The zero hour for GDPR compliance, May 25, 2018, is nearly here, and how it applies to eDiscovery is being hotly debated.
Because the regulation is so far-reaching and affects far more than legal or eDiscovery teams, it can be unclear who really needs to know all the details, and who exactly is responsible for compliance.
What is clear: to be compliant, any company that has or will have information about an EU citizen needs to know where their data lives, who has access to it and what the lifecycle of that data looks like. Governance of personally identifiable information is paramount, and companies are left questioning how best to implement a solution or solutions.
GDPR In Brief
At its core, GDPR is designed to give the citizens of the European Union (EU) control over their personal data in the ever-changing digital age. The vast majority of the services we use today collect our personal data. Analysis of that personal data is at an all-time high, and companies can store it indefinitely. The reforms are, in a sense, a catch-up to the digital age: a way to bring the laws and obligations around personal data, privacy and consent in line with reality.
Since 1980, different organizations, commissions and councils have worked toward a uniform data privacy law across the EU, but it was in January 2012 that the European Commission set out to make uniform data protection reform real. The hope was that a more homogeneous regulation would not only result in better privacy for individuals, but also create a system that was much easier for businesses to navigate. No matter where companies did business, they would only have to work with one set of standards and one regulator.
While the regulations are technically “restricted” to the EU, US companies that have collected or plan to collect any information on EU citizens must have a strong data governance practice. And fines for non-compliance or breach are very steep: 20 million euros or four percent of total annual revenue, whichever is greater.
PII, Analytics and eDiscovery
At the heart of GDPR is personally identifiable information, or PII: information related to an individual that could be used to identify them either directly or indirectly. GDPR’s right to erasure (what many are calling the right to be forgotten) allows any EU member to request that all PII a company holds on them be “removed.” Companies will need to demonstrate that they can anonymize or pseudonymize PII to comply with this right to erasure.
In response to these new demands, a wave of eDiscovery software companies are promoting their tools as must-haves in this new age of GDPR compliance. They’re not wrong:
- Software that can identify PII can report on it as well.
- With training, the supervised machine-learning (analytics) capabilities of eDiscovery software could be used to categorize data that might contain PII.
- The popularity of in-region cloud deployment means data doesn’t have to leave its country of origin, which makes compliance during processing nearly assured.
In these ways, eDiscovery software can be used as a valuable text mining tool for GDPR compliance. If litigation or an investigation is in progress, or a company already has an eDiscovery platform and is unsure about compliance, leveraging the existing technology to identify PII, run categorization and double- or triple-check that some type of anonymization is being applied makes perfect sense. But should a company invest in eDiscovery software specifically for GDPR compliance? The answer to that question is not as straightforward.
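To make the “identify PII, report on it, pseudonymize it” workflow above concrete, here is a small added example written for this article; it is not code from the original post or from any eDiscovery vendor. It assumes two detection patterns (an RFC-style e-mail address and a constructed “+CC NNN NNN NNN” phone layout), a handful of constructed sample documents, and HMAC-SHA256 tokenization with a mapping table held apart from the output.

```python
import hashlib
import hmac
import re

# Constructed sample "documents" standing in for a review set; not real data.
DOCS = {
    "doc1.txt": "Contact anna.muster@example.org or +49 151 234 567 about the invoice.",
    "doc2.txt": "Quarterly figures attached, no personal details in this memo.",
    "doc3.txt": "Forwarded from anna.muster@example.org: please confirm receipt.",
}

# Detection patterns. Assumed formats: RFC-style e-mail and a +CC NNN NNN NNN
# phone layout. A production scanner would carry many more (IBAN, national IDs, ...).
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+\d{2}[ -]?\d{3}[ -]?\d{3}[ -]?\d{3}"),
}


def find_pii(text):
    """Return (kind, value) pairs for every PII match in the text."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((kind, m.group(0)))
    return hits


def pii_report(docs):
    """The 'identify and report' step: per-document PII counts by kind."""
    report = {}
    for name, text in docs.items():
        counts = {kind: 0 for kind in PATTERNS}
        for kind, _ in find_pii(text):
            counts[kind] += 1
        report[name] = counts
    return report


def pseudonymize(text, key, table):
    """Replace each PII value with a keyed token and record value in `table`.

    The same value under the same key always yields the same token, so a person
    stays linkable across the corpus for review purposes. The key and the table
    are the re-identification material: store them apart from the output, under
    separate access control. While they exist, the output is still personal
    data under GDPR (pseudonymized, not anonymized).
    """
    def make_sub(kind):
        def _sub(m):
            value = m.group(0)
            token = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]
            table[token] = value
            return f"<{kind}:{token}>"
        return _sub

    for kind, pattern in PATTERNS.items():
        text = pattern.sub(make_sub(kind), text)
    return text


def erase(table, value):
    """Honour an erasure request: drop every mapping for `value`, so tokens
    already in circulation can no longer be resolved back to the person.
    Returns the number of mappings removed."""
    removed = [tok for tok, v in table.items() if v == value]
    for tok in removed:
        del table[tok]
    return len(removed)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; in practice, from a key store
    mapping = {}
    for name, text in DOCS.items():
        print(name, pii_report(DOCS)[name])
        print("  ", pseudonymize(text, key, mapping))
    print("erased mappings:", erase(mapping, "anna.muster@example.org"))
```

The design choice worth noting is the split between the pseudonymized text and the mapping table: review teams work on the former, and an erasure request is satisfied by deleting entries from the latter (and the key, when the whole table is retired). Keep the key out of the corpus and out of source control.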
Compliance efforts clearly need to go well beyond discovery alone, and GDPR is holding a mirror up to businesses that aren’t looking holistically at how they handle personal data. Leading eDiscovery technology will obviously be one essential aspect of a responsive and evolving approach to compliance and privacy, but how best to use it in the short and long term will vary from company to company. Companies must know where their data is before it can be governed. Then, pre-litigation corporate processes, policies and solutions should include broad strategies that strengthen information governance across the organization.