Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems. He has also been a great addition to our webinar program, participating with me on several recent webinars, including our webinar last Friday on E-Discovery Day (Murphy’s eDiscovery Law – How to Keep What Could Go Wrong From Going Wrong), which was great. If you missed it, you can check out the replay here. Now, Tom has written a terrific informational overview on Europe’s General Data Protection Regulation (GDPR) titled eDiscovery and the GDPR: Ready or Not, Here it Comes. Enjoy! – Doug
Tom’s overview is split into four parts, so we’ll cover each part separately. Part One was Monday, Here’s the second part.
Part Two: GDPR Definitions and Changes
A DEFINITIONAL BASELINE FOR GDPR
The first and overriding concept to be understood in dealing with the GDPR is how the regulation defines personal and sensitive data and then to determine how those definitions relate to data held by your organization. Once you understand those concepts, you can proceed to pinpoint where any data meeting the definitions is created managed and stored.
The GDPR considers personal data to be any information related to an identifiable natural person and calls such a person a “data subject.” That can include both direct identification such as a name or indirect identification which clearly points to a specific person. This includes online identifiers such as IP addresses and location data such as a mobile device ID or position, which the EU Data Protection Directive had previously been vague about.
Examples of information relating to an identifiable person include:
- Identification number such as SSN, INSEE code, Codice fiscal, DNI, etc.
- Location data such as home address)
- Online identifier such as e-mail address, screen names, IP address, etc.
- Genetic data such as biological samples or DNA, including gene sequence
- Biometric data such as fingerprints or facial recognition
- Health data
- Data concerning a person’s sex life or sexual orientation
There is also a general category which includes data which may reveal:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
All such sensitive personal data is afforded enhanced protections under the GDPR and generally requires an individual’s explicit consent where such data is retained or used.
Other pertinent definitions include:
Consent: Data controllers must be able to show data subjects gave consent for the handling of their data, and the consent must be obtained with clear and plain language.
Controller: A controller alone or jointly with others, determines the purposes and means of the processing of personal data whether on-premises or while using a third-party cloud provider’s IT technology. A controller is directly responsible for responding to data subject requests under the GDPR.
Data Breach Notification: Data breach notifications must be given to the applicable supervisory authority within 72 hours of a data breach where feasible and where the breach is likely to “result in a risk to the rights and freedoms” of individuals.
Data Protection Officers: Companies must appoint data protection officers (DPOs). Initially, the DPO requirement was limited to companies of more than 250 employees, but the final version of the GDPR contains no such restriction. However, although almost all public organizations must have a DPO, only private organizations conducting regular monitoring of data subjects or processing conviction information must appoint a DPO.
Among the DPO’s responsibilities are advising controllers and processors of GDPR requirements and monitoring compliance.
Fines: GDPR violations can result in substantial fines of up to 4 percent of annual revenue or 20 million Euro, whichever is greater.
Processor: A “processor” processes personal data on behalf of a controller (e.g., Microsoft is a processor with respect to personal data that its commercial customers collect and Microsoft processes on their behalf through solutions like Office 365.)
A processor must ensure that its commercial customers (who are the controllers) are using a trusted platform and have the capabilities needed to respond to data subject requests under the GDPR.
Right to Access: The GDPR also gives data subjects greater access to their data, requiring controllers to confirm to subjects whether, where, and for what purpose their data are being processed. In addition, controllers must provide data subjects electronic copies of their data free of charge.
Right to Erasure: Known formerly as the “right to be forgotten,” these provisions give data subjects the right to have information about them “erased.” The data may not be disseminated, but there is a balancing test between the individual’s rights and the public interest in the data.
IMPORTANT CHANGES AND ORGANIZATIONAL IMPACT
Among the key new elements of the GDPR are the following practical results:
- Requirement that an organization have absolute knowledge of where all EU personal data is stored across the enterprise, and be able to remove it when required;
- Significant penalties for non-compliance including substantial fines that are applicable whether an organization has intentionally or inadvertently failed to comply;
- Changes to eDiscovery practice in the US.
DATA EXISTENCE AND GDPR COMPLIANCE
The GDPR requires that an organization have absolute knowledge of where all EU personal data is stored across the enterprise, and be able to remove it when required. Specifically, organizations must have in place procedures to ensure the personal data of EU residents is secure, accessible, and can be identified upon request.
Balance these requirements against recent IDG research which suggests that approximately 70% of information stored by companies is “dark data” in a distributed, unstructured format. If that figure is accurate, the new requirement will pose substantial legal risks.
To achieve GDPR compliance, organizations will need to develop explicit policies for handling personal information. This will need to include:
- Enterprise-wide Data Inventory: Identify the presence of personal data in all locations
- Data Minimization: Retain as little personal data on EU subjects as possible.
- Enforcement of Right to Be Forgotten: An individual’s personal data must be identified and deleted on request.
- Effective Response Time: The ability to conduct enterprise-wide searches and report on the extent of any data breach within seventy-two (72) hours.
- Accountability: Ability to create audit trails for all personal data identification requests.
Finally, and equally important, the company must be able to show that these policies are being enforced and followed throughout the enterprise. Failure in any of these areas will now lead to heavy fines.
FINES: THE POTENTIAL COST OF NON-COMPLIANCE
One of the biggest changes coming with the GDPR is the increase in fines for violations. Previously, under the Directive, each member state was free to adopt laws in accordance with the principles laid out in the Directive, which meant that there were differences in the way each member country implemented and enforced the Directive.
But the GDPR is a regulation that applies to all member states of the EU and as such provides a new uniform regulatory framework. This model is designed to provide a uniform, cross-EU enforcement model that still provides individual member states flexibility on matters that pertain only to their own data subjects.
Under this new framework, a member state’s supervisory authority will operate in one of these ways:
- Lead Supervisory Authority: will act as the lead for the controllers and processors whose main establishments are located in its member state.
- Local Authority: may deal with complaints or infringements that only affect data subjects in its member state.
- Concerned Authorities: will cooperate with the lead supervisory authority when data subjects in their member state are affected.
Article 58 of the GDPR provides these supervisory authorities with the power to impose administrative fines under Article 83 based on several factors, including:
- How the regulator was told about the infringement
- Types of data involved
- Duration of the infringement
- Whether the infringement was intentional or negligent
- Policies and procedures deployed by the company
- Prior infringements by the controller or processor
- Degree of cooperation with the regulator
How is the fine calculated? There is a tiered approach with technical issues being separated from actual records management. Non-compliance on technical measures such as impact assessments, breach notifications and certifications can lead to a fine up to an amount that is the GREATER of €10 million or 2% of global annual revenue. If the breach involves key provisions of the GDPR (processing personal data, infringement of the rights of data subjects or transfer of personal data to third countries or international organizations that do not meet GDPR standards) the fine can be an amount that is up to the GREATER of €20 million or 4% of global annual turnover in the prior year. Finally, it is important to note that these rules apply to both controllers and processors which means ‘clouds’ will not be exempt from GDPR enforcement.
In part one and part two of this series, we have established a baseline for understanding the intent and impact of the GDPR. On Friday, in part three, we will look directly at the impact of the GDPR on eDiscovery.
So, what do you think? Are you ready for the GDPR? Read more about this important event in this overview and see how it may impact you and your organization. And, as always, please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.