No Further Transition Period for GDPR: What to Expect Post-May 25th

Bloomberg Law’s® extensive network of  reporters and editors delivers authoritative, timely coverage on federal, state, and international laws governing the discovery process for...

Lisa Hawke

By Lisa Hawke

Lisa Hawke ( @ldhawke) is VP Security and Compliance at Everlaw and the Vice Chair of Women in Security and Privacy.

It took approximately four years of preparation for the General Data Protection Regulation to be approved by the EU Parliament in April 2016, and now the May 25, 2018 enforcement date is nearly upon us. Law firms and companies who fall within the territorial scope of GDPR under Article 3 will be watching closely to see how courts and regulators in Europe interpret the sweeping regulation.

With enforcement on the horizon, speculation regarding what actions might come out of Europe is at a high. In March, the law firm McCann FitzGerald, in conjunction with IDA Ireland and tech companies including Twitter and Box, hosted Irish Data Protection Commissioner (DPC) Helen Dixon to engage with legal and tech community on GDPR readiness and what to expect post-May 25th.

This was a unique opportunity for US companies working on GDPR compliance to hear directly from Ireland’s top data protection regulator. Dixon joined Paul Lavery, head of McCann FitzGerald’s Technology and Innovation Group, for the talk, “Preparing for the GDPR: Compliance Challenges and Potential Solutions.” In addition to sharing insights regarding their observations on compliance activities, they provided the audience with the chance to pose questions about the regulation and enforcement.

What Can Firms Expect Once GDPR Enforcement Begins?

The overarching theme of the talk was that firms and companies currently implementing GDPR compliance will set the standards for how both large companies and startups behave under the regulation. Both speakers emphasized that GDPR reflects fundamental rights of individuals in this digital era.

Impacted firms and companies have had two years to prepare for GDPR, so there will be no further transition period post-May 25th. We are likely to see a lag in enforcement as EU regulatory authorities begin their investigations under the GDPR. Organizations may take a risk-based approach to compliance implementation; however, they will be accountable for their decisions and the technical and organizational measures they take to protect and secure personal data. According to Dixon, “accountability is the bedrock of GDPR.”

The Irish DPC is focusing on three major areas of concern under GDPR. The first is the principle of transparency. Dixon explained that organizations can’t demonstrate their compliance if they are not clear on how they are collecting and processing data. She also noted that data controllers and processors can’t “divvy up” their own obligations under GDPR so that who is doing what with the data becomes less transparent to the data subject. Furthermore, traditional privacy policies with “vague statements” are insufficient to meet the new standards.

The second area of concern is whether an organization has a lawful basis for processing data under Article 6, which sets out six possible bases. Dixon emphasized the obligation to be transparent with users about an organization’s legal basis for collecting and processing data. She cautioned against automatically using the legal basis of “necessary for the performance of a contract” when another legal basis would be the correct choice. In other words, if you are doing a “square peg, round hole analysis” or using “creative lawyering” to establish legal basis, you need to take a hard look at your reasoning.

And finally, the special protection of children’s personal data under Recital 38 is another area of concern. Dixon said children and teens are a huge constituency of the Irish DPC. She said she is concerned that organizations lack transparency about their data collection and processing practices, because they don’t describe these in language that young people can understand.

Based on the discussion, we can expect protection of children online, transparency for all users, and handling of data subject rights to fuel GDPR enforcement actions. Of note, Dixon mentioned that when organizations fail to deliver on the enumerated rights that the GDPR gives every data subject, higher fines should be expected. These individual rights include: right to be informed, right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object, and rights in relation to automated decision making and profiling.

GDPR is a seismic change, and the regulators expect to see a meaningful change in how organizations describe their data collection and processing practices, and how they protect data. Tweaking around the edges won’t be enough. Dixon concluded her portion of the discussion by issuing the challenge: will your users see a change when they engage with your service on May 26th?

How Does GDPR Impact Cross-Border Transfers of Information for eDiscovery?

The ediscovery industry has been paying attention to potential implications of the GDPR. In 2017, Duke Law EDRM formed a GDPR project team to draft cross-border discovery guidelines for adapting to GDPR. This initiative aims to develop practical guidelines for cross-border transfer of information to help address conflicting requirements in the US and Europe for processing evidence during ediscovery.

According to the EDRM GDPR project team, the guidelines will address data transfers from Ireland to the US, as well as mitigating risk that “international litigation teams and ediscovery practitioners face when balancing US discovery obligations against European data privacy laws.” A draft of the guidelines was circulated to EDRM members in early March for comment, and the final document will be published in Judicature this spring.

For firms implementing process improvements in anticipation of GDPR, resources are already available from the EDRM team. EDRM’s Privacy & Security Risk Reduction Model can help firms establish a process for “reducing the volume of private, protected and risky data by using a series of steps applied in sequence.” As Dixon highlighted during the discussion in March, a key step in the risk model is identifying locations and types of “risky data”—which would include personal data under GDPR.

How Can Firms Establish Compliance?

The Privacy & Security Risk Reduction Model contemplates that an organization must understand the data in its possession. Since GDPR Article 30 requires that every organization subject to the regulation must maintain a record of data processing activities, law firms and companies that are preparing for GDPR compliance likely have a head start on documenting their data processing activities and resulting risk, including in relation to any applicable rights of the data subject. While it makes sense for firms to tailor data processing inventories to align with their own operations, there is guidance available.

For firms and companies looking to assess their own level of GDPR compliance and identify areas of major risk, McCann FitzGerald launched an innovative GDPR Gap Analysis app in February. The app uses AI to enable law firms and companies to quickly assess their own level of compliance and identify areas of risk. Everlaw open-sourced a GDPR Documentation Template that can be used as a starting point for records of processing activities, security of processing, and ability to respond to data subject rights. Firms can also take advantage of the the EDRM Security Audit Questionnaire to help evaluate the data security capabilities of cloud providers offering ediscovery products.

In addition to completing the necessary documentation and risk analysis activities, firms and companies should also be focused on cultivating an organizational culture in support of data protection and breach avoidance. Remember that, above all, GDPR is about giving people control of their personal data in line with the right to respect for privacy, and ensuring that personal data is secure.

To contact the reporter on this story: S. Ethan Bowers in Washington at sbowers@bloomberglaw.com

To contact the editor responsible for this story: S. Ethan Bowers at sbowers@bloomberglaw.com

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Try E-Discovery & Legal Tech News