Data Privacy Compliance Checklist
Annual data privacy compliance review for a law firm. The firm administrator and managing partner work through policy, data mapping, client rights, safeguards, vendors, incident response, and training to confirm the firm meets Rule 1.6, state breach-notification laws, and clie...
Privacy Policy and Notice Review
- Pull the current published privacy policy
Capture the live version of the policy from the firm website and any client portal. Compare against the version-controlled copy in NetDocuments or iManage — drift between the published page and the master file is a common audit finding.
- Update disclosures for new processing activities
Walk through any new tools adopted in the last year — e-signature, eDiscovery platform, marketing automation, AI drafting — and confirm each category of personal data and processing purpose is reflected in the policy. Lawmatics intake forms and Clio Grow are commonly missed.
- Confirm state-specific disclosures are current
Verify CCPA/CPRA notice at collection for any California clients or web visitors, GLBA Privacy Notice for matters touching financial information, and any required consumer-rights links. Single-state policies are insufficient if the firm's website accepts intake from other jurisdictions.
Data Inventory and Flow Mapping
- Refresh the matter-type data inventory
List every category of personal data the firm processes by practice area — immigration files include biometrics and national IDs, family law files include minor children's data, PI files include medical records. Note retention period per state bar minimums (commonly 5–7 years post-close).
- Map cross-border transfers and storage
Identify any client data hosted outside the US — Microsoft 365 tenant region, Clio data center, eDiscovery vendor processing in the EEA. If the firm represents EU residents or transfers data to EU offices, confirm Standard Contractual Clauses are in place.
- Update the records of processing activities
The RoPA captures purpose, lawful basis, categories of data subjects, recipients, and retention. Required under GDPR Art. 30 for any EU-touching firm; treated as a best-practice artifact even where not required because state regulators increasingly request it.
Client Rights and Consent
- Review the DSAR intake procedure
Walk the workflow from request receipt through identity verification, attorney review, and response. CCPA gives 45 days; GDPR gives 30 days. Privileged work product and current-matter strategy are typically exempt — confirm the response template flags those exclusions correctly.
- Test consent capture on the intake portal
Submit a dummy intake through Lawmatics, Clio Grow, or whichever lead tool is in use. Confirm the consent checkbox is unchecked by default, the timestamp is captured, and the consent record is retrievable. Pre-checked boxes are not valid consent under GDPR or CPRA.
- Brief intake staff on Rule 1.6 boundaries
Receptionists and intake specialists routinely take case facts before a conflict check clears. Reinforce that even pre-engagement consultation information is confidential under Rule 1.18, and that consent waivers cannot supersede the duty of confidentiality.
Technical and Administrative Safeguards
- Run the annual security risk assessment
Use the NIST CSF or a Rule 1.6(c) reasonable-safeguards checklist. Score each domain (access control, encryption, endpoint protection, backup, vendor risk) and rate overall residual risk. The IT manager runs the assessment; the managing partner signs the conclusion.
- Verify MFA across DMS, PMS, and email
Pull the MFA enrollment report from Microsoft 365 / Google Workspace, Clio or NetDocuments, and any remote-access tool. Every active attorney and staff account must have MFA on; service accounts and shared mailboxes are the usual gaps.
- Audit access controls by matter team
Confirm ethical walls are enforced in iManage or NetDocuments — lateral hires and conflict-screened matters frequently have stale ACLs. Cross-check against the conflicts database to make sure screened attorneys cannot reach the matter file.
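One way to run that cross-check mechanically, as an added example that is not part of this checklist or of any DMS vendor's tooling: it takes a constructed ACL export (users and groups per matter), a constructed group-membership export, and a constructed screen list from the conflicts database, and reports every screened user who can still reach a walled matter, including access inherited through a stale group membership.

```python
import csv
from io import StringIO
# Constructed sample: DMS ACL export, one row per (matter, principal).
# Principals starting with "grp:" are groups; everything else is a user id.
ACL_EXPORT = """matter,principal
2024-0117,jdoe
2024-0117,grp:litigation-team
2024-0221,grp:corporate-team
2024-0221,lhire
2024-0305,bjones
"""
# Constructed sample: group membership export from the DMS or directory.
GROUP_MEMBERS = {
    "grp:litigation-team": {"jdoe", "mlee", "lhire"},
    "grp:corporate-team": {"asmith", "kwong"},
}
# Constructed sample: conflicts-database screen list (who is walled off).
SCREENS = {
    "2024-0117": {"lhire"},            # lateral hire, still in the group
    "2024-0221": {"lhire", "bjones"},  # lhire also has a direct, stale grant
    "2024-0305": {"kwong"},            # correctly walled; no finding expected
}

def parse_acl(csv_text):
    """Return matter -> set of principals from the ACL export."""
    acl = {}
    for row in csv.DictReader(StringIO(csv_text)):
        acl.setdefault(row["matter"], set()).add(row["principal"])
    return acl

def effective_users(principals, groups):
    """Expand group principals into user -> grant path ('direct' or group name)."""
    users = {}
    for p in sorted(principals):
        if p.startswith("grp:"):
            for member in groups.get(p, set()):
                users.setdefault(member, p)   # keep the first group path seen
        else:
            users[p] = "direct"               # a direct grant overrides a group path
    return users

def stale_wall_findings(acl_csv, groups, screens):
    """(matter, user, via) for every screened user who can still reach the file."""
    acl = parse_acl(acl_csv)
    findings = []
    for matter, screened in screens.items():
        reachable = effective_users(acl.get(matter, set()), groups)
        for user in sorted(screened & set(reachable)):
            findings.append((matter, user, reachable[user]))
    return sorted(findings)
```

Calling `stale_wall_findings(ACL_EXPORT, GROUP_MEMBERS, SCREENS)` on the sample data flags the lateral hire twice: once through a group on the first matter and once through a direct grant on the second, which is the kind of stale ACL the checklist item is after.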
- Draft the high-risk remediation plan
Triggered when the risk assessment scores High. Document each finding, assign an owner, and set a closure date no later than 60 days out. The managing partner reviews progress monthly until findings are cleared.
Vendor and Third-Party Management
- Pull the active vendor and processor list
Include every processor that touches client data: PMS, DMS, eDiscovery, e-signature, court-filing service, transcription, expert witnesses, marketing/CRM, and managed IT. The shadow-IT vendors (file-sharing tools associates picked up themselves) are the ones that bite.
- Verify DPAs and BAAs are current
Every processor needs a Data Processing Agreement; vendors handling PHI (medical records on PI matters) need a BAA under HIPAA. Confirm SCCs are appended for any processor outside the US. Note any vendor whose contract is missing or expired.
- Schedule remediation for non-compliant vendors
For each gap, decide: renegotiate the contract, replace the vendor, or accept the risk with managing-partner sign-off. Set a target close date 30 days out and assign the firm administrator as owner.
Incident Response Readiness
- Review the incident response plan
Walk through the plan with IT, the managing partner, and outside counsel for breach response. Update names and phone numbers — stale escalation contacts are the most common reason a tabletop falls apart.
- Confirm state breach notification timelines
Each state where the firm has clients sets its own clock — many require notice within 30 to 60 days, some sooner if more than a threshold number of residents are affected. Build the matrix once and keep it next to the IR plan.
- Run a tabletop exercise with the response team
Use a realistic scenario — a phishing compromise of a paralegal mailbox containing privileged matter correspondence. Time the response from detection to client notification. Capture any decisions that took longer than they should have.
- Confirm whether a reportable breach occurred
A reportable breach is one that triggered notification under any state law, GDPR, HIPAA, or the firm's contractual obligations. Even contained incidents that did not trigger external notice should be logged.
- Document the breach and notification record
Capture detection timestamp, scope, affected data subjects, notifications sent (regulators, clients, carriers), and corrective actions. Attach the final notice letter and any regulator correspondence. Required for the malpractice carrier's annual disclosure questionnaire.
Compliance Monitoring and Training
- Conduct the internal compliance audit
Sample 10 closed matters and 5 open matters across practice areas. Verify retention policy followed, access logs clean, no unauthorized DMS exports, and no client data in personal email or personal cloud. The firm administrator runs the sample; the managing partner reviews findings.
- Deliver annual privacy training to staff
Cover Rule 1.6 confidentiality, phishing recognition, secure file-sharing, and the breach reporting hotline. Required for all attorneys and staff including contract attorneys and temps. Track completion and follow up individually with anyone who slips past 30 days.
- Sign off on the annual compliance review
Managing partner reviews the assembled findings, remediation plans, training completion, and breach log. Sign-off becomes the artifact provided to the malpractice carrier and to any client requesting a vendor security questionnaire response.