GDPR Implications for ediscovery from a legal and technical point of view


Friday. Speakers: Paul Lavery, Partner, McCann FitzGerald (Ireland); Meribeth Banaschik, Partner, Ernst & Young (Germany). mccannfitzgerald.com

Topics
- Introduction
- ediscovery platforms
- ediscovery legal implications of GDPR
- Tactical and technical considerations

What makes GDPR challenging?
The EU General Data Protection Regulation (GDPR) protects personal data that is collected or processed by organizations established in the EU, and by organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU (Article 3). GDPR tightens the current Data Protection Directive (95/46/EC) and makes cross-border ediscovery more complex through the way it regulates how data is collected, processed and reviewed. It will have profound effects on global organizations and their ability to process and transfer data in the context of investigations and litigation. A key aspect of GDPR, the right to erasure ("right to be forgotten", Article 17), also has serious implications for data collection and legal hold. GDPR's potentially significant administrative fines, up to 4% of total worldwide annual turnover or EUR 20 million (whichever is higher), are intended to drive compliance.

ediscovery Legal Implications of GDPR
- The General Data Protection Regulation replaces existing law on 25 May 2018
- Increases obligations on controllers and processors
- An evolution of rights and obligations, but a revolution in the administrative compliance burden and in the sanctions for non-compliance
- Irish Data Protection Bill (national legislation supplementing the Regulation)

Key Data Protection Terminology
- Personal data: relates to identified or identifiable living individuals (anonymised data is out of scope)
- Data: applies to electronic data and to manual data; manual data must form part of a filing system (or be intended to)
- Processing: widely defined; includes any operation performed on data, such as obtaining, recording, keeping, consulting, using, disclosing or giving access to, erasing or destroying it

Main Legal Implications

Fair and Transparent Processing (Articles 5(1)(a), 13 and 14)
The data subject must be made aware:
- that the controller holds personal data about him/her
- of the purposes for which the data is kept
- of disclosures of the data (recipients)
- of certain other details (additional to those required under existing law)
Usually delivered through data protection notices.

Making Processing Legitimate
Duty to legitimise processing (Article 6). Of the Article 6(1) grounds, those relevant here are:
- consent of the data subject
- compliance with a legal obligation to which the controller is subject (as distinct from contractual necessity)
- legitimate interests of the controller or a third party, subject to a balancing test against the interests and rights of the data subject

Special Categories of Data (e.g. health data)
The controller must also satisfy one of the Article 9(2) grounds:
- explicit consent of the data subject
- processing necessary for obtaining legal advice, for legal proceedings, or for the establishment, exercise or defence of legal claims
- processing necessary for reasons of substantial public interest, on the basis of Union or Member State law

Notice and legitimising conditions: potential issues
- Is it reasonably practicable to notify all data subjects?
- Is it possible to satisfy the legitimising conditions?
- Potential basis where processing is required by law: (i) court-ordered discovery or (ii) the parties reach agreement on discovery. Caveat: a "legal obligation" under Article 6(1)(c) must arise under Union or Member State law (Article 6(3)), so an order of a third-country court is not by itself such an obligation; Article 48 recognises a transfer made to comply with a third-country judgment only where it is based on an international agreement such as a mutual legal assistance treaty, without prejudice to the other transfer grounds (for example the legal claims derogation).

Use of a third party service provider
- Where the service provider hosts the data on its platform, it acts as data processor
- Article 28 GDPR requires a contract between controller and processor
- Use only processors providing sufficient guarantees of appropriate technical and organisational security measures
- The contract must include various provisions (more detailed than required under existing law), including:
  - processing only in accordance with the controller's documented instructions
  - security measures
  - confidentiality obligations on staff
  - audits and inspections
  - notification of data security incidents
  - return or deletion of data on expiry of the processing services

Transfers Abroad
- Will the data be hosted outside the EEA, or be subject to remote access from a location outside the EEA? (Remote access from a third country counts as a transfer.)
- Transfer of personal data outside the European Economic Area (the EU plus Iceland, Norway and Liechtenstein) is prohibited unless the recipient country ensures an adequate level of protection
- Countries found to have adequate protection at the time of the presentation: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay

Transfers Abroad (cont'd)
The prohibition will not apply, amongst other things, if:
- the data subject has explicitly consented (Article 49(1)(a)); impractical in an ediscovery setting
- the transfer is necessary for the purpose of obtaining legal advice or for legal proceedings, i.e. the establishment, exercise or defence of legal claims (Article 49(1)(e))
- a data transfer agreement in the form approved by the European Commission (standard contractual clauses, Article 46(2)(c)) is in place; the main option
- the recipient is certified under the EU-US Privacy Shield (transfers to the United States). Note: the Privacy Shield was later invalidated by the Court of Justice of the EU in Schrems II (Case C-311/18, 16 July 2020), so it is no longer available as a transfer mechanism.

Data Security (Article 32)
- Appropriate technical and organisational measures must be taken against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data
- Taking into account the state of the art, the cost of implementation, and the likelihood and severity of the risk to the rights and freedoms of data subjects that would result from such an incident
- Potential measures: pseudonymisation and encryption; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore availability of and access to personal data in a timely manner after an incident; regular testing and evaluation of the effectiveness of the security measures
- Access solely on a need-to-know basis

Other relevant GDPR Obligations
Data minimisation (Article 5(1)(c)):
- Personal data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed
- Keep only the minimum amount of personal data needed for the purpose for which it is being processed
- Avoid collecting or keeping irrelevant or excessive data
- Will the system and search criteria used to collate data be sufficiently developed to ensure that only data which is relevant, proportionate and not excessive is collected?

Record Retention/Deletion and Anonymisation (storage limitation, Article 5(1)(e))
- Obligation not to keep personal data for any longer than is necessary for the purposes of the processing
- Delete (or anonymise) the data once hosting on the ediscovery platform is no longer required

Other potential considerations
- Subject access rights
- Right to erasure (right to be forgotten)
- Data Protection Impact Assessment (privacy impact assessment) prior to deciding on the ediscovery platform?

Privacy Impact Assessments (Data Protection Impact Assessment, Article 35)
- Description of the envisaged processing operations and the purposes of the processing
- What personal data will be required?
- Consider the applicable data protection obligations and how to comply with them
- Is all of the personal data required?
- Is there a potential impact on privacy (a risk to the rights and freedoms of data subjects)?
- What measures can be taken to address those risks and further protect privacy?

Tactical considerations
A concerted effort combining good information governance hygiene, insight gained through early case assessment, streamlined procedures and processes, and the use of technology can ease the pain of GDPR compliance in carrying out international discovery efforts. Some tactical considerations that can help you manage the new challenges and complexities brought by GDPR are:
(1) Update or develop your discovery protocols to incorporate new procedures or controls that help manage compliance with GDPR. Consider working with privacy counsel to develop standard collection, processing and review protocols, so that you have consistent procedures that fit the majority of your discovery needs.
(2) Perform a data mapping exercise to understand your data, if you have not already done so. Understanding your data is not only important for proactive GDPR compliance; it also enables your legal teams to respond quickly to investigation and litigation matters.

Tactical considerations (cont'd)
(3) Whenever possible, collect, filter and review data in the local country, and cull the data set down to only the most responsive material before it moves.
(4) Embed steps to identify and categorize personal data during data collection. This information will help you assess the impact of GDPR on the discovery effort.
(5) Assess the scope of personal data during early case assessment. Understanding the impact early helps you anticipate the challenges ahead and plan your production schedule accordingly.
(6) Develop a phased production schedule based on the data's risk profile and relevance to the matter. Begin with the most relevant data that carries the least risk, such as public data or data not subject to GDPR. In doing so you limit the production of personal data, adding it only as needed in subsequent production phases.
(7) Anonymize or pseudonymize personal information that is subject to the data transfer rules of GDPR. Many off-the-shelf technologies can be learned and applied quickly. Note that pseudonymised data is still personal data (Recital 26); only genuinely anonymised data falls outside GDPR.
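To make item (7) concrete, together with the pseudonymisation and need-to-know controls from the Data Security slide and the personal-data categorisation in items (4) and (5), here is an added Python example. It is not part of the presentation and is not the code of any ediscovery product; the documents, custodian list and identifier patterns are constructed sample data, and the key-handling arrangement (key and re-identification table held by the EU-side team, never shipped with the review set) is an assumption about how the workflow would be run. Each identifier is replaced by a keyed HMAC-SHA256 token, so reviewers outside the EEA can still see that two documents concern the same person without learning who that person is, and a document is refused for release if any identifier the detectors know about survives.

```python
"""Pseudonymise personal identifiers in an ediscovery review set before transfer.

Added example (not from the presentation). Tokens are HMAC-SHA256 under a key
held only by the EU-side team, so: same identity -> same token across documents
(threads stay reviewable abroad), while the key and the token -> identity table
stay with the controller. Without the key a token cannot be reversed or tested
against a list of candidate names, which a plain unkeyed hash would permit.
"""
import hashlib
import hmac
import re
import secrets

# Constructed sample review set: a few e-mails as they might come off a collection.
DOCUMENTS = {
    "DOC-0001": ("From: anna.schmidt@example.de\nTo: legal@example.com\n"
                 "Anna Schmidt asked about the Q3 supply contract. Call her on +49 30 1234567."),
    "DOC-0002": ("From: legal@example.com\nTo: anna.schmidt@example.de\n"
                 "Thanks Anna Schmidt, Piotr Nowak will review the draft this week."),
    "DOC-0003": "Board minutes: Q3 revenue up 4 percent. Contract approved.",
}

# Custodians / known data subjects supplied by the legal team (constructed list).
CUSTODIANS = ["Anna Schmidt", "Piotr Nowak"]

# Detectors for the identifier categories handled here. Pattern matching is a
# floor, not a ceiling: it will not find a first name on its own or an ID number
# in an unexpected format, so human review of the output is still required.
# Role mailboxes such as legal@ are tokenised too; being conservative is cheap.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+\d[\d\s-]{6,}\d")


def make_token(key: bytes, category: str, value: str) -> str:
    """Deterministic keyed token. Case and whitespace are normalised so that
    'Anna Schmidt' and 'anna  schmidt' collapse to one token."""
    normalised = " ".join(value.lower().split())
    digest = hmac.new(key, f"{category}:{normalised}".encode(), hashlib.sha256).hexdigest()
    return f"[{category}-{digest[:12]}]"


def pseudonymise_document(text: str, custodians, key: bytes, mapping: dict) -> tuple[str, dict]:
    """Replace e-mail addresses, phone numbers and listed custodian names.
    Records token -> original in `mapping` (stays in the EU) and returns the
    rewritten text plus per-category hit counts for early case assessment."""
    counts = {"EMAIL": 0, "PHONE": 0, "NAME": 0}

    def sub(category, pattern):
        nonlocal text

        def repl(match):
            counts[category] += 1
            tok = make_token(key, category, match.group(0))
            mapping[tok] = match.group(0)
            return tok

        text = pattern.sub(repl, text)

    sub("EMAIL", EMAIL_RE)
    sub("PHONE", PHONE_RE)
    for name in custodians:
        sub("NAME", re.compile(re.escape(name), re.IGNORECASE))
    return text, counts


def contains_raw_identifiers(text: str, custodians) -> bool:
    """Pre-transfer gate: True if anything the detectors know about survived."""
    if EMAIL_RE.search(text) or PHONE_RE.search(text):
        return True
    lowered = text.lower()
    return any(name.lower() in lowered for name in custodians)


def pseudonymise_review_set(docs: dict, custodians, key: bytes):
    """Returns (transferable documents, EU-held re-identification table, ECA report)."""
    mapping: dict = {}
    out, report = {}, {}
    for doc_id, text in docs.items():
        new_text, counts = pseudonymise_document(text, custodians, key, mapping)
        if contains_raw_identifiers(new_text, custodians):
            raise ValueError(f"{doc_id}: a raw identifier survived pseudonymisation")
        out[doc_id] = new_text
        report[doc_id] = counts
    return out, mapping, report


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and stored EU-side; never shipped with the data
    released, table, report = pseudonymise_review_set(DOCUMENTS, CUSTODIANS, key)
    for doc_id, text in released.items():
        print(doc_id, report[doc_id])
        print(text, "\n")
    print(f"{len(table)} identities held in the EU-side re-identification table")
```

The per-document counts are the "scope of personal data" figure item (5) asks for, and the released set plus a standard contractual clauses agreement is what leaves the EEA; the table and key stay behind so that a reviewer who needs to re-identify a custodian must come back to the EU-side team, which keeps access on a need-to-know basis. The output is pseudonymised, not anonymised: the tokens are still personal data in the hands of anyone who can obtain the key, so GDPR continues to apply to the released set.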

Questions?