It has been nearly two months since the General Data Protection Regulation (GDPR) took effect. Despite the two years companies were given to proactively prepare for the GDPR, there was still a last-minute scramble to make the necessary compliance updates before May 25, 2018.
There is no doubt the GDPR will continue to evolve as some of the legislative kinks are worked out. But in the meantime, any company found to be violating the regulation faces heavy fines. Given the complex and ever-changing data landscape in the EU, here are some expert answers to commonly asked questions to help you understand the fundamentals of the GDPR and remain compliant under the new rules.
What is the GDPR?
The GDPR is the data privacy regime for the 31 member states of the European Economic Area (EEA), which includes the 28 EU member states plus Iceland, Norway, and Liechtenstein. The GDPR is currently being integrated into the 1992 EEA Agreement.
1. What is the difference between how the United States and the EU view data privacy?
eDiscovery Expert: David Horrigan | Relativity
The United States does have various federal and state laws addressing data privacy, and the Federal Trade Commission (FTC) has taken an active role in enforcement actions. However, in the U.S., we don’t have a comprehensive federal data privacy law, and historically, we have tended to put greater value on free speech—and the right to evidence in litigation—than we have on data privacy.
In fact, contrary to what many Americans think, there is no specific right to privacy in the U.S. Constitution. American courts have interpreted certain privacy rights from amendments to the Constitution. In the U.S., corporate email and communications are owned and controlled by the corporation. We take it for granted in the U.S. that we don’t have a personal privacy right to our business emails. Contrast that with Europe. From the beginning of Europe to the tragic history of World War II, privacy has come to carry greater importance there. In fact—unlike in the U.S.—privacy is a fundamental right in Europe under article 8 of the EU Charter of Fundamental Rights. Even a name or an email address counts as personal private information in the EU, and the consequences of disclosing these without consent could cost you money and jail time.
2. What is going to be changing with the most recent provisions in the GDPR?
eDiscovery Expert: David Horrigan | Relativity
“Here are the key things changing under the GDPR:
- Controller vs. Processor: GDPR article 5 provides that data controllers assume responsibility for and must demonstrate compliance with the principles for handling personal data, while article 24 mandates that controllers implement technical and organizational measures to ensure GDPR compliance. It’s important to note that—although processors act under the direction of controllers—they, too, have greater responsibilities under the GDPR. Organizations can’t shirk their GDPR responsibilities by saying they are mere controllers.
- Data Protection by Design and Default: Article 25 of the GDPR provides that organizations must implement appropriate technical and organizational measures for data protection.
- Hefty Fines: GDPR violations can result in fines of 4 percent of annual turnover (revenue) or 20 million Euro, whichever is greater.
- Consent: Data controllers must be able to show data subjects gave consent for the handling of their data, and the consent must be obtained with clear and plain language.
- Data Breach Notification: One of the more controversial provisions of the GDPR is that data breach notifications must be given to the applicable supervisory authority within 72 hours of a data breach where feasible and where the breach is likely to “result in a risk to the rights and freedoms” of individuals.
- Right to Erasure: Known formerly as the “right to be forgotten,” these provisions were also controversial, giving data subjects the right to have information about them “erased.”
- Right to Access: The GDPR also gives data subjects greater access to their data, requiring controllers to confirm to subjects whether, where, and for what purpose their data are being processed.”
3. How will the GDPR affect my current information governance policies?
eDiscovery Expert: John Patzakis | X1
“To achieve GDPR compliance and also EU data shield certification, organizations must ensure that explicit policies and procedures are in place for handling personal information, and just as importantly, the ability to prove that those policies and procedures are being followed and operationally enforced.
What has always been needed is gaining immediate visibility into unstructured distributed data across the enterprise, through the ability to search and report across several thousand endpoints and other unstructured data sources, and return results regarding PII leakage within minutes instead of days or weeks. The need for such an operational capability is further heightened by the urgency of GDPR compliance.”
4. What are some ways companies can benefit from leveraging experts on GDPR protocols and compliance?
eDiscovery Expert: Chuck Kellner | D4
“There are 3 ways companies can use experts to revise their protocols and remain compliant:
- In-House Expertise in GDPR: Attorneys can assist with writing, re-writing or implementing GDPR policies and procedures for US-based multinational companies. It’s important to ensure that the attorney assisting you has the right expertise for your organization.
- GDPR Compliant eDiscovery Protocols: GDPR attorneys and EU-privacy-experienced eDiscovery consultants can assist multiple legal teams in their procedures for obtaining consent and defensibly collecting ESI in GDPR jurisdictions.
- Onsite Assistance in GDPR Jurisdictions: Using an onsite vendor can help you collect and filter ESI in GDPR jurisdictions. Experts can help maintain proper procedures for litigation purposes.”