When it comes to the EU General Data Protection Regulation (GDPR), ignorance is not bliss. Organizations that fail to get up to speed with GDPR may face steep financial penalties.
Earlier this year, the French data protection watchdog group CNIL issued its first GDPR fine to Google. According to CNIL, Google did not comply with GDPR guidelines when Android users set up a new phone. This violation resulted in a $57 million fine.
While this case doesn’t pertain specifically to e-discovery, it does illustrate the severity of failing to comply with GDPR.
“A lot of people that weren’t paying attention to GDPR are paying attention now,” said Chris O’Connor, director of e-discovery strategy at Complete Discovery Source. “Most companies won’t survive a multimillion-dollar hit.”
With clients spanning the globe, CDS has worked with numerous organizations to ensure they are GDPR-compliant.
I chatted with the CDS team on best practices when it comes to GDPR.
#1 Do Your Homework.
When GDPR was first enacted, US corporations, in large part, were aware of GDPR and how it would impact their business.
“There wasn’t as much confusion on the corporate side because everyone feared the penalties that would ensue,” said Chris.
Working with attorneys, however, can be a different story. CDS has found that many fall prey to the mantra “out of sight, out of mind.” In other words, a large portion of American attorneys do not keep GDPR top-of-mind because it is an EU regulation.
Chris noted that US attorneys are often unaware that they are violating GDPR by accessing European data from a US server. CDS worked with a firm that needed to access files in London and wanted to pull them up on its server in the US. Since the attorneys were unable to travel to London to conduct the review, CDS recommended that they find local resources to conduct it. They were able to leverage attorneys from their London office to accomplish this.
Failure to understand GDPR requirements could impact the attorney-client relationship, as clients could receive penalties for their attorneys’ lack of understanding.
“Attorneys need to be dialed into the rules,” Chris said. “If they’re not, we will see a lot more sanctions and penalties coming down the pipeline.”
(Interested in learning the basics? David Horrigan details what you need to know in this post.)
#2 Be Proactive.
GDPR has changed how quickly organizations must respond to Data Subject Access Requests (DSARs), written requests made by employees to their employers for personal information. GDPR requires organizations to provide the documentation relevant to the request within one month.
“We have seen a huge increase in DSARs since GDPR came into play,” said Mark Anderson, senior project consultant at CDS. “These requests can be quite complex, and it is difficult to get an extension.”
When facing a DSAR, organizations must provide enough information to satisfy the request without overproducing, which is costly.
“The biggest challenge is pinpointing where data relevant to the request lives,” Mark explained. “If you have 10 employees, you can simply search everyone’s mailbox. But, if you have 4,000 employees, trying to find that data is extremely challenging.”
To make these requests less daunting, Mark said organizations should, at a minimum, centrally organize all of their systems, identify where data is held, and track that information. Often, someone in the legal department will not know what systems the human resources department uses, and vice versa. Upgrading existing software to centralized systems with compliance features such as archiving, legal hold, and search is the next logical step, but it requires investment.
“It is crucial to have conversations between all the key stakeholders in each department to better understand the systems each department uses,” Mark said. “That way, organizations can track where data lives, which will prove beneficial when facing these types of requests.”
#3 Invest in Technology.
In this increasingly digital era, organizations must handle more and more data—and faster. Thus, they need to arm themselves with technology that can handle larger and more complex data sources.
Identifying the information relevant to a DSAR, for example, requires flexible software that can scale up to handle huge amounts of data at once. Recently, CDS handled a broad DSAR for a UK-based technology firm that spanned 1 million documents. The firm used RelativityOne to cull the data by upwards of 99 percent and review the documents within the mandated deadline.
“With in-house technology solutions, this would not have been possible. Our client wouldn’t have been able to search through this much data and meet their deadline,” Mark said.
Using highly scalable SaaS solutions accelerates this process, which will prove beneficial for institutions that handle a substantial number of DSARs.
“Data transfer speeds in the cloud cannot be matched by an on-premises solution,” Chris said. “As more data is leveraged in the cloud, cloud-to-cloud data transfer will soon be the norm.”