
The GDPR: Teeth, and Considerations for Corporate Legal Counsel and Discovery Teams

By Ryan Costello
May 02, 2017

The struggle is real. With the EU's General Data Protection Regulation (GDPR) set to take effect in May of 2018, the serious implications for corporate legal counsel and e-discovery teams are difficult to deny. Among other aspects of its broad reach, the GDPR extends compliance requirements to both data controllers and “processors,” a distinction that certainly includes e-discovery data processing in the context of litigation and investigations. Complicating matters further, the Regulation affords data subjects the “right to be forgotten,” which gives individuals the right to request erasure or removal of their data from systems and databases, presenting potential new challenges for the collection and hold of data in connection with U.S. discovery requirements.

In addition, the GDPR imposes certain organizational requirements, accountability measures, breach notification requirements and processing system assessments, not to mention specific limitations around the transfer of personal data to third-party countries not deemed to provide adequate personal data protections (here's looking at you, Uncle Sam). And all of this is backed by some serious teeth: a tiered financial penalty regime stretching up to 4% of annual global revenue turnover. That can make for some astronomical numbers, and while it's unlikely that such steep fines will be commonplace, it is clear that there is a concentrated effort on the part of regulators to place a level of seriousness around data protection and privacy compliance that rivals anti-trust considerations. The penalty scheme and steep financial consequences of non-compliance with the GDPR are, without question, an effort to get companies of all stripes to stand up and take notice.

Why Discovery Teams Have Been Slow to Adapt

Despite the applicability of GDPR requirements to the operations of corporate legal and discovery teams, the targeted and narrow data management required by the GDPR remains starkly at odds with the traditional U.S. approach to the discovery process. Data transfers to the U.S. are tied to a seemingly endless wave of uncertainty, following the invalidation of Safe Harbor, questions surrounding the adequacy of the Privacy Shield to protect EU citizens' data, and even a new round of litigation that extends to standard contractual clauses (also called model contracts), a somewhat stable mechanism for cross-border transfer in use by many organizations. Moreover, despite the uniform applicability and harmonization of data protection across the EU inherent in the GDPR, Article 88 of the Regulation allows Member States some wiggle room to mandate additional protections for local data subjects, requiring further advance preparation and awareness on the part of discovery teams. Finally, considering the complications of multijurisdictional data processing and the significantly higher costs of document review “across the Pond,” the incentive to continue to push compliance concerns to the back burner remains extremely high.

Furthermore, as GDPR compliance is not strictly a legal or discovery issue, but also implicates IT, information security, and overall enterprise data management, a lack of clarity around executive-level ownership of GDPR compliance seems to be a driver of further inaction. Early research in 2017 demonstrated a willingness on the part of multinational corporations to prioritize and invest in GDPR compliance, but in one study early this year, fewer than half of those surveyed had advanced their GDPR readiness moving into 2017.

We've Got a Plan: Start by Doing Things

Despite some early reluctance to push for GDPR compliance in the context of e-discovery, the upshot is that an organized approach and planning process will pay off in spades by streamlining international discovery efforts, ensuring the robustness of data collection, shoring up approaches to cross-border data transfers, and gaining insights for early case assessment and information governance efforts. Moreover, the technology tools and know-how already in the hands of e-discovery vendors and teams can be of huge benefit in meeting GDPR compliance obligations.

Of course, it all starts with a plan. Well-defined procedures and policies for personal data processing in line with the GDPR, and tailored to the context of discovery obligations, will afford corporate legal counsel and e-discovery teams the ability to adapt nimbly both to the needs of fast-moving litigation and to the pressure of international regulators. Some of the key considerations for e-discovery teams to keep in mind in the overall context of GDPR compliance include:

Knowing Where Data Is

This seems intuitive, but rigorous data mapping exercises ahead of a discovery obligation will afford both companies and legal teams the opportunity to pinpoint what data is held on which servers in which jurisdictions, and how that data is used in applications, backups and data retention processes. Aside from being an important step in GDPR compliance, data mapping exercises offer an organizational advantage to discovery teams when a litigation or investigatory matter arises, while also providing important insight for determining whether cross-border transfer mechanisms are required, or alternatively whether data should be collected, processed and reviewed in-country.

Taking It Personally

Take early steps to identify and categorize personally identifiable information (PII) that may fall within a data collection. Assessing the scope and depth of PII across various databases and applications is vital, including taking an inside look at how PII is passed through shared platforms, databases and applications. Closely tracking PII is critical to ensuring compliance with the GDPR, as well as with some transfer mechanisms, including the Privacy Shield and often Binding Corporate Rules provisions.

Keeping Data Subjects in the Loop

Keeping data subjects aware of ongoing e-discovery exercises or discovery obligations in play will help ensure that explicit consent and permissions are obtained before data is transferred or processed. An established process of notification for data subjects, often through some combination of targeted data management and procedural oversight, will be important in meeting and maintaining regulatory compliance and organization within the e-discovery exercise.

The PIA (Privacy Impact Assessment)

The privacy impact assessment is required under the GDPR in certain processing situations. By providing essentially a trail of data deletions and transfers, a PIA can be immensely useful for the purposes of discovery, both by demonstrating compliant data transfer and retention and by providing defensible deletion records in the context of e-discovery requirements and obligations. The PIA can also demonstrate how PII in a data set was reduced, eliminated or remediated.

Targeting Proportionality

E-discovery tools, software, applications and technology are already well suited to targeting data in a very specific way. Where potential data sets are large, as may often be the case, processing and filtering can be carried out in-country as an initial step, prior to even considering transfer, review and production requirements. Moving whole data sets into the e-discovery process is not likely to be a feasible approach under GDPR requirements, which call for specific and narrow processing of data for specific purposes. However, minimizing the data for collection in advance can minimize the regulatory burden, while also overlapping with certain e-discovery requirements toward proportionality and a balanced discovery process. And again, there is little need to reinvent the wheel: tools that corporate legal and e-discovery teams already have in place can facilitate this effort.

Conclusion

Despite the regulatory challenges inherent in the GDPR, the approaches to handling international data sets necessitated by the regulation can be adequately handled by most e-discovery teams, using know-how and technology already at their disposal. In fact, with a bit of house cleaning and process re-engineering, the new regulatory compliance requirements can also serve to streamline, enhance and improve existing approaches to international discovery. Advance efforts ahead of that infamous May 2018 deadline can provide numerous benefits going forward and, with any luck, will serve to avoid the sanctions, penalties and harsh bite of GDPR accountability.

*****
Ryan Costello
is the operations manager for eTERA's operations in Europe, providing electronic discovery, document review and technology consulting services across the Electronic Discovery Reference Model. For more information please visit www.eteraconsulting.com.
