The new EU Global Data Protection Regulation (GDPR) takes effect on May 25, 2018, and organizations that collect, handle, process, or transfer data for or relating to EU citizens or businesses, regardless of where the business is based, are taking steps to become GDPR compliant. Practitioners and their service suppliers who do not take such steps may face severe penalties, including revenue-based fines reaching up to 4 percent of annual global turnover as well as private claims by individuals (akin to class actions) for failing to protect their personal data in compliance with GDPR.
EDRM formed a project team in August 2017 to examine GDPR and develop guidance for becoming GDPR compliant, particularly with an eye toward the regulation’s impact on cross-border discovery. Initially focused on data transfers from Ireland to the U.S., the guidance is aimed at mitigating some of the risk that international litigation teams and e-discovery practitioners face when balancing U.S. discovery obligations against European data privacy laws.
As a first step, the GDPR drafting team analyzed current case law, GDPR provisions, and scholarly interpretations of GDPR terms. The team’s first document, Decoding GDPR, defines critical terminology related to GDPR and was published in Judicature in spring 2018 after it was circulated to the full EDRM membership for comment.
This first document lays the foundation for future efforts, which could include guidance on data transfer and the creation of a formal code of conduct in line with the European Data Protection Board (EDPB), which provides interpretation of the regulations. Future documents will also be posted to this site (see right sidebar).
Join the GDPR Effort
Additional volunteers are encouraged to join the working group. Participation on the EDRM GDPR team is an opportunity to build your own knowledge and experience while helping shape the way our industry transitions its approach to data protection. Email edrm@duke.law.edu to ask questions or to get involved.
Other Resources