The European Union’s widely anticipated General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Designed to provide EU citizens with better control over their personal data, this comprehensive reform of data protection in the EU has far-reaching implications. But how and to what extent will this new regulation affect electronic discovery in U.S.-based civil litigation? Organizations subject to the GDPR should think critically about what specific steps to take when handling personal data before, during and after litigation.
Before Litigation: Focus on Information and Organizational Governance
Before litigation ensues, you should understand everything you can about your organization’s data. Conducting data inventories and mapping allows you to identify potential information governance issues, such as what types of data your organization handles, where that data exists within your systems, and how information generally flows within your organization.
It is also imperative to assess your organization. Do you have a Data Protection Officer? Are you currently subject to the U.S.-EU Privacy Shield? Does your organization have binding corporate rules (BCRs), model contractual clauses or other adequate transfer safeguards in place? The GDPR changes the existing data transfer mechanisms available to organizations subject to it, and the applicability of these mechanisms may depend on the answers to these questions.