By Casey Van Veen

Published on Mon, February 5, 2018

Last week, I attended a Lighthouse panel entitled Positioning Yourself as a Trusted Advisor around GDPR at the London NYC hotel during Legaltech NY 2018. This session had, in my opinion, the most relevant and practical information for corporations, law firms, and legal practitioners. The three panelists (Andrew Haslam of Squire Patton Boggs, Robert Owens of Eversheds Sutherland, and Wayne Matus of UBS AG) provided detailed information around the GDPR and presented a checklist for anyone dealing with foreign data. I have done my best to abbreviate their thoughts and add my own two cents below.

The GDPR Checklist

  • Do a data map, now! Understand where your foreign data sources reside. This will save you a fortune down the road. Be proactive instead of reactive.
  • Identify third parties with access/control of your personal data.
  • Take an inventory of the jurisdictions that you can choose from and pick one.
  • Consider whether you are obligated to retain a data privacy officer, and, if so, hire one quickly (as an internal or external resource).
  • Re-evaluate consents. The way the United States thinks of consent via cookies or a quick blurb in a terms of use contract is practically meaningless in the EU. It must be crystal clear what you are going to do with personal data. Have very detailed records to track consent and how you will dispose of it.
  • You must have a lawful purpose to process data. For ediscovery, that requires a re-evaluation of the lawful grounds for preservation, collection, search, review, and production. In addition, you must have an appropriate mechanism for transferring data. These are separate considerations.
  • For data controllers, inform data subjects of their rights with respect to the data.
  • Subject Access Requests are, for US readers, roughly the counterpart of a Freedom of Information Act request, and they are often used as “back-door” discovery/disclosure. Know how to respond and be prepared.
  • Know that every new technology onboarded will require a privacy impact statement.
  • You have 72 hours to respond to a breach. What is your public breach response notification? Be sure to have one prepared.
  • Start training your employees on how to manage EU data and develop a long-term program.
  • In the EU, pick a lead controller. Find the safest geography, spend some time and shop around.
  • Get cyber insurance, now.
  • If you collect data, be incredibly open and transparent with the data owner. Advise what you will and will not do with the data (e.g. “if you buy a light bulb today, we will email you in a year to see if you need a replacement. We will share your information with a third party that sells chandeliers”). The message here has NO ambiguity.

Ensure you have a plan and policy in place so that when regulators move you will be in the know. For more information on this checklist, or to further discuss the challenges of GDPR, please reach out to me at casey.vanveen@discovia.com.

About the Author
Casey Van Veen

Vice President, Sales

Casey has been working with numerous Fortune 500 companies and AM Law 500 firms since 1999. Casey’s portfolio of companies includes technology, manufacturing, consumer goods, freight and logistics, healthcare, banking, gaming, and retail companies. The cumulative experience from these various industries provides him with the ability to develop out-of-the-box solutions to fit his client’s complex needs. His primary role is to advise corporations and law firms about the best practices to reduce risk and costs as well as develop strong ediscovery processes. HSR Second Requests, OIG investigations, complex litigation, patent, ITC, theft of trade secret, and labor and employment matters are all subjects he is well versed in. Casey has been a certified RCSP with kCura/Relativity since 2012. He holds a B.S. from the University of Arizona in Business with an emphasis in Marketing.