The General Data Protection Regulation (GDPR)’s arrival is imminent. On May 25, the new regulation governing data privacy for citizens of the EU’s 28 member countries becomes enforceable as law. For data collection and transfer – for example, eDiscovery initiatives related to cross-border litigation and investigation, it imposes severe restrictions on handling the personal data of European nationals, regardless of their location.
Non-compliance could result in large fines and penalties – up to 4 percent of annual worldwide turnover or 20 million Euros. Although it remains to be seen whether the regulators will have an appetite for enforcement, ignoring the potential risk commercial and reputational of a breach is highly ill-advised.
In eDiscovery, there is a requirement to preserve (and eventually process) relevant data and this is typically done in response to a subpoena, section 2 notice or other court or enforcement agency issued demand for information. Previously, responding to a subpoena in an investigation or litigation has generally been a cooperative effort across departments within a corporation and for multinationals, coordinated across regions. Under GDPR, sharing that information will present another challenge. Even custodian names can be deemed private. Organizations will have to reconsider their reporting requirements and reexamine their scrubbing techniques to protect and in some instances anonymise or pseudonymise certain personal data.