eDisclosure and Brexit: GDPR come what may?

The GDPR (General Data Protection Regulation) plans to unify and strengthen personal data protection within the European Union, but how will this affect the eDisclosure industry?

eDisclosure, or electronic disclosure, is the process of managing the commercial activities around electronically stored information (ESI). The resulting information can then be used by lawyers as evidence in civil or criminal legal cases. Often, eDisclosure services are referred to by the electronic disclosure reference model (EDRM), created in May 2005 by George Socha and Tom Gelbmann to address the lack of standards and guidelines in the eDisclosure marketplace.

• The EDRM concerns the identification, preservation, collection, processing, review, analysis, production and presentation of ESI. It provides a common, flexible and extensible framework for the development, selection, evaluation and use of eDisclosure products and services.
• Identification – distinguishes and classifies potential sources of ESI, while understanding its scope, depth and breadth.
• Preservation – ensures the ESI is protected against inappropriate modification or destruction. It secures the effective isolation and protection of potentially relevant data through forensically sound, legally defensible and auditable means.
• Data collection – is carried out in a permissible manner from electronic storage mediums such as computers or servers, to ensure a defensible chain of custody.
• Processing – takes a large volume of data and reduces it down to only the data relevant to the litigation case.
• Document review – is traditionally carried out manually by teams of trained lawyers. eDisclosure enables review to be undertaken automatically, greatly increasing speed, reducing costs and improving accuracy.
• Analysis – involves understanding the facts and identifying the potential evidence for litigation cases so that lawyers can make informed decisions on reliable and verified data.
• Preparation and production – compiles data into a presentable and appropriate state for lawyers to present in court or in legal proceedings.

Click here for a graphic showing the relationship between these functions.

GDPR: strict conditions

As eDisclosure concerns the handling of data during litigation cases, the GDPR will have a dramatic impact on the industry moving forwards. There will be many challenges to overcome with the introduction of the new regulation, and the industry will have to evolve and adjust in order to comply. It seems that understanding the GDPR has not been as easy as first thought.

After three years of discussion across many levels, new European data protection guidelines were finally agreed on 27 April 2016. They take the form of a regulation – the GDPR – which will replace the current directive and will be directly applicable in all EU member states without the need for implementing national legislation. It will enter into application on 25 May 2018, but it contains some onerous obligations that will have an immediate impact.

The GDPR will enforce strict conditions on the collection, processing and management of personal data in order to enhance the protection of individuals. In today’s technological environment, this has been identified as paramount. Persons or organisations that handle personal data must ensure it is not mistreated, and complies with certain rights of the data owner.

The primary objective of the GDPR is to give individuals back control of their personal data. By introducing a single regulation across the whole European Union, the regulatory environment will become more streamlined for international business, with universal standards clearly established.

One of the key changes in the GDPR is that data controllers have direct obligations and are wholly accountable for the processing of personal data, with liability placed on their shoulders for any damage resulting from an infringement of the GDPR. Where a data controller manages personal data jointly with another controller, they will be collectively liable towards the individual.

The challenge for eDisclosure

The effect on eDisclosure could be dramatic. Organisations will need to establish how their current eDisclosure activities need to adapt to comply with the GDPR, before it comes into effect. Operational compliance will become a real issue, with projects becoming harder to manage.

Data collection will have to adhere to the additional obligations of the GDPR, such as data minimisation. Forensic collections will become much more targeted: organisations will have to make the correct decisions during the identification phase to ensure that appropriate date ranges and keyword culling are applied, in order to gather only data relevant to the case.

eDisclosure companies will become joint data controllers with the hiring company during the processing of personal data. All data in possession will need to be collected for an explicit and legitimate purpose, creating contractual terms for both organisations having access to the data. The data controllers will have to comply with further guidelines, with stern penalties resulting from misuse in data management. Limiting data processing will also be a key consideration due to data minimisation guidelines. eDisclosure projects will undoubtedly become much more difficult to complete, due to stricter guidelines being imposed by GDPR.

Any organisation handling data will need to have a data protection officer (DPO) who is proficient at managing IT processes and data security. This appointment could become a real challenge, due to the nature of the role and the level of new regulations involved. The DPO will need to manage their own support team, remaining separate from the organisation who employs them and acting as an “independent regulator”.

Adoption of the GDPR during the next two years will be a challenge for all eDisclosure organisations. Those companies who fail to comply before 25 May 2018 will be in breach of the GDPR and will face hefty financial penalties. The sooner the new regulations are implemented, the better for organisations. The GDPR will not be an overnight introduction and I can see many teething issues coming to light once the decision is made to introduce the GDPR in eDisclosure organisations.

Post-Leave: what difference?

Now the UK has voted to leave the EU, what will become of this regulation and what effects will it have on eDisclosure?

I think the answer to this question will be determined by how we separate ourselves from the EU. We could remain part of the European Economic Area (EEA), in which case nothing with regard to the GDPR would change. eDisclosure vendors will still need to comply with the GDPR. An alternative answer could be that the UK does not remain a member of the EEA. This would create a lot of uncertainty and raise some distinct questions:

• Will the UK create its own version of the GDPR?
• The GDPR would have no direct effect on UK eDisclosure vendors for UK based cases with UK data.

In my opinion, it makes sense that UK eDisclosure vendors should be prepared to comply with the GDPR until told otherwise. The risks of not complying are too costly, and hiding behind “Brexit” will not be a sensible approach. There are so many EU nationals in the UK, whose data should be protected under GDPR, that not complying and/or transferring data to the UK from the EU which would contravene the regulation could land an eDisclosure vendor in deep trouble.