An informational overview on the GDPR presented in four parts by eDiscovery expert Tom O’Connor.
- Part One: What is the GDPR? A Primer for Understanding
- Part Two: GDPR Definitions and Changes
- Part Three: eDiscovery and the GDPR
- Part Four: Now That I Understand the GDPR, What Do I Do?
Part One: What is the GDPR? A Primer for Understanding
Europe’s General Data Protection Regulation (GDPR) is set to take effect in less than 200 days. It is important to understand the changes this new set of regulations will impose, but it is also important to understand that even if you don’t have a physical business presence in Europe, the GDPR may apply to you. Any organization that retains personal information of any EU individuals must act to comply with the GDPR.
HOW DID WE GET HERE?
To put the provisions of the GDPR in context, we should first point out the differing concepts of privacy between the United States and Europe. The US tends to place more emphasis on free speech than on privacy, and this emphasis carries over into the litigation arena.
In the US, we view privacy rights as constitutional in nature, but there is actually no right to privacy enumerated in either the body of the Constitution itself or the Bill of Rights. In fact, it wasn’t until 1965 that the US Supreme Court set out an individual right to privacy when it overturned a state law on contraceptives in Griswold v. Connecticut.
In Europe, however, privacy is considered a fundamental right. All the member states of the European Union (EU) are also signatories of the European Convention on Human Rights (ECHR), and Article 8 of the ECHR provides a right to respect for one’s “private and family life, his home and his correspondence,” subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence.
In 1980, in an effort to create a comprehensive data protection system throughout Europe, the Organization for Economic Cooperation and Development (OECD) issued its “Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data,” which set out the following principles:
- Notice—data subjects should be given notice when their data is being collected;
- Purpose—data should only be used for the purpose stated and not for any other purposes;
- Consent—data should not be disclosed without the data subject’s consent;
- Security—collected data should be kept secure from any potential abuses;
- Disclosure—data subjects should be informed as to who is collecting their data;
- Access—data subjects should be allowed to access their data and make corrections to any inaccurate data; and
- Accountability—data subjects should have a method available to them to hold data collectors accountable for not following the above principles.
The OECD Guidelines, however, were non-binding, and data privacy laws still varied widely across Europe. In 1981 the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) was negotiated within the Council of Europe. This convention obliges the signatories to enact legislation concerning the automatic processing of personal data, which many duly did.
But the European Commission realized that diverging data protection legislation amongst EU member states impeded the free flow of data within the EU, and, since privacy was already a fundamental right under Article 8 of the ECHR (later reinforced by Article 8 of the EU Charter of Fundamental Rights, which specifically protects personal data), acted to propose a Data Protection Directive. The OECD principles were incorporated into the EU Data Protection Directive (officially European Union Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data), which was adopted in 1995.
However, European directives set out results to be achieved but leave each Member State free to decide how to transpose them into national law. The EU currently has 28 member states, and a total of 31 nations comprise the European Economic Area (EEA). Over the years, they have enacted different laws that sometimes contradict each other.
A regulation, on the other hand, is a legal act of the European Union that becomes immediately enforceable as law in all member states simultaneously. Since the 1995 Directive was only able to provide overall guidance in this area, the GDPR is designed to effectively harmonize European data protection laws. It was adopted in April 2016, and will officially supersede the Data Protection Directive and be enforceable starting on May 25, 2018.
The United States, while endorsing the OECD’s recommendations, did nothing to implement them domestically. Part of the issue is the diversity of laws in our federalist structure of government: with 50 states, 94 federal judicial districts (at least one in each state, plus the District of Columbia and Puerto Rico), additional territorial courts, and courts of special jurisdiction such as bankruptcy, a unified privacy regulation similar to the GDPR is problematic here.
IMPACT BEYOND THE EU
First, we should note that the GDPR affects more than merely the EU. The regulation applies not just to the 28 member states of the EU but is also being integrated into the 1992 EEA Agreement and thus will apply to the 31 member states of the European Economic Area (EEA), which includes the 28 EU member states plus Iceland, Norway, and Liechtenstein.
Second, as noted above, you do not have to have a physical presence in Europe to be covered by the GDPR. It applies not only to organizations established in the EEA, but to any organization offering goods or services to data subjects in the EEA, or monitoring their behavior, or otherwise controlling, processing, or holding personal data of individuals who are in the EEA, regardless of the organization’s location. Note that the test is where the data subject is located, not his or her nationality.
Activities to deal with the upcoming implementation of the GDPR have been slowly building momentum. Groups such as The Sedona Conference and the EDRM have been studying best practice principles for US attorneys but numerous questions remain on how to proceed.
The important point is to be prepared. The GDPR demands, not requests, data privacy compliance and places strong emphasis on organizations to act more responsibly in their data governance practices. More than ever, you need to identify what privacy-related content you possess, why it’s there, and who has access to it.
Failure to adequately prepare for the changes can have severe ramifications, including much higher fines than under the current regulatory environment. These include penalties of up to 4% of the organization’s global annual turnover for non-compliance, a point we will discuss in more detail in following parts of this overview.
For the remainder of the overview, we will highlight key elements, evaluations, and events in the planned implementation of the GDPR. Key elements to be covered will include:
- Discuss definitions for common terms used in the GDPR
- Discuss changes in practice to be made under the GDPR
- Set out distinctions to be made between obligations for a specific company as opposed to service providers
- Discuss steps to take to ensure compliance with the GDPR
Part Two: GDPR Definitions and Changes
A DEFINITIONAL BASELINE FOR GDPR
The first and overriding concept to be understood in dealing with the GDPR is how the regulation defines personal and sensitive data, and then to determine how those definitions relate to data held by your organization. Once you understand those concepts, you can proceed to pinpoint where any data meeting the definitions is created, managed, and stored.
The GDPR considers personal data to be any information related to an identifiable natural person and calls such a person a “data subject.” That can include both direct identification such as a name or indirect identification which clearly points to a specific person. This includes online identifiers such as IP addresses and location data such as a mobile device ID or position, which the EU Data Protection Directive had previously been vague about.
Examples of information relating to an identifiable person include:
- Identification number such as SSN, INSEE code, Codice fiscale, DNI, etc.
- Location data such as a home address or a mobile device’s position
- Online identifier such as e-mail address, screen names, IP address, etc.
- Genetic data such as biological samples or DNA, including gene sequence
- Biometric data such as fingerprints or facial recognition
- Health data
- Data concerning a person’s sex life or sexual orientation
The GDPR also designates as “special categories” of personal data (Article 9) any data which may reveal:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
All such sensitive personal data (including the genetic, biometric, health, and sex-life data listed above) is afforded enhanced protection under the GDPR, and processing it generally requires the individual’s explicit consent unless one of the other Article 9 exceptions applies.
Other pertinent definitions include:
Consent
Data controllers must be able to show that data subjects gave consent for the handling of their data, and the consent must be obtained with clear and plain language.
Controller
A controller, alone or jointly with others, determines the purposes and means of the processing of personal data, whether on-premises or while using a third-party cloud provider’s IT technology.
A controller is directly responsible for responding to data subject requests under the GDPR.
Data Breach Notification
A data breach must be notified to the applicable supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to “result in a risk to the rights and freedoms” of individuals. Where the risk to individuals is high, the affected data subjects must be notified as well.
Data Protection Officers
Certain organizations must appoint data protection officers (DPOs). Initially, the DPO requirement was proposed to apply only to companies of more than 250 employees, but the final version of the GDPR contains no such headcount threshold. Instead, almost all public bodies must have a DPO, while private organizations must appoint one only if their core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data or criminal conviction data.
Among the DPO’s responsibilities are advising controllers and processors of GDPR requirements and monitoring compliance.
Fines
GDPR violations can result in substantial fines of up to 4 percent of annual global turnover or €20 million, whichever is greater.
Processor
A “processor” processes personal data on behalf of a controller (e.g., Microsoft is a processor with respect to personal data that its commercial customers collect and that Microsoft processes on their behalf through solutions like Office 365).
A processor may process personal data only on the controller’s documented instructions, and must provide its commercial customers (who are the controllers) with a trusted platform and the capabilities they need to respond to data subject requests under the GDPR.
Right to Access
The GDPR also gives data subjects greater access to their data, requiring controllers to confirm to subjects whether, where, and for what purpose their data are being processed. In addition, controllers must provide data subjects an electronic copy of their data free of charge (a reasonable fee may be charged for further copies).
Right to Erasure
Also known as the “right to be forgotten,” these provisions give data subjects the right to have personal data about them erased and its further dissemination stopped. The right is not absolute: there is a balancing test between the individual’s rights and competing interests such as freedom of expression, legal obligations, the public interest, and the establishment or defense of legal claims.
IMPORTANT CHANGES AND ORGANIZATIONAL IMPACT
Among the key new elements of the GDPR are the following practical results:
- Requirement that an organization have absolute knowledge of where all EU personal data is stored across the enterprise, and be able to remove it when required.
- Significant penalties for non-compliance including substantial fines that are applicable whether an organization has intentionally or inadvertently failed to comply.
- Changes to eDiscovery practice in the US.
DATA EXISTENCE AND GDPR COMPLIANCE
The GDPR requires that an organization have absolute knowledge of where all EU personal data is stored across the enterprise, and be able to remove it when required. Specifically, organizations must have in place procedures to ensure the personal data of EU residents is secure, accessible, and can be identified upon request.
Balance these requirements against recent IDG research which suggests that approximately 70% of information stored by companies is “dark data” in a distributed, unstructured format. If that figure is accurate, the new requirement will pose substantial legal risks.
To achieve GDPR compliance, organizations will need to develop explicit policies for handling personal information. This will need to include:
- Enterprise-wide Data Inventory: Identify the presence of personal data in all locations
- Data Minimization: Retain as little personal data on EU subjects as possible.
- Enforcement of Right to Be Forgotten: An individual’s personal data must be identified and deleted on request.
- Effective Response Time: The ability to conduct enterprise-wide searches and report on the extent of any data breach within seventy-two (72) hours.
- Accountability: Ability to create audit trails for all personal data identification requests.
Finally, and equally important, the company must be able to show that these policies are being enforced and followed throughout the enterprise. Failure in any of these areas can now lead to heavy fines.
FINES: THE POTENTIAL COST OF NON-COMPLIANCE
One of the biggest changes coming with the GDPR is the increase in fines for violations. Previously, under the Directive, each member state was free to adopt laws in accordance with the principles laid out in the Directive, which meant that there were differences in the way each member country implemented and enforced the Directive.
But the GDPR is a regulation that applies to all member states of the EU and as such provides a new uniform regulatory framework. This model is designed to provide a uniform, cross-EU enforcement model that still provides individual member states flexibility on matters that pertain only to their own data subjects.
Under this new framework, a member state’s supervisory authority will operate in one of these ways:
- Lead Supervisory Authority: will act as the lead for the controllers and processors whose main establishments are located in its member state.
- Local Authority: may deal with complaints or infringements that only affect data subjects in its member state.
- Concerned Authorities: will cooperate with the lead supervisory authority when data subjects in their member state are affected.
Article 58 of the GDPR provides these supervisory authorities with the power to impose administrative fines under Article 83 based on several factors, including:
- How the supervisory authority became aware of the infringement, including whether the organization reported it itself
- Types of data involved
- Duration of the infringement
- Whether the infringement was intentional or negligent
- Policies and procedures deployed by the company
- Prior infringements by the controller or processor
- Degree of cooperation with the regulator
How is the fine calculated? Article 83 sets out a two-tier approach. The lower tier covers the operational obligations placed on controllers and processors, such as data protection impact assessments, breach notification, records of processing, security measures, and certification: non-compliance can lead to a fine of up to the greater of €10 million or 2% of global annual turnover. The upper tier covers the core provisions of the GDPR (the basic principles for processing personal data and the conditions for consent, infringement of the rights of data subjects, and transfers of personal data to third countries or international organizations that do not meet GDPR standards): here the fine can be up to the greater of €20 million or 4% of global annual turnover in the preceding financial year. Finally, it is important to note that these rules apply to both controllers and processors, which means “clouds” will not be exempt from GDPR enforcement.
Part Three: eDiscovery and the GDPR
Initial hopes were that the GDPR would promote eDiscovery cooperation between the US and Europe by standardizing data protection laws and regulations among the 31 EEA nations and the US. Instead, some sections of the new regulation emphasize even further the difference between US law and the law of the European countries mentioned in the Introduction.
US discovery descends from the English common law system, but most other EU countries do not share that background and typically have no discovery at all, or allow it only through specific requests to a judge. The regulation tends to favor that approach and thus makes things difficult for US eDiscovery practitioners in several areas set out below.
First and perhaps most important is the issue of litigation holds. In the US, data being held pursuant to a litigation hold is not considered to be data undergoing “processing”. The GDPR definition of processing, however, is much broader and makes no provisions for holding personal data for an unlimited period of time simply because of the possibility of impending litigation in the US.
Other areas of disconnect include:
Data Protection Officer (DPO) Requirement
There are concerns that when a company must create a DPO position, it will strain relations with any US party seeking data, by institutionalizing resistance to data requests under the new GDPR compliance structure.
Data Protection Impact Assessment (DPIA) Obligation
The GDPR requires a data protection impact assessment (often called a privacy impact assessment, or PIA) for high-risk processing. Data that is inadvertently deleted and is potentially relevant to an ongoing investigation or litigation in the US could prompt a request that the company produce its data audit information. But the company’s compliance with the GDPR’s DPIA requirements would appear to create a shield against any such discovery request.
Transfer of Data to Third Countries
Article 48 of the GDPR expressly states that orders or judgments by non-EU courts and administrative authorities requiring transfer or disclosure of personal data are not a valid basis for transferring data to third countries. Article 48 states, rather, that such orders or requests will be recognized only in so far as they are based on international agreements or treaties between the third country and the EU or member state, such as The Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters.
It would appear then at first blush that no request for a data transfer to a third country outside the EU will stand unless supported by a treaty or trade agreement. None of those options is well suited for a US-based discovery suit.
Data Portability Rights
Custodians who request the deletion and/or transfer of their own data, especially during a government investigation or litigation, may create a conflict between US preservation requirements and the GDPR’s right-to-be-forgotten provisions.
The new GDPR privacy requirements may push US litigants to early settlements rather than proceed with litigation discovery that may lead to high fines in Europe, or to ethical issues regarding preservation or “complete” discovery under FRCP Rule 26(g) in the US.
As noted in the Introduction, the GDPR covers not only data stored in the EU but also any data created or stored in the US that concerns an individual located in the EU (the regulation turns on where the data subject is, not on citizenship).
THE BUSINESS OF THE GDPR: CONTROLLERS AND PROCESSORS
The GDPR defines two distinct roles for business entities, that of “controller” and that of “processor”. A “controller” determines the purposes and means of the processing of personal data whether on-premises or while using a third-party cloud provider’s IT technology, whereas a “processor” actually processes the personal data on behalf of a controller.
An organization cannot be both a controller and a processor of the same data, but it can be a controller of one set of data and a processor of yet another. For example, a software company such as Microsoft or IBM may be a controller with respect to personal data that it collects from its employees but can also be a processor with respect to personal data that its commercial customers collect and the company processes on their behalf through their own solutions such as Office 365 or Watson.
With respect to datasets where the company is the controller, it is directly responsible for responding to data subject requests under the GDPR. When it is a processor, it must ensure that its customers (who are the controllers) are using a trusted platform and have the capabilities needed to respond to such requests.
Any organization that decides on how personal data is processed is essentially a data controller. Companies which are primarily controllers will be concerned with addressing all aspects of the GDPR. Regardless of the specific business structure, every controller will need to be sure that:
- Compliance policies and procedures are in place
- Business management controls are implemented
- Users are properly trained
- Data is properly secured
- IT properly implements a secure system
Service providers acting as data processors have increased obligations to meet the GDPR privacy standards. As such, a processor who demonstrates compliance with the heightened GDPR standards will likely be recognized as a preferred provider within the industry.
Processors should also keep audit trails for all processing activities, including:
- Data quality control
- Purpose limitations
- Data relevance
and should demonstrate accountability and transparency in all decisions regarding personal data processing activities, in order to maintain compliance for both present and future processing.
Third-party service providers which are only data processors should also meet these standards. The GDPR standards require proper data subject consent and that consent and consent withdrawal must be documented scrupulously. Implied consent will no longer be accepted as an approval method.
Part Four: Now That I Understand The GDPR, What Do I Do?
All companies should start by doing the following:
Determine Their Role Under the GDPR
Any organization that decides on why and how personal data is processed is essentially a “data controller”, regardless of geographic location.
Appoint a Data Protection Officer
This is especially critical if the organization is a public body or is doing regular large-scale processing.
Prepare for Data Subjects Exercising Their Rights
These include the right to data portability and the right to be informed as well as the right to be forgotten.
And then continue by taking the following steps:
- Build a data map
- Identify all privacy-related data
- Analyze all privacy-related data
- Conform all data handling practices to GDPR standards
- Ensure compliance policies and procedures meet GDPR standards
- Secure all systems against data theft
- Obtain ISO 27001 Certification (not required by the GDPR, but a recognized way to demonstrate the security measures Article 32 expects)
- Hire a Consumer Data Ombudsman specifically for dealing with requests and complaints from data subjects.
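The compliance capabilities listed in Part Two (enterprise-wide inventory, erasure on request, and an audit trail for every identification request) and the data-map and identification steps listed just above describe what a tooling layer has to do, without showing it. The following is an added example, not code from the original article or from any GDPR product, that demonstrates one minimal shape of that layer: a scan of constructed sample data stores for identifier types named in this overview (e-mail address, IP address, identification number), a lookup of every record that holds a given data subject’s identifiers, an erasure routine, and an append-only hash-chained audit log. The store names, record contents, and detection patterns are all constructed assumptions; a production scanner would use validated, locale-aware detectors and would scan real repositories rather than an in-memory list.

```python
"""Toy personal-data inventory, erasure and audit trail (added example).

Not code from the original article or any GDPR tool. The stores, records
and regex patterns below are constructed assumptions for illustration.
"""
import hashlib
import json
import re
from datetime import datetime, timezone

# Detectors for a few identifier types named in the overview (assumed patterns).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
# GDPR category for each detector, using the article's own taxonomy.
CATEGORY = {
    "email": "online identifier",
    "ipv4": "online identifier",
    "us_ssn": "identification number",
}

# Constructed sample data stores: (store name, record id, record text).
SAMPLE_STORES = [
    ("crm", "c-1001", "Contact: anna.m@example.org, last login from 203.0.113.7"),
    ("support-tickets", "t-77", "Customer 203.0.113.7 reported an outage"),
    ("hr-archive", "h-3", "Payroll record, SSN 123-45-6789"),
    ("marketing-export", "m-9", "Quarterly newsletter plan (no individuals)"),
]


def scan(stores):
    """Build the inventory: one finding per identifier occurrence."""
    findings = []
    for store, rid, text in stores:
        for kind, rx in PATTERNS.items():
            for token in rx.findall(text):
                findings.append({"store": store, "record_id": rid, "kind": kind,
                                 "category": CATEGORY[kind], "token": token})
    return findings


def summarize(findings):
    """Data map: number of personal-data occurrences per store and category."""
    summary = {}
    for f in findings:
        summary.setdefault(f["store"], {}).setdefault(f["category"], 0)
        summary[f["store"]][f["category"]] += 1
    return summary


def locate_subject(findings, identifiers):
    """Every (store, record_id) that contains any of a data subject's identifiers."""
    wanted = set(identifiers)
    return sorted({(f["store"], f["record_id"]) for f in findings if f["token"] in wanted})


class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash, so
    removing or editing an earlier entry breaks the chain and verify() fails."""

    def __init__(self):
        self.entries = []

    def record(self, action, detail):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "action": action,
                 "detail": detail, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or \
               hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def erase_subject(stores, identifiers, audit):
    """Handle an erasure request: drop every record holding the subject's
    identifiers and log where data was removed. The log keeps a hash of the
    identifiers, not the identifiers themselves, so it does not itself retain
    the personal data it records the deletion of."""
    hits = locate_subject(scan(stores), identifiers)
    hit_set = set(hits)
    remaining = [s for s in stores if (s[0], s[1]) not in hit_set]
    subject_ref = hashlib.sha256("|".join(sorted(identifiers)).encode()).hexdigest()[:16]
    audit.record("erasure", {"subject": subject_ref, "removed": [list(h) for h in hits]})
    return remaining, hits


if __name__ == "__main__":
    log = AuditLog()
    print(json.dumps(summarize(scan(SAMPLE_STORES)), indent=2))
    left, removed = erase_subject(SAMPLE_STORES, ["anna.m@example.org", "203.0.113.7"], log)
    print("removed:", removed, "chain ok:", log.verify())
```

Running it shows the caveat a practitioner should expect: the indirect identifier 203.0.113.7 appears both in the data subject’s CRM record and in an unrelated support ticket, so an erasure keyed on an IP address sweeps in a second record that may belong to someone else. An indirect identifier is personal data under the GDPR, but it is not always a reliable key for a single person, which is why erasure requests need human review of the located records before deletion.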
This new GDPR regulatory framework will be the strictest privacy doctrine in the world and appears to be on a collision course with some US based discovery rules.
Bart Willemsen, research director at Gartner, recently commented that, “The GDPR will affect not only EU-based organizations, but many data controllers and processors around the globe and with the renewed focus on individual data subjects and the threat of fines of up to €20 million or 4% of annual global turnover for breaching GDPR, organizations have little choice but to re-evaluate measures to safely process personal data.”
Despite this warning, and even though many organizations have been monitoring and preparing for the GDPR during the past few years of negotiation, more than a few have not. Gartner predicts that by the end of 2018, more than half of the companies affected by the GDPR will not fully comply with its requirements.
So immediate preparation is essential. Keep in mind that the goal of the GDPR is not to punish business entities but rather the public policy purpose of ensuring that companies and public bodies increase their ability to detect and deter breaches.
Fines are designed to be proportional to the effort companies make to comply with the new regulation and will focus on those which systematically fail to comply with the law or disregard it altogether. They are far less likely for companies which are transparent in their policies and procedures, make a good faith effort to develop that transparency, and report any data breaches swiftly.
Prepare now to put into place policies and procedures for both compliance and reporting, especially if you have multiple business locations and/or handle data from inside the EU. Various consulting firms and trusted advisors such as Cloud 9 can help provide guidance, but don’t delay. Remember that, given the Gartner figures above, organizations in compliance with the GDPR may find they have a true competitive differentiator on May 25, 2018.
About the Author
Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems. Tom’s consulting experience is primarily in complex litigation matters.