I probably don’t need to tell you that data privacy and protection are some of the thorniest topics right now in legal, IT, and records management practices.
Specifically, effective May 25, 2018, the General Data Protection Regulation (GDPR) will harmonize data protection laws in the European Union, replacing most national EU data protection regimes with one set of consistent rules. The impacts of this change will be far and wide, and it’s time e-discovery professionals become well-versed in all things GDPR.
It is an understatement to say that this regulation will have a significant impact on how data is handled across the EU. It is even more of an understatement to say that US companies and law firms will also need to rethink their practices if they engage in cross-border data handling.
“The closest US data protection regulation we have to the EU’s GDPR is HIPAA, which provides data privacy and security provisions for safeguarding medical information,” said Kenneth N. Rashbaum, Partner at Barton LLP and head of Barton’s GDPR Compliance Group. “Just like when HIPAA was enacted, US companies are going to need to look at how they collect data differently. It’s not the organization’s data; it’s the data subject’s data. This will be a significant shift,” explained Rashbaum.
Below are some key parameters and terminology you need to know to be minimally knowledgeable about the language contained in the 99 articles of the new regulation. Study these concepts and be prepared to spot GDPR issues when they arise in your organization or with your clients.
- The GDPR applies to organizations in the US (and elsewhere). Under Article 3, an organization with no establishment in the EU is still subject to the regulation if it processes the personal data of individuals who are in the EU in connection with offering them goods or services (paid or free) or monitoring their behavior. Geography of the server or the company headquarters does not decide the question; the location of the data subject and the purpose of the processing do.
- The definition of “personal data” is broad under the GDPR. Article 4(1) covers any information relating to an identified or identifiable natural person, whether the identification is direct or indirect: a name, an identification number, location data, an online identifier such as an IP address or cookie ID, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. Controllers and processors must implement appropriate technical and organizational measures to protect that data against loss, unauthorized disclosure, or other unlawful processing.
- Data subjects have enhanced rights over their data. Processing is lawful only when it rests on one of the legal bases in Article 6; consent is one such basis, alongside others such as performance of a contract, a legal obligation, or the controller’s legitimate interests, and where consent is relied on it must be freely given, specific, informed, and withdrawable. Data subjects may ask an organization to confirm whether and how their data is being processed and obtain a copy (“right of access”), receive their data in a machine-readable format and move it between service providers (“right to data portability”), and require an organization to erase their personal data under certain circumstances (“right to erasure,” also called the right to be forgotten).
- Organizations need to understand the roles of “controller” and “processor”. The regulation defines two types of organizations. A controller is the entity that determines the purposes and means of processing personal data. A processor is a person or organization that processes personal data on behalf of the controller; “processing” is any operation performed on personal data, including collection, recording, storage, adaptation, retrieval, disclosure, and erasure. Obligations differ by role (Article 28 requires, for example, a written contract between controller and processor), but administrative fines can be imposed on both controllers and processors that fail to implement appropriate controls.
- There are strict data breach requirements. A personal data breach must be reported to the supervisory authority within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and affected data subjects must be notified without undue delay when the breach is likely to result in a high risk to them. Processors must notify their controller without undue delay. Separately, Article 35 requires a data protection impact assessment before starting any processing that is likely to result in a high risk to individuals.
- Expect to see a rise in international companies hiring Data Protection Officers (DPO). Under Article 37, an organization must appoint a DPO if it is a public authority, if its core activities involve regular and systematic monitoring of data subjects on a large scale, or if its core activities involve large-scale processing of special categories of data or data relating to criminal convictions. The DPO acts independently of the controller or processor, reports directly to the highest management level, and may not be penalized or dismissed for performing the role.
The GDPR is not overly prescriptive about how organizations should achieve compliance with the new obligations. Further, it remains to be seen how the national supervisory authorities (coordinated through the European Data Protection Board) will enforce the new restrictions and apply the hefty fines the regulation allows, which reach up to 20 million euros or 4% of worldwide annual turnover, whichever is higher. Much will need to be worked out throughout the year and into 2019.
“What constitutes a reportable data breach; what is a valid data transfer from the EU to the US; how does the right to be forgotten impact preservation obligations in a litigation; how will the relationships between data controllers and processors evolve? These are just a few of the genuine issues that need clarification under the new regime,” noted Sean Foley, Esq., CIPP/E, Project Manager at Los Angeles based e-discovery provider, ProSearch Strategies.
But, whatever happens in the coming months, experts are not advising organizations to take a “wait and see” approach. At a minimum this means organizations, including companies, law firms, and e-discovery providers, need to ensure that the personal data of EU residents is secure, that it can be located and identified on request, and that it can be produced, corrected, or deleted when a data subject exercises a right.
“I have been engaged with a number of clients on GDPR compliance. Organizations need to look closely at what data they are handling, where it is being stored, how it is being protected, with whom it is being shared, and how long it is kept,” said Rashbaum.
Home addresses, photos, email addresses, bank details, social networking posts, medical information, and IP addresses are all personal data, to name just a few examples. Starting this summer, all e-discovery professionals should think twice when they see individualized data in a discovery set, especially if that data originated in Europe. Above all, keep a close watch on the guidance issued by the Article 29 Working Party and its successor, the European Data Protection Board, and on the legal challenges to the regulation that are certain to follow.
“This is an exciting time to be working at the intersection of e-discovery and data privacy,” remarked Foley.