The General Data Protection Regulation (GDPR) becomes enforceable on May 25, 2018. The GDPR applies in all 28 European Union (EU) member states and is being extended to Iceland, Norway, and Liechtenstein, the non-EU members of the European Economic Area (EEA). For now, the United Kingdom is also subject to the GDPR, but that could change as Brexit is finalised.
The impact of the GDPR reaches far beyond Europe. Businesses in the United States and around the world are subject to the GDPR's requirements if they process the personal data of individuals in the EU (the regulation protects data subjects in the Union, not EU citizens as such). The penalties for violating the GDPR are severe: for the most serious infringements, up to 4% of annual global turnover or 20 million euros, whichever is greater.
Principles Underlying the GDPR
The GDPR reflects a European sensibility that is fundamentally at odds with the values and norms of U.S. e-discovery. Generally speaking, U.S. law protects freedom of speech and commercial interests and favours litigants' access to data during discovery, whereas European law emphasises privacy and individual control over personal data.
That means the GDPR inherently conflicts with standard U.S. discovery and litigation practices. The U.S. court system expects litigants to preserve information that may be relevant to reasonably anticipated litigation. The GDPR, by contrast, requires that businesses process personal data only on a recognised lawful basis (consent is one such basis, but not the only one; legal obligation and legitimate interests are others), keep it no longer than necessary for that purpose, give data subjects access to their data on request, and, when asked, erase ("forget") an individual's personal data. The right to erasure is not absolute: it does not apply where the processing is necessary for the establishment, exercise or defence of legal claims (Article 17(3)(e)), which is precisely the ground a litigation hold rests on. That exception reduces the conflict but does not remove it, because a U.S. preservation duty is still not, by itself, an EU lawful basis for collecting, transferring and producing the data.
GDPR Data Rules That Could Impact E-Discovery
Under the GDPR, "personal data" covers the familiar personally identifiable information, such as name, birthdate, and address, but goes much further. It also includes demographic information, online identifiers such as IP addresses, and health, biometric and genetic data (the last three are "special categories" that attract stricter rules). The test is whether a living individual can be identified, directly or indirectly, taking into account all the means reasonably likely to be used, including combining the data with other data. If so, it is personal data, however indirect the link.
In the context of U.S. litigation and legal operations, the GDPR can have a direct impact. If, in the course of discovery, one collects emails that include an EU resident's personal data, e.g., a name together with an email address, then each subsequent step can be a regulated processing activity: storing that data, transferring it out of the EEA to a U.S. review platform, and producing it to an opponent. Any of these can put an organisation in violation of the GDPR unless it has a lawful basis and, for the transfer, a recognised transfer mechanism (Chapter V allows, among other grounds, transfers that are necessary for the establishment, exercise or defence of legal claims, Article 49(1)(e), but that derogation is interpreted narrowly and does not cover blanket collection).
The GDPR was adopted by the European Parliament and the Council; it is enforced by the national supervisory authorities (data protection authorities) of each member state, coordinated through the European Data Protection Board. To avoid violating the regulation and incurring punitive fines, organisations should take these basic steps to comply with the GDPR:
– Limit the collection, retention and use of individuals' personal data to what is necessary for a specified, lawful purpose, and document that purpose and its legal basis.
– Keep personal data secure with technical and organisational measures appropriate to the risk, and honour the data subject's rights over their own data: access, rectification, erasure, restriction, portability and objection. (The GDPR does not make the individual the "owner" of the data; it gives the individual enforceable rights over how the organisation processes it.)
These obligations apply to any organisation established in the EU, and to any organisation outside the EU that offers goods or services to individuals in the EU or monitors their behaviour there (Article 3), regardless of where the processing itself takes place.
Source: Zapproved blog