The Ultimate Guide to GDPR and Ediscovery
[Editor’s Note: EDRM is proud to amplify the educational offerings of our Trusted Partners.]
What Is the GDPR?
The EU General Data Protection Regulation, or GDPR, established “rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data” to protect “fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.” Before the GDPR, European countries had a hodgepodge of data privacy regulations. The EU enacted the GDPR in 2018 to harmonize and standardize these various laws, creating a single data privacy rule for all the participating nations.
In short, the GDPR provides several broad protections for the personal data of European residents, including the right to access one’s data and the right to have one’s data erased. It requires that companies justify their possession of personal data and carefully control what they do with it. What exactly does this mean, you might be wondering? Here’s some clarification on a few details that are commonly misunderstood when it comes to the GDPR.
First, while the GDPR is loosely referred to as an EU regulation — which it is — it is not limited to the EU in two distinct senses. For one, the GDPR has been adopted by and applies to not only the 28 member nations of the EU but also Iceland, Norway and Liechtenstein, as part of the European Economic Area (EEA). Note that, for now at least, this means that residents of the U.K. will also be covered under the GDPR even after departing the EU, unless and until the U.K. gives notice that it is leaving the EEA. Switzerland, on the other hand, is in neither the EU nor the EEA. Additionally, as already mentioned, the GDPR is broader than the EU in that it applies to businesses anywhere that possess or process the personal data of residents of the participating nations. We’ll discuss what this means in more detail in the next section.
Second, note that the GDPR defines “personal data” quite broadly; an American concept of privacy likely doesn’t cover everything that the GDPR protects. “Personal data” includes “any information relating to an identified or identifiable natural person.” Of course, that definition encompasses a person’s name, any identification numbers, birth date and location information such as physical addresses or IP addresses. But it goes further, also including online identifiers, demographic information and “cultural or social identity” information. Avoid the compliance trap of redacting names and expecting that to suffice under the GDPR. Anything that can be used to identify a specific person — even if it takes a lot of work to figure out — is personal data protected by the GDPR.
Third, you’ve probably noticed that we’ve referred to the personal data of European residents, not citizens. The GDPR actually protects the “personal data of data subjects who are in the Union,” which applies not just to citizens or residents but also to visitors and any natural person who can be found within the participating nations.
How Does the GDPR Extend to Companies in the U.S.?
Under Article 3 of the GDPR, companies that have no physical ties to Europe are still bound by the GDPR if they “process” the personal data of protected residents in relation to either “the offering of goods or services” or the monitoring of data subjects’ behavior. What exactly does “processing” mean, though?
Again, this definition is broader than you’d expect from an American perspective. “Processing” under the GDPR includes “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.” That definition clearly includes collection, recording, structuring, consultation and use of data. But processing isn’t just an active verb: the GDPR sets out further examples of processing that extend to storage, retrieval, restriction and erasure or destruction of data. Finally, processing also includes “disclosure by transmission, dissemination or otherwise making available.”
In other words, if your company has offered goods or services to even one customer in a participating European country and has thereby obtained and done practically anything with that customer’s personal data, you must comply with the GDPR. If you don’t know whether you have such a customer, the safe bet is to analyze and track the data that you do possess to identify any European customers. Here’s the good news: if it turns out that you are subject to the GDPR, you’ll need to identify that personal data and strictly control what you do with it, and simply getting started on the data audit that determines whether you are subject to the GDPR will go a long way toward bringing you into compliance by highlighting the data that you must protect.
How the GDPR Will Affect Ediscovery
Up to this point, we’ve said nothing about traditional principles of U.S. discovery, such as retaining electronically stored information (ESI) in anticipation of litigation or producing relevant ESI to a requesting party. That’s because the GDPR does not contemplate these types of uses or establish any exceptions for them. Therefore, it can often be in conflict with U.S. litigants’ discovery obligations.
To understand why this is and what it means for discovery, let’s step back a moment to consider the key differences between European and U.S. expectations regarding information and privacy.
In Europe, the right to privacy is delineated as a fundamental right under Article 8 of the EU Charter of Fundamental Rights. Prior to the GDPR, that right and the means to protect it had been individually defined by each member country pursuant to the Data Protection Directive, which set a baseline standard. In the U.S., our Constitution protects free speech, but it recognizes no specific right to privacy. Americans expect (and receive) far less in terms of personal data protection and privacy than their European counterparts. This expectation may be changing, however, as more U.S. states adopt privacy regulations that are similar in many ways to the EU’s GDPR (for example, California’s CCPA).
What the U.S. does protect is the right of litigants to receive evidence that is relevant and proportional to their claims and defenses in a court case, wherever that information may be located. European nations have no equivalent, as the right to discovery in most European courts is extremely limited.
How can businesses reconcile these conflicting obligations, then, when the vast majority of discoverable documents, emails and other ESI will contain personally identifiable information that is protected under the GDPR? The immediate answer may be that they cannot comply perfectly with both at once. Remember that under the GDPR’s broad definition of processing, every stage of U.S. discovery, from preservation and collection to analysis, review and production, is considered data processing that must be safeguarded and limited.
For example, a key component of discovery is not just identifying discoverable ESI but actually producing it to an opponent. While the GDPR does provide for cross-border data transfers, personal data can only be transferred to countries whose protections are deemed to be adequate — and the U.S. is not one of those countries. The Privacy Shield program does allow companies that demonstrate their compliance with data protection requirements to transfer data to U.S. locations, but those provisions don’t extend to third-party transfers. Companies therefore can’t transfer discoverable data to a U.S. company under the GDPR and can’t use the Privacy Shield program to transfer that data to opposing parties in litigation.
While this conflict is being resolved, it’s worth considering the penalties for violating the GDPR so you can make an informed decision about how to balance your duties and responsibilities.
Compliance and Penalties
What do you do when you can’t comply perfectly with conflicting laws and you can’t afford to violate either one? Don’t fall into the trap of not acting because you believe that any effort you make is doomed to fail. Instead, design a thorough compliance strategy that will demonstrate your good-faith effort to respect and protect data privacy despite your cross-border discovery obligations. Devise recordkeeping methods that will comply with your GDPR obligations, set up access points for data subjects to obtain, correct or request erasure of their data, vet your data processors and processes thoroughly, beef up your security while creating a breach response plan, and train your staff in all of these new requirements.
In terms of discovery obligations, be mindful of how proportionality limits can minimize your need to produce personal data. Once you have established a legal basis for processing (e.g., your organization’s legitimate interest under Article 6 of the GDPR), take steps to ensure your adherence to privacy expectations as outlined in Article 5 of the GDPR. These include guiding principles of transparency, purpose limitation, data minimization, and accountability. Plan a phased approach to discovery where personal data can remain secure until and unless it is required.
The surest way to run afoul of the GDPR and other privacy regulations is to ignore them, remaining willfully ignorant and blatantly disregarding their mandates.
How to Handle the GDPR for Ediscovery
- Appoint a data protection officer (DPO) and/or a data ombudsman. If your company regularly conducts large-scale monitoring of data subjects, you are probably required to hire a DPO under the GDPR. Even if the GDPR doesn’t mandate a DPO’s appointment, having one knowledgeable person dedicated to managing your GDPR compliance and information security is always a good practice. Depending on how many customers worldwide you collect and process personal data for, and consequently how many data access requests you can expect to receive, you may also benefit from hiring or assigning a consumer data ombudsman. This person can serve as the single point of contact for customer data access, correction and erasure requests as well as complaints.
- Conduct an information audit. To comply with the GDPR — or even know whether it applies to your business — you must have an accurate, up-to-date map of the data you have and where it resides. What personal data do you collect? Where do you get it, and who else has access to it? What do you do with it? How long do you (or must you) keep that information? Arrange a complete data audit of your organization, and keep it up to date. Use this audit to purge outdated information as well.
- Develop a data management plan and ensure that you have a system to record your processing activities. Once you know what data you have, you must develop a system to track your data from creation to destruction. Remember that the GDPR requires data collectors and processors to document their processing activities, which include practically every action related to data. Also be sure to track your legal basis for possessing or processing personal data. The details of what data you are processing, how you process it and why must be written in your contracts.
- Create a response plan for data subject requests. Data subjects have the right to access their information, correct mistakes in their data and request that their data be “forgotten” or erased. Through your data map, you should know what personal data you have and where it is. Develop a plan for verifying the authenticity of access requests and for providing that data on request in a commonly used electronic format that customers will be able to access. Note that you must respond to access requests within one month of the subject’s request. Additionally, create a written policy governing data deletion and be sure that you know who will make decisions about data erasure.
- Review your current privacy notices, statements and policies. Privacy notices, consent forms and contracts should all be reviewed on a regular basis and revised as needed to ensure compliance with evolving privacy requirements. You should disclose in your privacy notice the types of data you may collect, how you will share and use that data and how long you will retain personal data. You must also explain how individuals can make access or erasure requests.
- Create a security breach detection and response plan. Of course, the purpose of the GDPR — and all sound information security practices — is to avoid security breaches in the first place. That said, the best plans can fail, and the GDPR requires that you have procedures in place to promptly detect and report breaches. Determine to whom you will need to report security failures and be prepared to act quickly: companies will have at most 72 hours to report breaches that threaten personal data security, and fines for failing to report in time are assessed on top of fines for allowing the breach to occur at all.
Companies worldwide are subject to data privacy requirements and staggering fines for noncompliance with information security practices, and the GDPR is no different. The worst thing you could do is hide your head in the sand. Taking a few reasonable first steps to assess your data and your information processing policies can quickly advance you toward a good-faith effort and help you avoid compliance traps.