”
  • “First, and foremost, it’s important to understand whom the GDPR applies to. In addition to entities located within the borders of the EU, it can apply to, under the “targeting prong,” entities, or individuals, who reside outside the EU as well.”
  • “The Maryland decision (Ethics Docket No 2018-06) was in response to a local attorney’s concern about the GDPR’s Article 17 ‘Right to Erasure,’ often referred to as the ‘right to be forgotten.’ Article 17 states that a data subject has the right to demand ‘erasure of personal information concerning him or her without undue delay’ and that a data controller must thereby erase such personal data.
  • Thus, the concern raised in Maryland was that if a client invoked its Article 17 rights on a law firm, that firm would ‘be unable adequately to check for conflicts for purposes of complying’ with the Rules of Professional Conduct. The Committee’s response suggested that if a client had invoked Article 17, and the law firm complied with the erasure, the data subject thereby became a former client of the firm and that the client’s request to be forgotten acted as a waiver of conflicts ‘that could have been discovered had the data been retained.’”
  • “We do not suggest that either exception under Article 17 makes a law firm immune from the right to be forgotten. Simply put, the law firm and the client must come to an understanding of what a request under Article 17 means for both.”

See the complete article for analysis and approaches to address compliance.