Lighthouse recently held its seventh annual Illuminations Panel Event during Legaltech New York. During the event, leading industry experts discussed the key steps to success in creating a GDPR playbook. This blog will cover a high-level summary of what was discussed in the panel entitled, Creating a GDPR Playbook – Key Steps to Success.
During this session, the panelists began by explaining exactly what GDPR is, to level-set the audience. This starting point ensured that the audience knew not only what GDPR is, but also when it officially takes effect, what falls under the umbrella of GDPR for internal planning purposes, and the key things your organization needs to do or be thinking about to be prepared. The most critical part of the panel was the discussion of long-term strategies that can help ensure your organization stays on top of the requirements at all times. The three panelists provided the audience with tips and techniques for applying these strategies in their organizations.
Key areas on which you should be educated are as follows:
What is GDPR?
Effective May 25, 2018, the General Data Protection Regulation (GDPR) will be the most expansive and comprehensive data privacy legislation to have been enacted in more than 20 years. The GDPR will replace the twenty-two-year-old EU Data Protection Directive presently in place and, like its predecessor, will regulate the collection, storage, use and sharing of “personal data”. The purpose of the GDPR is to harmonize data privacy laws across Europe, to better and more consistently protect the privacy rights of EU citizens, and to promote global commerce. Unlike the current directive, which merely suggests how member countries should regulate data protection, the GDPR – as a regulation – mandates that member countries enact legislation consistent with certain standards. Although member countries are free to interpret certain derogations contained in the regulation, and only time will tell how this plays out in practice, the theory is that there will be more consistency and transparency about how to comply with data protection requirements within the EU.
To whom does it apply?
The GDPR applies to EU companies acting as controllers or processors, regardless of whether the processing takes place in the Union or not. A company can be both, but not with regard to the same data. The GDPR also applies to non-EU companies where the processing activities relate to (1) the offering of goods or services to EU residents (no payment required); or (2) the monitoring of behavior (where that behavior occurs in the EU). It further applies wherever Member State law applies by virtue of public international law.
Why does it matter?
The top three reasons that GDPR should matter to your organization are:
- Penalties: Unlike many existing data protection and privacy laws, the GDPR has teeth – violations of key provisions could result in fines of up to the higher of 20,000,000 EUR or 4% of total worldwide annual turnover. (Although money isn’t all that is at stake.)
- Clear baseline requirements: Although there is a lot of uncertainty around how member countries will address derogations and enforcement, one thing is clear – the GDPR provides a compliance roadmap against which companies will inevitably be evaluated.
- Long-arm jurisdiction: The GDPR applies to any company that controls or processes the personal data of data subjects residing in the EU, regardless of where the data sits, and extends to non-EU companies where the processing activities relate to the sale of goods and services (in the EU) or behavior monitoring (in the EU).
Aside from the requirements above, the GDPR imposes independent liability on third-party processors, including, for example, e-discovery providers. In addition, it imposes a slew of new governance requirements on controllers and processors, including, among others, retaining a data privacy officer, tracking and logging all processing activities, and conducting regular audits and reviews of the process. Companies (and law firms) may wish to consider the following:
- Revisit vendor agreements and inquire about how service providers are complying with the GDPR.
- Revisit the legal bases upon which they rely to process data, including for investigations and litigation matters arising outside the EU (for which an exception does not apply).
- Revisit existing cross-border transfer mechanisms, including those for frequent use cases.
- Incorporate privacy-by-design principles into e-discovery practices, including data minimization. “Collect everything” is not contemplated. Ensure that your IT collection teams work closely with legal and e-discovery teams to scope requests carefully and to qualify the legal basis for each collection.
- Advocate with regulators – Have the right team members lined up to talk to them, and be sure to help guide the conversations. It is beneficial to come to the table with a proposal and metrics around your needs, so that you clearly outline the details at once.
- Be prepared for remediation and risk – It’s important to know what data you have and where it exists. Not having this information mapped out and readily available could put you at higher risk. Having it will also ensure you are not keeping data too long without realizing it. Right now you can begin conducting interviews with business unit leads to understand each unit’s goals, as well as what data exists and where. This will give you a head start on creating a long-term data map and a defensible process in the future.
Key Takeaway: Keeping in mind the top three reasons and all of the key GDPR focus areas above, create a GDPR roadmap and, for litigation, investigations and e-discovery teams, update your processes to include the new GDPR requirements, particularly as they relate to the legal basis for processing, third-party processors, and governance requirements. For teams that frequently process EU data, a comprehensive plan is critical to ensure the continued success of your organization and to facilitate the movement of data to meet legal requirements. Consider updating your e-discovery playbook, or creating one if it does not already exist. Doing so will allow you to:
- Understand and document the current state of your organization – where is your data, how is it stored, how is it collected, what do you need, and what do you perhaps no longer need?
- Create processes and procedures that can be monitored and controlled to continuously protect the personal data your company holds. As one of our panelists noted, “Process is the best defense for anything.”
- Effectively guarantee that your company has a plan to be in full compliance with the GDPR at all times.
- Ensure that you have the basis for an internal compliance program that allows your organization to assess needs and requirements seamlessly, so that updates are made and tracked efficiently.
- Be prepared and lower your risk.
Please reach out to me if you would like to discuss this topic further or have questions at firstname.lastname@example.org.