The new General Data Protection Regulation (known as GDPR) was agreed upon in Brussels in 2015 and took effect in May, 2018. GDPR addresses the obligation to protect personal data across the EU. Many of its requirements are new and will require significant planning and effort to assure compliance. However, many of the requirements being brought into law under the GDPR are practices that eDiscovery professionals have been advocating for years.
Brexit is No Excuse
Don’t be fooled by Brexit. GDPR will impact UK businesses offering any products or services in the EU market, regardless of whether business data is processed or stored on EU soil, and regardless of whether the UK stays in the EU. For some, there is an erroneous assumption that EU data protection rules will not apply to UK entities when the UK leaves the union. Because the European Union is the biggest trading partner of the UK, UK entities are going to have to be compliant under the GDPR in order to continue doing business with their largest client base.
Anticipation of GDPR has been a dark cloud over many organisations. A number of surveys and posts have described anxiety about the burdens, cost, and effort that effective GDPR compliance will exact. From my point of view as an eDiscovery/eDisclosure provider, the eDiscovery community has a huge head start on GDPR. By definition, we are in the business of identifying, collecting, processing and analyzing data. FRONTEO has innovated in global eDiscovery in Asia, North America and more recently Europe. So, while we also have some internal process changes to prepare for GDPR, we also have a wealth of knowledge and tools to adapt internal processes and comply with the new rules. eDiscovery expertise can, in effect, be the silver lining on the GDPR cloud.
GDPR – Key Changes to Understand
If you are already familiar with the UK Data Protection Act requirements, the transition to GDPR will be perhaps more understandable but not simpler. Here are a few of the differences to be aware of:
Increased Emphasis on Custodian Consent in ESI Collections
Under the GDPR rules, the data subject’s consent means “any freely given specific, informed and explicit indication … by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.” Prior to GDPR, each EU country had its own rules on the form of consent, causing extra effort in rule-checking or corresponding with counsel to assure compliance with local law.
Silver Lining: GDPR provides a single consistent definition of consent across the UK and EU, enabling organisations to develop methods (web app or other electronic forms, perhaps) that will meet compliance requirements across Europe. FRONTEO forensics experts collect custodian data on a regular basis, and have tools that can rapidly identify documents containing personal information such as credit card numbers, licenses, medical records, and more.
Notification Requirements in the Event of Data Breach
This new GDPR requirement calls for organisations, in the event of a data breach, to “notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it”.
Silver Lining: There is a recurring information governance theme running through many elements in the new GDPR regulations. In the process of preparing for GDPR, organisations will realise that some ‘spring cleaning’ of data stores, and updating of internal information governance policies and processes will ease the transition. An effective information governance infrastructure can help reduce data volumes and put controls on storage, management, transfer, tracking and disposal of information, thereby establishing a clean foundation for litigation readiness and GDPR. With the house in order, notification in the event of a data breach is a pre-defined and tested process.
Right of Erasure / Right to be Forgotten
Under the GDPR, the right to erasure, also known as ‘the right to be forgotten’, enables an individual to request the deletion or removal of personal data when there is no compelling reason for its continued processing. A subject may request erasure when the personal data is no longer necessary for the purpose for which it was originally collected/processed, when the individual withdraws consent, or when the individual objects and there is no overriding legitimate interest for continuing the processing.
Silver Lining: eDiscovery professionals are experts at analyzing, classifying and filtering information. For a subject requesting erasure, we can help identify where the data resides and how to defensibly destroy it.
Data Access requests by former employees
Under the UK Data Protection Act, people have a right to obtain personal data held by organisations, such as previous employers. Those requests, called data subject access requests (SARs), must generally be complied with within 40 days. Under GDPR that data must be provided “without undue delay and at the latest within one month”. The new requirement will likely pose a challenge for employers that do not have a strong process for handling SARs.
Silver Lining: eDiscovery providers can use analytics to filter and segregate data in a targeted manner. At FRONTEO we can help clients in the UK in preparing files to support Data Access Requests, and we will likely expand that service across Europe with the enactment of GDPR.
Put an eDiscovery Professional on your GDPR Team
This post is by no means an exhaustive review of GDPR requirements! Watch future posts for a discussion of data security and GDPR, for example. For those who are facing a GDPR readiness project (or are already in the throes of it!), I hope these ideas leave you feeling positive about the challenges ahead, and confident that existing eDiscovery tools and processes can help assure your success complying with GDPR.