The General Data Protection Regulation (GDPR) intends to strengthen and unify data protection for individuals within the EU, but how will this affect the eDisclosure industry and what new challenges does it present? James Merritt, Director of Forensic Technology & eDisclosure at CityDocs, discusses.
What is the GDPR?
Regulation (EU) 2016/679 of the European Parliament protects a person by imposing strict conditions on the gathering of personal data, the processing of personal data and the movement of personal data. Persons or organisations that collect and manage personal information must protect it from misuse and must respect certain rights of the data owners, which are guaranteed by EU law.
What is the EDRM?
The electronic discovery reference model (EDRM) represents a conceptual view of the eDisclosure process and summarises the various areas of industry practice. The EDRM portrays an iterative mechanism, with one stage repeated numerous times in order to refine results and produce more precise data. It is normal to cycle back to earlier stages, refining the approach as a better understanding of the data emerges, or as the nature of the project changes over time.
As eDisclosure is primarily concerned with the handling of data, the GDPR has a huge impact on the industry. Understanding that impact is one thing, but meeting the challenges it creates is entirely another.
The Challenge of Implementation
The GDPR was designed to reinforce and strengthen the protection of personal data but in the specific case of eDisclosure, which already has strict guidelines around the collection, management and transmission of data, it has created a new set of challenges.
Although the GDPR is clear enough in law for its guidelines to be understood and followed, applying it to eDisclosure creates scope for misunderstanding and change.
The collection of forensic data, for instance, now must adhere to the additional obligations of the GDPR, such as data minimisation. In addition, the data controller is wholly accountable for the processing of personal data and liable for any damage resulting from a violation of the GDPR rules. Where a controller processes personal data jointly with another controller, they could be jointly and severally liable towards the individual.
Already, the impact of the GDPR on the EDRM is profound. The data collector(s) will have to adhere to more rules and governance, with strict penalties applied to misuse, which will make projects harder to complete and more difficult to manage effectively.
I see the main challenge being an implementation issue. How will organisations adapt to the new regulation quickly and effectively? How will this impact each stage of the EDRM? How will eDisclosure adapt to meet the increasing demands set by regulation and policy?
An eDisclosure vendor will become a joint data controller during the processing of data, as there will be consent and a contractual basis for the firm holding the data; however, all the data in its possession should have been collected for a specified, explicit and legitimate purpose, which in this case would be an eDisclosure investigation.
Collections will become more targeted, and the previous mind-set of sweeping everything up to make sure that nothing has been missed will become a thing of the past. It means that, together with the law firm, the eDisclosure vendor must make the right decisions at the identification stage, applying appropriate date ranges and keyword culling so that only information pertinent to the case is gathered, thereby limiting processing and achieving data minimisation.
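The identification-stage culling described above can be expressed as a simple, auditable filter. The following is an added illustration, not code from the article or from CityDocs: the document set, date window and keywords are constructed for the example, and the point is that every excluded item is logged with the reason for exclusion so the minimisation decision can be defended later without retaining the excluded content.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Document:
    """Minimal stand-in for an item in a collection set (hypothetical)."""
    doc_id: str
    created: date
    text: str


# Constructed sample documents for the example; not real case data.
SAMPLE_DOCS = [
    Document("D1", date(2017, 3, 2), "Contract negotiation with Acme, revised pricing schedule"),
    Document("D2", date(2016, 11, 20), "Acme contract draft, first version"),
    Document("D3", date(2017, 5, 9), "Office social event photos and personal emails"),
    Document("D4", date(2017, 6, 1), "Pricing dispute escalation, Acme invoice"),
    Document("D5", date(2018, 1, 15), "Acme settlement correspondence"),
]


def identify_documents(docs, start, end, keywords):
    """Apply date-range and keyword culling at the identification stage.

    Returns (collected, exclusion_log). A document is collected only if it
    falls inside the agreed date window and matches at least one keyword.
    Each excluded document is recorded with its doc_id and the reason, which
    gives an audit trail for the data-minimisation decision without keeping
    the excluded content itself.
    """
    lowered = [k.lower() for k in keywords]
    collected = []
    exclusion_log = []
    for doc in docs:
        if not (start <= doc.created <= end):
            exclusion_log.append((doc.doc_id, "outside date range"))
            continue
        hits = [k for k in lowered if k in doc.text.lower()]
        if not hits:
            exclusion_log.append((doc.doc_id, "no keyword match"))
            continue
        collected.append((doc.doc_id, hits))
    return collected, exclusion_log


def run_example():
    """Run the filter over the constructed set with a constructed scope."""
    return identify_documents(
        SAMPLE_DOCS,
        start=date(2017, 1, 1),
        end=date(2017, 12, 31),
        keywords=["Acme", "pricing"],
    )


if __name__ == "__main__":
    collected, excluded = run_example()
    print("collected:", collected)
    print("excluded:", excluded)
```

The date window and keyword list are the scope agreed with the law firm; the exclusion log is what you would keep alongside the collection record to show that the scope was actually applied.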
Operational compliance may become a real issue. It will undoubtedly be harder to manage, while specific future cases and situations might create grey areas open to misunderstanding.
Every eDisclosure/eDiscovery firm will need to appoint a Data Protection Officer (DPO). The role is similar to that of a Compliance Officer, but differs in that the DPO is also expected to be proficient at managing IT processes, data security (including dealing with cyber-attacks) and other critical business continuity issues around the holding and processing of personal and sensitive data.
Appointing a DPO will be a challenge for the organisation, as well as for the individual concerned, given the myriad of governance requirements that will need to be addressed and the nature of the role. The skill set required of a DPO spans far beyond understanding legal compliance with data protection laws and regulations. In addition, the post holder will need to build their own support team and will be responsible for their own professional development, as they need to be independent of the company that employs them - effectively acting as an independent regulator.
There is only a two-year period in which to become compliant before the GDPR comes into effect. This will fly by, so eDisclosure companies that are not ready in time will be in breach of the new regulation and could therefore face stiff financial penalties.
(Source: Written by James Merritt, Director of Forensic Technology & eDisclosure at CityDocs)