For privacy and data security lawyers at global law firms, there's never been a busier time.

Not only are they reporting a surge of work from clients struggling to comply with the European Union's new General Data Protection Regulation, but many of them have also been helping prepare their own firms for compliance with the new regulation, which starts to apply in just three weeks, on 25 May.

The GDPR sets up a single set of data protection rules for all EU member states. But it also reaches companies outside the EU that process the personal data of people in the EU in connection with offering them goods or services or monitoring their behaviour, regardless of where the business is located. And penalties for noncompliance are steep: up to 4% of a company's total worldwide annual turnover or €20m, whichever is higher.

That has sent many companies rushing for legal advice and support from firms with a history of handling European data security measures.

"We are extremely busy," said London-based Squire Patton Boggs partner Anne LaFrance, who co-chairs the firm's global data privacy and cybersecurity group. "We've been burning the midnight oil pretty much every day to get folks to a defensible position by 25 May."

Paper flying

Reacting to changing privacy regimes is nothing new for veterans of the practice. The EU adopted its first directive on data protection in 1995, which mandated that member states implement rules starting in 1998.

But while directives such as the 1995 rules leave it to each EU country to implement them in national law and adapt them over time, the GDPR is a regulation, which makes it directly binding in all member states from the day it applies, without any national implementing legislation.

The list of affected industries is sprawling, too. Beyond such businesses as the big tech companies, the rule affects the financial services, real estate, gambling, and hospitality industries, to name a few. Because the potential reach of the new regulation is so wide, for many clients, the first piece of analysis is whether the GDPR applies at all.

"It's one thing if you have an established presence in the EU," said Tim Blank, the managing partner of Dechert's Boston office. "If you're a US-based company without an established presence, but you offer goods and services, it's a different analysis."

There's also a third category: US-based companies that neither sell goods or services in the EU nor have an established presence there, but do store data there.

LaFrance also sees a wide range of needs from her client base. Extremely sophisticated, data-rich, consumer-facing businesses - the "pick and mix clients" - come in the door with particularly complex issues, such as how to manage the new regulation on a pan-European basis.

Then there are the companies handling business-to-business data - the "soup to nuts clients," LaFrance calls them - that have never focused on these issues before and need help with everything.

"We're almost becoming their internal compliance department on this particular issue," she said.

The story is the same with Mayer Brown, which has lawyers in Europe, Asia and the US working on compliance preparations.

"For those more sophisticated clients, or those clients who were more ahead of the curve, we have been helping with very specific issues. With others, we've been helping with the whole exercise," said London intellectual property (IP) and IT partner Oliver Yaros.

Businesses also need to update existing agreements and create new vendor agreements with third parties that handle personal data. Squire Patton Boggs has trained a team in the US, working under EU experts, to help manage the vendor process.

"If you're working with a cloud provider or an IT provider, you're obligated to make sure your agreements provide very specific clauses," LaFrance said. "There's paper flying back and forth - figuratively - online among data controllers and vendors coming up with very creative ways to manage this."

Ramping up

The volume of the work has been building over the last two years. Big technology companies and players in regulated industries - such as financial services and insurance - have been clear from the start about the impact of the new regulation. Ropes & Gray Europe privacy and cybersecurity head Rohan Massey said that an EU commissioner told him that on a visit to the West Coast last year, everyone was prepared for the GDPR, and on his return to Europe, no one was ready.

"Some businesses run on the value of data, that's their entire business model," he said. "Others have it as a byproduct, it's not their core purpose. They're the ones that are behind."

Still, even if lawyers are doing more now, as the deadline gets closer and closer, that doesn't mean a client has necessarily been ignoring the issue. "A lot of what we're doing is fine-tuning," said Palo Alto-based Baker Botts special counsel Cynthia Cole. "It may appear on the surface to be last minute, but there's a lot going on internally before they reach out to the lawyer."

Some firms have found it necessary to staff up to meet increasing demand, while others have drafted in lawyers from adjacent practices. Squire Patton Boggs has taken on contract lawyers and hired new people in Europe and the US.

"It still isn't enough, and there isn't enough experience out there," LaFrance said.

At Dechert, the firm has partners from its financial services, M&A, international trade and litigation practice groups stepping in to advise clients. And the firm and its peers see the work being split between lawyers across continents.

"What we found is having an international footprint is helping us," said Yaros of Mayer Brown, where lawyers from Europe, Asia and the US are all working on compliance preparations. "It's great being able to work on these projects where you can draw resources from all over the firm."

Past the finish line

The upcoming deadline might afford lawyers a quick pause, but they will spend the following days and weeks continuing to ensure compliance while preparing for a new stream of work. For example, there will still be the need to review and tweak new and old vendor contracts.

Lawyers will also be advising clients on keeping a living record of their processing activities: what personal data they hold, and what they use it for.

"25 May is not really the finish line. You have to be in compliance, but staying in compliance is just as important, and it's really the beginning of your GDPR compliance obligations," Blank said. "I don't think by 26 May, people will be breathing easier, dusting off their hands and saying, 'On to the next project.'"

The nature of EU regulators' enforcement efforts will undoubtedly determine what comes next as well. Few expect notices of violation to start flying immediately.

"The regulators are publicly stating there will be clear and effective enforcement as of 25 May. They will be looking to use their increased power of sanction, and I think that will happen," Massey said. "But I don't see a sea change where we will suddenly see headlines of big fines immediately."

But practitioners will pay close attention to the first announced violations to see what the concrete effects of the regulation are.

"As different companies are brought forth as examples, either because of breaches or because they have not complied, then, on my side, we'll be fine-tuning and taking a look at what 'consent' or what 'legitimate interest' really means, because we'll see how that's being interpreted and enforced," Cole said, referring to two of the six legal bases the regulation allows for processing personal data.

And some lawyers will inevitably find themselves representing clients that have drawn the attention of enforcement officials, or representing parties directly harmed by data breaches. With stiffer fines, the calculus may shift towards challenging enforcement actions rather than simply absorbing their blow.

Public disclosure of breaches, prompted by the regulation's stricter breach notification requirements, could trigger a rise in American-style class actions in the UK. According to LaFrance, litigation funders are already looking into the opportunities afforded by the new regulation.

Looking in the mirror

In the midst of all this opportunity, global law firms also have needed to prepare their own operations for compliance with the regulation, since their business invariably involves personal data collection.

"Baker Botts is an international law firm, and international firms are subject to the regulation," said IP partner Neil Coulson, who chairs the firm's IP practice across London and Moscow. "We've been looking internally at compliance over the last 18 months."

The degree to which the client-facing work and the firm's own internal compliance effort are handled by the same people varies from firm to firm.

"There is definitely overlap between the people who are doing work for clients and the people who are helping Dechert as well. But it's not 100 percent," Blank said.

At Squire Patton Boggs, the two threads have been tightly intertwined. "It's like, 'Physician, heal thyself,'" LaFrance said. "The team in Europe is treating the firm like it's any other client. We've been doing this for more than 18 months."

According to LaFrance, while the firm determined it was not obligated to appoint a data protection officer under the regulation, it elected to do so, and LaFrance herself will be filling the role.

The work has also included new training, new notices, revised standard terms to incorporate the regulation, along with stronger data breach procedures. It has spanned different departments, LaFrance said, but it has also pulled the firm together.

"It's been very therapeutic, in a way, though painful," she said.