There is a lot in here – preparations for the GDPR, the growing realisation of the implications of holding the data of other organisations, contractual certifications of GDPR compliance, unwitting indemnification of other parties, WP249 and its assertion that discovery may amount to the “monitoring” of employees, the balancing of one set of obligations against others, and improvements in security in discovery review.
At Relativity Fest 2016 I asked Patrick Burke, then at Bennett & Samios LLP and now Director, Financial Services Innovation at the New York State Department of Financial Services, about the motivation of organisations who were preparing for the General Data Protection Regulation. What was the most compelling factor which drove them towards compliance?
Most people, at that stage, would have answered “The fear of 4% fines”. Patrick Burke’s answer was “They want to keep doing business”, something I have been quoting ever since. I put the question to him again at Relativity Fest in 2017.
Patrick Burke said that he is now seeing more of the same readiness, willingness and aspiration as the year before, but exaggerated. It is now, he said, the CIOs and senior tech people who are hearing about GDPR requirements and investigating the extent of personal information held by them which would be caught by the GDPR. They are finding a lot of it.
Organisations are now engaging in anticipatory projects, Patrick Burke says. They are preparing for certification under the EU-US Privacy Shield. They are developing new protocols for handling data, for dealing with security issues and for planning to meet the 72-hour breach notification requirement imposed by the GDPR. That requirement does not amount to an obligation to give complete information about the breach within the deadline, but organisations will be expected to describe it, to summarise its scope and likely effect, and to say what they are doing about it. The latter in particular is something to prepare for in advance, not to dream up within 72 hours.
Patrick Burke observes that many organisations are realising that they hold a great deal of data from other companies. They now need to know what the purpose was for collecting the data and for holding it, and to know how long it should be kept.
Organisations are facing more than the requirements of regulators. Many of them have been signing contracts with riders which not only certify their own compliance with the GDPR but, sometimes unwittingly, indemnify other parties. It is becoming clear that data acquired under these conditions cannot merely be shoved on a laptop or a shared drive.
Patrick Burke talks also about the implications of WP249 published by the Article 29 Working Party on monitoring employees in the workplace. We have all felt reasonably clear hitherto that eDiscovery collections do not amount to “monitoring”, but eDiscovery is listed in WP249 among processing operations resulting from monitoring IT usage at the workplace – the exact words are “eDiscovery technology, which refers to any process in which electronic data is searched with the aim of its use as evidence”.
It therefore becomes necessary, Patrick Burke says, to do an impact assessment before embarking on a new discovery collection, to do an analysis of proportionality, and to assess whether the organisation has a legitimate interest in the data.
This point led in turn to a discussion about the theme of balance which runs throughout the GDPR – many of its terms do not impose an absolute standard but require companies to balance one set of interests against another. Patrick Burke says that Germany, for example, wants organisations to investigate wrongdoing and the GDPR should not be seen as a blanket ban on that. What is required is a definition of limitations and the description of the least intrusive way of conducting the investigation.
Another significant feature is security of data, and not just because of the 72-hour breach notification requirement. Andrew Sieja, CEO of Relativity, had devoted part of his keynote speech that morning to talking about Relativity’s improved security, with two-factor authentication added on top of passwords, single sign-on provisions, and the use of Microsoft Azure.
As a final point, Patrick Burke observes that RelativityOne, with its ability to keep data compartmentalised within a chosen jurisdiction, has potential implications for those responsible for managing data within and across borders.