The GDPR stands for General Data Protection Regulation and is the core of the European Union’s data privacy rules. It was introduced as part of the Union’s effort to prepare Europe for the coming “digital age”.
The regulation was in the pipeline for 4 years before it finally came into force in 2018. It has sent shockwaves through the business world as companies hustle to make sure they comply with the law, because penalties for non-compliance can reach 4% of annual global revenue or twenty million euros.
But what are its exact effects on data privacy and organisations?
Let’s discuss that in detail:
Protecting Consumer Data
The GDPR was brought into effect to protect the public’s data privacy. Under its regulations, all organisations operating within the EU must ensure that they collect personal data under strict conditions and legally. The companies who collect data must protect it from exploitation or misuse and uphold the rights of data owners. Failure to do so results in a penalty.
This is especially important for firms that deal with electronically stored information (ESI) and eDiscovery. The already high eDiscovery costs will now be even higher as firms work to comply with the GDPR.
Article 12: Transparency and Communication
According to the GDPR regulations, companies need to publicly state how they collect data in “a concise, transparent, intelligible and easily accessible form, using clear and plain language”. They also need to provide avenues for individuals who want to make requests to them and respond to those requests on time.
Articles 13 & 14: Collecting Personal Data
New data privacy guidelines dictate that you cannot collect personal data from users without communicating a particular set of information to them. This regulation applies even when you do not collect data directly from the user.
We can clearly see that this is likely to make eDiscovery processes much longer and more burdensome. When collecting data from a user, an organisation will have to communicate all of the following:
- The contact details and identity of the controller and the controller’s representative (if applicable).
- The contact details, if applicable, of the data protection officer.
- The purposes of the processing for which the personal data is being collected and the legal basis for the processing.
- The beneficiary or group of beneficiaries of the personal data (if any).
- (If applicable) The fact that the controller intends to transfer personal data to a third country or an international organisation, and the existence or absence of an adequacy decision by the Commission.
There are even more rules and regulations when it comes to informing the data owner that we can’t possibly fit into this article. However, the requirements mentioned above prove that companies performing eDiscovery will need to create more efficient mechanisms to provide this information to the plethora of data owners they work with in order to avoid mountain-high costs.
Transfer of information has always been a lengthy and costly endeavour, but the GDPR has now made it mandatory. Companies must adapt.
Article 15: Right of Access
Data subjects are the users whose data you collect. These users have certain rights of access when it comes to that information and your processing activities with it. They can ask you about the purpose of your processing, source of the personal data, the time period you will hold the data for, and other things. They also have the right to receive any of their personal data that you are currently using or processing.
Article 16: Accuracy
The accuracy of the information you hold and process is only indirectly related to data privacy, but it is nonetheless important. Users hold the right to correct any inaccuracies or holes in the data you are using.
This can be significant in eDiscovery and might actually improve practices for some firms.
Article 17: Right to Erasure
Data subjects can, at any point, demand that you delete any of their personal data. The GDPR requires you to make the procedure for requesting erasure easy for the data subject. There are five exemptions to this right. According to Article 17, the right to erasure will not apply if processing is required for:
- Exercising the right of freedom of information and expression.
- Performing a task in the public interest or in the exercise of official authority vested in the controller, or complying with a legal obligation under Union or Member State law to which the controller is subject.
- Purposes of public interest regarding public health following Article 9(3) and points (h) and (i) of Article 9(2). This includes cases when
- “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
- processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.”
- Archiving purposes in the public interest, statistical purposes or scientific/historical research purposes, to the extent that the right to erasure is likely to seriously impair or render impossible the achievement of the objectives of that processing.
- The establishment, exercise or defence of legal claims.
Data privacy is a hot topic nowadays, and you can understand why the EU introduced the GDPR. It’s essential that all firms adopt the new regulations quickly to avoid any penalties or charges.