Is your legal tech GDPR ready?
Recently, the world saw a significant change in the approach to data protection/privacy when the European Union’s General Data Protection Regulation (“GDPR”) went into effect on May 25, 2018. Due to its exacting requirements, extraterritoriality, and wide applicability to both data controllers and processors (companies and their vendors), the GDPR truly is globally significant. Although there was much discussion leading up to the effective date (the GDPR was first proposed in January 2012 and adopted in April 2016), there remain many companies who are not yet fully prepared for or compliant with the GDPR – and many companies who are not even aware that the GDPR applies to them.
As in-house counsel, what are the issues facing your team (aside from ensuring the business units comply with GDPR)? In a study conducted by TrustArc in conjunction with the International Association of Privacy Professionals, the top compliance risks were meeting the requirement of reporting breaches within 72 hours, data inventory and mapping, consent requirements, and international data transfers (US/EU Privacy Shield, model contract clauses, binding corporate rules, etc.). As counsel, you may be involved in these efforts, but have you considered your own department’s activities? Vendor oversight still comes into play, especially with the information shared with outside law firms, who must be GDPR compliant if they handle matters for you in which GDPR data is disclosed – such as matters involving corporate officers, HR matters, the Foreign Corrupt Practices Act, and the various sunshine reporting requirements for payments to physicians.
But let’s talk about some really sensitive topics for in-house counsel: legal holds, record retention based on US laws, whistleblowing (internal investigations), and documenting risk decisions. Given the length of the blog, this will be brief, but hopefully it will ring some alarm bells for you. A recent example was an EU bank, based in the US, that required the home address and other information of an authorized signer in the EU. But when asked for the legal basis, retention period, and other personal data processing information to which the data subject is entitled, the bank could not provide that information. And yes, the GDPR applies to personal data in the business realm.
Legal holds: Under the GDPR, entities can retain data for legal reasons. If a lawsuit arises, certainly the information must be retained long beyond the time period after which it would have (should have) been deleted in the normal course of business. But be careful to limit your holds to the data that is absolutely necessary, and make sure that your legal hold technology allows you to document the rationale behind the hold.
Record retention: Related to legal holds, record retention is a legitimate concern. Often, companies develop record retention schedules that provide for a minimum retention period, but the GDPR requires a maximum retention period. No longer can you set retention periods based on the most conservative period among the regimes in which you operate. You must consider whether that retention period, and the specific law behind it, applies to the EU personal data. The Foreign Corrupt Practices Act is a good example: its extraterritorial provisions are ones the EU may not consider valid (yes … pot and kettle), and companies often settle because of defense costs even if they try to argue lack of jurisdiction. But now consider the personal data of EU employees, EU foreign government officials, and EU third parties acting on behalf of US companies.
Whistleblowing: This is a sensitive subject in the EU anyway, because the EU does not like anonymous reporting or reporting of what EU countries may consider minor infractions (like sexual harassment). Once the allegation is investigated and settled, under GDPR, the company should destroy the information. Action has been taken, or not, so there is no longer a reason to retain the data. There may be some leniency in retaining the data to protect your legal interests, but you had better be solid in that rationale. A potential, possible, somehow future action related to a past investigation might not justify retaining the data. Does your matter management system allow for the automatic destruction of these categories of data following specific timelines?
Documenting risk decisions: The GDPR requires several iterations of documenting decisions based on risk, such as legitimate interests as a legal basis, whether a process is high-risk, mitigating risk, confirming there is no residual risk, controller/processor processes, and many more. Legal departments are often reluctant to document a decision, because it becomes discoverable and may lead to trouble. Sorry. Privacy is a different beast. If it is not documented, it did not happen. So if you make a decision pertaining to GDPR-governed data, you should document it, preferably in a format that is easily produced upon investigation – not in the email inbox of someone who may no longer be with the company. Your decision may prove to be wrong in the long run, but if you document a deliberated process, with all the considerations, even if you are wrong, you likely won’t be in as much trouble as you would be otherwise. I have to caveat this one, because there are some less-wise decisions made that are in flagrant violation of GDPR, and no amount of documentation will protect those decisions.
This is just a small taste of some of the very specific impacts on in-house counsel that exist under GDPR. There are many more examples that come to mind, each of which a full and boring piece of scholarship could cover – and such scholarship will likely come to fruition. However, the direct impact on in-house legal has not been a huge piece of news. Take these examples and scrutinize the activities and legal tech used in your department. Make sure that you are not overlooking your own plumbing because you’re fixing someone else’s leaking data pipes.