The interplay between GDPR and eDiscovery
Authors: Jamie Brandes, Tobias Keller, Yvonne Lazarowicz, Justin Ridl
The European Union’s General Data Protection Regulation (“GDPR”) applies in full from 25 May 2018, and sets up a comprehensive regulatory regime for how the personal data of individuals in the EU (including the special categories of sensitive data) is collected, processed, stored and managed, wherever in the world that happens. As with most regulatory changes, entities falling within the scope of the regulation are hustling to make sure they are compliant. Why the hustle, you might ask? The stakes are high: non-compliance can result in administrative fines of up to 4% of annual global turnover or 20 million euro, whichever is higher.
Organisations worldwide are scrambling to find solutions to the GDPR risk, with many software platforms being developed to audit data, and highlight risk areas. One way that an organisation could manage their GDPR risks, is through the use of eDiscovery platforms.
eDiscovery is the process by which electronically stored information (“ESI”) is located, preserved, collected, searched and reviewed, typically for use in litigation or investigations. By its very nature, eDiscovery involves processing large volumes of data, the very activity the GDPR regulates. Given the rise of eDiscovery in recent years, parties engaging in or undertaking eDiscovery must be particularly careful about how they handle that data.
Whilst traditionally a means by which a party manages its ESI for litigation, these platforms can also be used to sort an organisation’s data and manage it against the GDPR’s requirements.
Through the GDPR, data subjects have been handed an arsenal of rights and entitlements, and controllers and processors must be ready for data subjects to exercise them.
With the implementation of the GDPR, a data subject may request that the personal data you hold on them be erased – the “right to be forgotten” (Article 17). The right is not unconditional (it does not apply, for example, where the data is still needed to establish, exercise or defend legal claims), but where it does apply the controller must erase the data without undue delay and, under the GDPR’s accountability principle, must be able to demonstrate that it has done so. In today’s ‘cloud’ climate this means an organisation must know where every copy of the data it holds on a subject lives, including copies held by its processors and other recipients, and must be able to remove it from each of those locations, whatever the lawful basis on which it was originally collected. It is not enough to be able to locate any piece of data on a particular data subject: you must be able to show that you acted on their request and deleted every piece of data you hold that relates to them.
Somewhat ironically, one way to manage this risk is to manage all your organisational data through an eDiscovery system. An organisation can then hold all of its ESI, ideally in one indexed location, search for everything relating to a given data subject, delete it, and produce a report of what was found and deleted for the data subject who required the deletion.
Should a data breach occur, and should litigation arise from that data breach, you are conveniently ready with all your ESI already sorted. Two birds with one stone, they say.
If you would like to know more, Cognia Law provides a detailed and effective GDPR offering, including a full audit of your platform’s GDPR compliance. For more information contact Yvonne Lazarowicz on [email protected] or Justin Ridl on [email protected].
You can also follow us on Twitter and LinkedIn or visit us here: www.cognialaw.com
Director at Harrisons eDiscovery Consulting (Pty) Ltd
7 years ago: Good thinking, and of course this will be highly relevant in SA when POPIA is implemented, as the same issues will apply here.
NewLaw Lawyer | Legal Strategist & Tactician | Legal Tech Enthusiast & Futurist | Innovator | Purpose-Driven Leader
7 years ago: Great article - well done Jamie-Leigh Brandes & Tobias Keller!