Law firms have grappled for quite some time with the Gordian Knot that is the intersection of data protection laws and disclosure in all its forms. As the data privacy laws become more nuanced, and data breach becomes distressingly more commonplace, the advent of the GDPR (General Data Protection Regulation) has added another challenging layer to the intersection between data protection and disclosure. Although the GDPR was approved by the EU Parliament, its effects extend beyond the EEA (European Economic Area).
The EU Parliament approved the GDPR on April 14, 2016, and it became enforceable on May 25, 2018. A year on, we can see that the GDPR is not just a passing fancy. It is also inspiring many countries to develop stricter privacy laws. The GDPR aimed to establish stronger rules on data protection, accountability, and consistency while giving people more control over their personal data. It does not reinvent the principles of data protection from scratch; it is an evolution of the existing legal framework (the 1995 Data Protection Directive, which it repealed) governing how personal data is processed.
Rights under the GDPR
The GDPR applies to the processing of personal data of individuals in the EU regardless of whether the processing, the monitoring of their behavior, or the offering of goods and services to them takes place inside the EU. An organization that operates outside the EU but processes the personal data of individuals located in the EU is therefore still subject to the GDPR.
Under the GDPR, the definition of personal data includes anything that contributes to or links to identifying an individual, whether it relates to their private, professional, or public life. The definition also covers information commonly found in medical records, such as "genetic data" and "biometric data" that allow a person to be uniquely identified.
The GDPR's broad definition of "processing" covers any operation performed on personal data, including its collection, use, disclosure by transmission, dissemination, or otherwise making it available.
Since May 2018, the GDPR has been clarified and strengthened through supervisory authority guidance and enforcement. Before that, the EU provided a transitional period of two years (from adoption in 2016 to application in 2018) for data controllers to familiarize themselves with the new rules. The GDPR provides stronger data protection rules, giving data subjects more control over their personal data. For more information, check out the European Commission's overview of the GDPR.
Some of the rights, and the controller obligations that back them, include:
- Right to Access - data subjects have the right to obtain confirmation from the data controller as to whether or not personal data is being processed, where and for what purpose.
- Data Erasure - also known as the right to be forgotten, in which the data subject has the right to have the data controller erase their personal data. This also covers data that is no longer relevant to the original purposes for which it was processed.
- Data Portability - the right for the data subject to receive the personal data concerning them, and the right to transmit that data to another controller.
- Privacy by Design - strictly an obligation on the controller rather than a right of the data subject: the data controller shall implement appropriate technical and organizational measures to protect the rights of data subjects from the outset of system design, rather than as an afterthought.
- Transparency in the Request for Consent - companies will no longer be able to hide behind legalese when it comes to a request for consent. Consent request must be clear, easily accessible, and distinguishable from other matters. It must also be easy to withdraw consent.
- Notification and remediation of Data Breach - Data controllers are required to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach. Data processors must notify the controller without undue delay, and affected data subjects must be informed without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
How does the GDPR affect litigation cases in the US?
With the GDPR, organizations and law firms also need to think carefully and take critical steps when handling personal data during and after litigation. Before litigation starts, one must assess the organization to understand everything possible about how it handles data. It is crucial to conduct data inventories and data mapping to identify any governance issues.
Because the GDPR governs cross-border transfers of personal data, including transfers made to satisfy U.S. discovery obligations, it is essential to do your due diligence to determine whether the organization is ready to move forward with litigation. Keep in mind that any transfer of personal data that is undergoing, or is intended for, processing after being transferred to a third country or an international organization is affected by the GDPR.
As part of your due diligence in preparation for a litigation case, it is vital to identify the scope of relevant personal data that will be preserved under legal hold, while assessing whether relevant evidence can be secured by other means (e.g., interrogatories and/or deposition testimony). This helps to minimize the scope of personal data that will need to be handled and protected.
Explicit protocol requirements regarding the handling and protection of personal data need to be prepared. These should state what personal data shall be collected, produced, preserved, and processed for litigation. All personal data needs to be handled and processed transparently and used only for explicitly specified purposes of the lawsuit. Diligent attention shall be given to the appropriate technical and organizational security of the personal data, and as soon as it is deemed unnecessary for the litigation, it is to be deleted.
Issues of custodial consent must also be taken into account. Under the GDPR, a request for consent must be made in clear, informed, and unambiguous language. Data subjects must also be told that they can withdraw their consent at any time. "Consent-by-default" and "mass opt-out" consent strategies covering multiple data subjects should no longer be pursued.
For the organizations and law firms, it is important to anticipate these rights, have the necessary protocols in place, and also know the location of personal data within the document universe that is subject to litigation. If the case arises, the counsel must be able to isolate and carefully handle the data to comply with the data subject’s rights under the GDPR.
After litigation, follow-through is vital, as law firms, organizations, and third parties involved still need to keep taking appropriate measures for handling the personal data even after the litigation has concluded. Once the case is done, it is essential to determine how much longer the data needs to be held and, if it is no longer necessary, how to properly dispose of it, either by returning or destroying it in compliance with the GDPR.
In short, it’s best to keep this in mind: if you are not able to protect, do not collect.
How does T-Scan approach the GDPR?
Despite it being an EU regulation, we have taken its core elements as inspiration to keep our data security and compliance architecture in shape. We believe it is better to be at the forefront than to lag behind.
Here at T-Scan, we believe that to be thought leaders in our field, we have to stay ahead of the game. With that in mind, we have taken the necessary steps to comply with data privacy requirements. Check our views on privacy: data privacy compliance isn't something we do only when the matter arises. Our approach is proactive and timely.
The GDPR is the tip of the iceberg of the reality of a more globalized and mobile world. This poses challenges and yet exciting elements in the legal field. A business cannot afford to be insular and believe that all is well within their jurisdiction. It’s essential to understand the changing landscape of data privacy and security.
We may be local, but we think globally - that’s the T-Scan way.