As the clock ticks down to May 25, 2018 and pressure mounts to comply with the EU’s General Data Protection Regulation (GDPR) legislation, I’m sure many in the US ediscovery world are struggling with exactly how the GDPR will impact their data obligations due to the increasingly divergent views between the EU and the US on data privacy.
Taking it back a step further, are you still wondering if you will be affected by the GDPR and its broad regulations? The GDPR was enacted to strengthen and unify the data rights of all EU citizens. But, it directly impacts ediscovery teams outside of the EU due to the strict requirements it places on anyone who collects, manages, and processes data in the EU. This extends to not just data controllers, but also to data processors, clearly covering any data that is processed for purposes of litigation and investigation. In short, the GDPR impacts any corporation, law firm, vendor, or consultant with a presence in, or clients from or in the EU.
Even with the obvious applicability of these GDPR requirements to ediscovery outside of the EU, you may not have had the time to prepare and could be struggling with how to handle regulations that are directly at odds with the US approach to data privacy and retention. According to a survey from Gartner, by the end of 2018, more than 50% of US companies affected by the GDPR will not be in full compliance.
So, are you and your US corporate legal and ediscovery teams prepared? If the answer is “no” or even “maybe,” there’s no time like the present to get yourself acquainted with the GDPR’s broad reach, and move full steam ahead with preparations.
Here are three of the top challenges for US ediscovery teams to consider when preparing for the GDPR:
1. The Right to be Forgotten
The “Right to be Forgotten” provision gives data subjects greater control over their personal data. While in the US, personal data is generally considered to be the property of the data holder, under the GDPR, the EU explicitly designates personal data as the individual’s property. It’s easy to see how this rule presents unique challenges for ediscovery teams as they grapple with conflicting US requirements for collecting and holding data.
Under the Right to be Forgotten rule, all individuals in the EU have the power to request removal or erasure of their data from databases and systems. There are numerous questions to consider as they relate to ediscovery. For example, will the EU take into consideration whether a person is subject to a litigation hold when that person exercises the Right to be Forgotten? What will happen if a US judge responds unfavorably to this type of request because of the conflicting US obligation to preserve potentially relevant data? The answers are still unknown, and being prepared for these types of situations will be a top challenge that may require the creation of new internal ediscovery processes to make sure you’re ready to respond.
2. New Liability for US Data Processors
Under the GDPR, impacted data processors will have direct liability, as opposed to only the data controllers that are subject to direct oversight. The data processor, whether located in the EU or outside the EU, faces obligations including the implementation of appropriate organizational and technical measures with respect to all personal data, and notification to the data controller when a data breach occurs. Among other considerations, processors will likely need to decide whether appointing a designated data protection officer is necessary to maintain compliance.
In addition, law firms or corporations who need to pull data from custodians within the EU will need to understand and comply with the obligations under the GDPR for those data subjects. Vendors and consultants whose reach extends globally are likely to be classified as data processors or even data controllers and will also fall under the GDPR’s definitions. Vendors and consultants will need to not only be compliant themselves, but also knowledgeable enough to advise their clients on data compliance.
3. Transfer of Data to Third Party Countries
The GDPR also imposes strict limitations surrounding the transfer of personal data to third party countries that the EU deems to have inadequate protections of personal data. This makes it more important than ever to know the details behind where all of your data resides. The GDPR mandates that an organization have the ability to identify precisely where data is located, whether it’s in a data center, in the cloud, or held with a third party. A first step in the process may be to create an updated data map and make sure you have the capabilities to quickly find EU custodian data.
It’s important to note that the GDPR includes substantial penalties for non-compliance. Under the new penalty system, controllers face penalties of up to four percent of annual global turnover. For big US companies, especially ones that will likely be designated as controllers rather than simply data processors, those fines threaten to deliver a large blow.
Keeping in mind these specific ediscovery challenges is a good starting point when determining the details of your GDPR compliance plan. With uncertainty and significant penalties looming, it’s critical to understand the GDPR and begin your US compliance efforts now.
If you would like to discuss this topic further or if you have questions, please reach out to firstname.lastname@example.org.