GDPR Implications for ediscovery from a legal and technical point of view
Friday
Paul Lavery, Partner, McCann FitzGerald Ireland
Meribeth Banaschik, Partner, Ernst & Young Germany
mccannfitzgerald.com

Topics
- Introduction
- ediscovery Platforms
- ediscovery Legal Implications of GDPR
- Tactical and technical considerations

What makes GDPR challenging?
The EU General Data Protection Regulation (GDPR) protects personal data that is collected or processed by organizations established in the EU or soliciting business from EU residents. GDPR will tighten the current Data Privacy Directive and make cross-border ediscovery more complex by the way it regulates how data is collected, processed and reviewed. GDPR will have profound effects on global organizations and their ability to process and transfer data in the context of investigation and litigation. A key aspect of GDPR, the right to be forgotten, also spells out serious implications for data collection and hold. GDPR's potentially significant penalties (up to 4% of total global revenues or 20 million euro, whichever is greater) are intended to increase compliance.

ediscovery Legal Implications of GDPR
- General Data Protection Regulation replaces existing law on 25 May 2018
- Increases obligations on controllers and processors
- An evolution of rights and obligations, but a revolution in respect of the administrative compliance burden and sanctions for non-compliance
- Irish Data Protection Bill

Key Data Protection Terminology
- Personal data: relates to identifiable living individuals (not anonymised data)
- Data: applies to electronic data and manual data
- Manual data: must form part of a relevant filing system
- Processing: widely defined; includes any obtaining, recording, keeping, consulting, using, disclosing (including granting access to), erasing or destruction of data

Main Legal Implications
Fair and Transparent Processing (Articles 5(1)(a), 13 and 14)
Data subject must be made aware of:
- Controller holds personal information about him/her
- Purposes for which information is kept
- Disclosures of data
- Certain other details (additional to those required under existing law)
- Data protection notices

Making Processing Legitimate
Duty to legitimise processing (Article 6); justify on one of the following grounds:
- consent of data subject
- legal obligation (non-contractual)
- legitimate interests

Special Categories of Data (e.g. health data)
Controller must satisfy one of the following grounds (Article 9):
- explicit consent of data subject
- obtaining legal advice/legal proceedings, or the establishment, exercise or defence of legal claims
- processing necessary for reasons of substantial public interest on the basis of Union or member state law

Notice and legitimising conditions: potential issues
- Is it reasonably practicable to notify all data subjects?
- Is it possible to satisfy the legitimising conditions?
- Potential exemption where processing is required by law: (i) court-ordered discovery or (ii) parties reach agreement on discovery

Use of third party service provider
- Where the service provider hosts the data on its platform, it acts as data processor
- Requirement under Article 28, GDPR to have a contract between controller and processor
- Use only processors providing sufficient security guarantees
- Requirement to have a contract with the processor which includes various provisions (more detailed than required under existing law), including:
  - processing in accordance with instructions
  - security measures
  - confidentiality obligations
  - audits and inspections
  - notification of data security incidents
  - return or deletion of data on expiry of processing services

Transfers Abroad
- Will data be hosted outside the EEA or subject to remote access from a location outside the EEA?
- Prohibition on transfer of personal data outside the European Economic Area (EU, Iceland, Norway and Liechtenstein) unless the recipient country ensures adequate protection
- Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay found to have adequate protection

Transfers Abroad (cont'd)
Prohibition will not apply, amongst other things, if:
- data subject consent (impractical)
- transfer necessary for the purpose of obtaining legal advice or for legal proceedings
- data transfer agreement, in the form approved by the European Commission (main option)
- Privacy Shield (if transfer is to the United States)

Data Security
- Appropriate security measures must be taken against unauthorised access to, alteration, disclosure or destruction of personal data, having regard to:
  - the state of the art and the cost of implementing security measures
  - the severity of the risk to the rights and freedoms of data subjects that might result from unauthorised disclosure
- Potential measures: pseudonymisation, encryption, ability to ensure confidentiality of systems, ability to restore availability and access to personal data, regular testing of security measures
- Access solely on a need-to-know basis

Other relevant GDPR Obligations
Data Minimisation (Article 5(1)(c)): data should be adequate, relevant and not excessive
- Keep only the minimum amount of personal data needed for the purpose for which it is being processed
- Avoid keeping irrelevant or excessive data
- Will the system and search criteria for collating data be sufficiently developed to ensure that only data which is relevant, proportionate and not excessive is collected?

Record Retention/Deletion and Anonymisation
- Obligation not to keep personal data for any longer than is necessary
- Deletion when hosting on the ediscovery platform is no longer required

Other potential considerations
- Subject access rights
- Right to be forgotten
- Privacy Impact Assessment prior to deciding on the ediscovery platform?

Privacy Impact Assessments
- Description of envisaged processing operations and purposes of processing?
- What personal data will be required?
- Consider data protection obligations and how to comply with such obligations
- Is all of the personal data required?
- Is there a potential impact on privacy?
- What measures can be taken to further protect privacy?

Tactical considerations
A concerted effort, applying good information governance hygiene, gaining insight via early case assessment, streamlining procedures and processes and utilizing technologies, can help ease the pain of GDPR compliance in carrying out international discovery efforts. Some tactical considerations that can help you manage the new challenges and complexities brought by GDPR are:
(1) Update or develop your discovery protocols to incorporate new procedures or controls to help manage compliance with GDPR. Consider working with privacy counsel to develop standard collection, processing and review protocols so that you have consistent procedures that fit the majority of your discovery needs.
(2) Perform a data mapping exercise to understand your data, if you haven't done so. Understanding your data is not only important for proactive GDPR compliance; it also enables your legal teams to respond quickly to investigation and litigation matters.

Tactical considerations (cont'd)
(3) Whenever possible, collect, filter and review data in the local country and cull the data set to only the most responsive material.
(4) Embed steps to identify and categorize personal data during data collection. This information will help you assess the impact of GDPR on the discovery effort.
(5) Assess the scope of personal data during early case assessment. An early understanding of the impact will help you anticipate the challenges ahead and plan your production schedule accordingly.
(6) Develop a phased production schedule ordered by the data's risk profile and relevance to the matter. Begin with the most relevant data carrying the least risk, such as public data or data not subject to GDPR. In doing so, you can limit the production of personal data by adding it only as needed in subsequent production phases.
(7) Anonymize or pseudonymize personal information that is subject to the data transfer clauses of GDPR. There are many off-the-shelf technologies that can be quickly learned and applied.

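The Data Security slide lists pseudonymisation among the protective measures, and item (7) above recommends anonymizing or pseudonymizing personal information before it falls under the transfer rules. The following is an added example, not part of the presentation and not code from either speaker's firm, showing the practical difference between the two treatments on a document set: pseudonymisation replaces each identifier with a keyed HMAC token, so reviewers outside the EEA can still see that the same person recurs across documents, while the key and the token-to-identity lookup table stay with the controller; anonymisation simply removes the identifier and keeps nothing that links back. The sample e-mail, the custodian list, the `Pseudonymiser` class and the regular expressions are constructed for illustration; a real collection would extend the patterns to phone numbers, staff IDs and whatever else the data map identifies.

```python
"""Pseudonymise vs. anonymise personal identifiers in an ediscovery document set.

Added example (not from the presentation). The HMAC key and the lookup table
are the controller's re-identification means and must stay in the EEA; only
the tokenised text is transferred to the review platform.
"""
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Optional

# Illustrative pattern for e-mail addresses; extend for other identifier types.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class Pseudonymiser:
    """Replace identifiers with keyed tokens; keep the re-identification table locally."""

    def __init__(self, key: bytes) -> None:
        self._key = key                      # never leaves the controller's environment
        self._lookup: Dict[str, str] = {}    # token -> normalised identifier (kept locally)

    def token(self, identifier: str) -> str:
        """Deterministic token: same key and same (case-folded) value give the same token,
        so a custodian stays linkable across documents without being named."""
        norm = identifier.strip().lower()
        digest = hmac.new(self._key, norm.encode("utf-8"), hashlib.sha256).hexdigest()
        tok = f"PSEUDO_{digest[:16]}"
        self._lookup[tok] = norm
        return tok

    def pseudonymise(self, text: str, names: List[str]) -> str:
        """Tokenise e-mail addresses and the custodian names supplied from the data map."""
        out = EMAIL_RE.sub(lambda m: self.token(m.group(0)), text)
        for name in names:
            # Word boundaries stop a short name matching inside an already emitted hex token.
            pattern = re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
            out = pattern.sub(lambda m: self.token(m.group(0)), out)
        return out

    def reidentify(self, tok: str) -> Optional[str]:
        """Controller-side reversal; impossible without the locally held lookup table."""
        return self._lookup.get(tok)


def anonymise(text: str, names: List[str]) -> str:
    """Irreversible alternative: identifiers are removed and no lookup table is kept."""
    out = EMAIL_RE.sub("[REDACTED]", text)
    for name in names:
        out = re.sub(r"\b" + re.escape(name) + r"\b", "[REDACTED]", out, flags=re.IGNORECASE)
    return out


# Constructed sample document and custodian list (not real data).
SAMPLE_DOC = (
    "From: anna.murphy@example.com\n"
    "To: legal@example.com\n"
    "Anna Murphy approved the transfer; ANNA MURPHY will sign tomorrow.\n"
)
SAMPLE_NAMES = ["Anna Murphy"]


def demo() -> Dict[str, str]:
    """Run both treatments on the sample and return the results for inspection."""
    key = secrets.token_bytes(32)            # generated per matter; stored with the controller
    p = Pseudonymiser(key)
    return {
        "pseudonymised": p.pseudonymise(SAMPLE_DOC, SAMPLE_NAMES),
        "anonymised": anonymise(SAMPLE_DOC, SAMPLE_NAMES),
    }


if __name__ == "__main__":
    for label, body in demo().items():
        print(f"--- {label} ---\n{body}")
```

In the pseudonymised output both spellings of the custodian's name collapse to one token and her address to another, which is what lets a reviewer follow a thread without seeing who is in it; in the anonymised output that linkage is gone along with the identifiers. Which treatment is appropriate depends on whether the matter later needs re-identification, and the lookup table should be treated as personal data in its own right with the retention and deletion obligations discussed above.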
Questions?