eDiscovery Daily Blog

Think That Your Firm Isn’t Subject to GDPR? You May Be Wrong About That: eDiscovery Trends

We’re getting closer and closer to the implementation of the General Data Protection Regulation (GDPR) standard designed to strengthen and unify data protection for all individuals within the European Union (EU).  It goes into effect in about eight months (May 25th of next year, to be exact).  Do you think GDPR doesn’t apply to your firm?  You may be wrong about that.

This JD Supra article (GDPR Applies to US Firms, written by Stanislaw Kastory)* discusses instances where GDPR can apply to firms and companies that are not established in the European Union.  According to the author, the GDPR applies to processing of personal data of data subjects who come from the European Union, by a controller or processing entity not established in the European Union if the processing activities relate to:

  a) the offering of goods or services to such data subjects in the European Union and
  b) the monitoring of their behaviour. (or “behavior”, depending on who’s reading it) – :o)

Oh, behave!

Here are examples of US companies that may be subject to GDPR requirements:

  • A US insurance company not based in the EU will be subject to the GDPR (and all the requirements thereunder) if it offers its insurance products to entities in EU countries.
  • The new GDPR will also apply to all companies offering “suggestions” used for example on YouTube, Instagram or Spotify. Suggestions that you may like someone’s profile or music are based on processing of personal data. If a US company makes such suggestions to EU citizens, it will automatically fall under the ambit of the GDPR.
  • Even if you’re just a local whisky producer in Kentucky and you send 10 bottles to a client in France, you’re still subject to the rules of GDPR.

So, it’s not just cloud providers: it impacts any organization that might have a market of customers in the EU.  According to the article, more than 50% of US companies will be required to implement the GDPR requirements, including having to process personal data in compliance with the EU regulation. They will therefore be directly required to ensure they have the appropriate legal basis for data processing, to meet the requirement of informing data subjects, and to implement new procedures and documents under the GDPR.

Fines can reach up to EUR 20,000,000 or 4% of global turnover, so failing to comply could be costly.  For those that are fined at some level, I’ll bet the “GD” in GDPR may no longer stand for “General Data”.  :o)  Anyway, it’s clear that GDPR will be a big topic of discussion in our industry in the coming months and I expect that we’ll have quite a bit more coverage of it during that time.

BTW, just a reminder that, on Wednesday, August 30 at noon CST (1:00pm EST, 10:00am PST), CloudNine will conduct the webcast On Premise or Off Premise? A Look at Security Approaches to eDiscovery.  This one-hour webcast will discuss different on-premise and off-premise eDiscovery solution options and considerations for each. I’ll be presenting the webcast, along with eDiscovery thought leader Tom O’Connor.  To register for it, click here.

So, what do you think?  Is your organization preparing for GDPR?  Please share any comments you might have or if you’d like to know more about a particular topic.

*Hat tip to Rob Robinson’s Complex Discovery site for the tip on the article.  Here are two other articles he has covered in just the past two weeks on the topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.