eDiscovery Daily Blog
eDiscovery and the GDPR: Ready or Not, Here it Comes, Part Four: eDiscovery Best Practices
Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems. He has also been a great addition to our webinar program, participating with me on several recent webinars, including our webinar last Friday on E-Discovery Day (Murphy’s eDiscovery Law – How to Keep What Could Go Wrong From Going Wrong), which was great. If you missed it, you can check out the replay here. Now, Tom has written a terrific informational overview on Europe’s General Data Protection Regulation (GDPR) titled eDiscovery and the GDPR: Ready or Not, Here it Comes. Enjoy! – Doug
Part Four: Now That I Understand The GDPR, What Do I Do?
In preparing for GDPR, all companies should start by doing the following:
Determine Their Role Under the GDPR: Any organization that decides on why and how personal data is processed is essentially a “data controller”, regardless of geographic location.
Appoint a Data Protection Officer: This is especially critical if the organization is a public body or is doing regular large-scale processing.
Prepare for Data Subjects Exercising Their Rights: These include the right to data portability and the right to be informed as well as the right to be forgotten.
And then, companies should continue by taking the following steps:
- Build a data map
- Identify all privacy-related data
- Analyze all privacy-related data
- Conform all data handling practices to GDPR standards
- Ensure compliance policies and procedures meet GDPR standards
- Secure all systems against data theft
- Obtain ISO 27001 Certification
- Hire a Consumer Data Ombudsman specifically for dealing with requests and complaints from data subjects.
This new GDPR regulatory framework will be the strictest privacy doctrine in the world and appears to be on a collision course with some US based discovery rules.
Bart Willemsen, research director at Gartner, recently commented that, “The GDPR will affect not only EU-based organizations, but many data controllers and processors around the globe and with the renewed focus on individual data subjects and the threat of fines of up to €20 million or 4% of annual global turnover for breaching GDPR, organizations have little choice but to re-evaluate measures to safely process personal data.”
Despite this warning and even though many organizations have been monitoring and preparing for the GDPR during the past few years of negotiation, more than a few have not. Gartner predicts that on May 28 of next year, more than half of companies affected by the GDPR will not comply fully with its requirements.
So immediate preparation is essential. Keep in mind that the goal of the GDPR is not to punish business entities but rather the public policy purpose of ensuring that companies and public bodies increase their ability to detect and deter breaches.
Fines are designed to be proportional to the effort by companies to comply with the new regulations and will focus on those which systematically either fail to comply with the law or disregard it altogether. They can be avoided by companies which are transparent in their policies and procedures, make a good faith effort to develop that transparency and report any data breaches swiftly.
Prepare now to put into place policies and procedures for both compliance and reporting, especially if you have multiple business locations and/or handle data from inside the EU. Various consulting firms and trusted advisors such as CloudNine can help provide guidance but don’t delay. Remember that given the Gartner figures above, organizations in compliance with the GDPR may find themselves have a true competitive differentiator on May 25, 2018.
So, what do you think? Are you ready for the GDPR? Read more about this important event in this overview and see how it may impact you and your organization. And, as always, please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.
CloudNine empowers legal, information technology, and business professionals with eDiscovery automation software and professional services that simplify litigation, investigations, and audits for law firms and corporations.