Why the GDPR is a Valuable eDiscovery Signal for U.S. Attorneys
Takeaways: Europe’s General Data Protection Regulation (GDPR) mainly affects EU law firms, but it is a valuable signal for U.S. attorneys, too. Clients are getting more concerned about data security and law firms need to evolve their data protection policies and systems proactively. Otherwise, they risk getting lost in the changing eDiscovery landscape.
The General Data Protection Regulation (GDPR) defines and protects EU citizens’ rights.
It came into effect in 2018 (it was recently updated) and it controls how companies in the EU handle their customers’ data. Here are some of the key points.
- Personal data is defined as anything that helps identify someone. The obvious examples are your name, online user name or location. But there’s behind-the-scenes data collection, too, like IP addresses and cookie identifiers.
- Sensitive personal data is defined as information about racial or ethnic origin, political opinions, religious beliefs, membership of trade unions, genetic and biometric data, health information and data around a person’s sex life or orientation.
- Right to access personal data. The GDPR outlines eight individual rights – for example, the right to request access to your data (Subject Access Request or SAR), as well as to request your data be deleted.
- Right to prior consent before your data is collected and processed. So, companies have to explain their procedures (cookies, tracking technology, etc.) clearly and simply, before collecting any data. And users have to be able to say ‘no’ to any of these procedures. The companies have to guarantee to keep the data confidential, and users get to regularly renew their consent (every 12 months, for example).
The GDPR is important because it holds companies accountable.
It reins in data controllers (i.e., the main decision-makers controlling why and how data is processed) and data processors (who act out the controllers’ decisions). But there are other consequences of the regulation.
1. It forces companies to collect as little data as possible
The concept of ‘data minimization’ isn’t new. But the GDPR forces organizations to decide the minimum amount of personal data they need to collect to meet their objectives. It’s just too complicated to hold and protect extra data, so why bother collecting it? For example, an online retailer may have thought it useful to collect people’s political loyalties when they sign up for an emailing list. But now, they’d doubt the risk/reward ratio.
2. It forces companies to take extreme ownership of the data they do collect.
Data security has slowly moved its way up priorities lists. Back in 1998, the EU’s data protection laws had ‘security’ as the 7th principle. The GDPR changes that. Now, companies have to guarantee that their customers’ data is protected from being stolen, lost accidentally, or destroyed/damaged. Of course, each company will decide how advanced their security needs to be (e.g., a bank will take more precautions than a home repair service), but they still have to take complete ownership of their data protection. This means things like encrypting the data and storing it under pseudonyms. If the data gets stolen, they’ll be judged and fined based on how thoroughly they tried to combat the breach.
But GDPR affects eDiscovery, too. It targets the ‘structured’ data law firms collect.
The GDPR is mainly concerned with protecting us from large data processing giants like Facebook and Google. But it affects eDiscovery, too. More specifically, the ‘structured’ data sourced from larger clients.
What’s the difference between structured and unstructured data? Think ‘emails’ vs ‘spreadsheets’.
We usually deal with two kinds of data:
- Unstructured data is everyday stuff like emails, PDFs, word documents, social media content, YouTube instructional videos, etc. These are the ways we humans engage with each other. It’s what we would call qualitative data.
- Structured data is organized, categorized information like databases of customers’ contact details. Here, the data fits into separate fields (name, phone number, address, city, state, zip code, etc.), with just one entry for each field. It’s very rigid and focuses on setting up the data so it’s easy to search. It’s what computers use to process our data, so think of spreadsheets of neat little columns filled with values or codes. Or think of email metadata categories like Sender, Recipient, Time Sent, Time Received, Number of Characters, etc.
Most eDiscovery data is unstructured, but law firms do collect structured data. And they need to learn to protect it.
Say a case deals with how an organization hires its employees. The quickest way to overview the data is to ask for a spreadsheet with categories for each hiring requirement. Larger clients may even have websites that track applicants’ resumes as they go from hiring managers to human resources. Whatever the system, having that information neatly organized makes it much faster to home in on the important facts. It’s either this or read through thousands of job applications to get the same information.
Here are other examples of structured data law firms might collect:
- Web servers, e-commerce sites, point-of-sale systems and inventory tracking systems
- Content/information management systems like SharePoint and Lotus Notes
- Legacy systems that are maintained just to generate reports
- Resource planning systems for accounting, HR, customer relations management, etc.
The GDPR doesn’t directly affect U.S. firms, but it’s a sign of things to come.
Unless you’re dealing with EU-based companies, it’s tempting to ignore the GDPR. But we’re beginning to realize the merits (and dangers) of structured data, so our legislation will evolve as well. Especially as cases like the Cambridge Analytica scandal become more common. Businesses and end-users want to know their data is safe and confidential. And so law firms dealing with structured data are going to increasingly be pressured to guarantee that data stays protected.
So, what can proactive attorneys everywhere start doing?
Law firms need to start thinking along these lines.
- Make a data collection plan to decide the kinds of data you’ll collect and cull. And if you’re collecting personal data, decide how much of it you’ll really need.
- Get consent where required. For example, get consent from individuals about their data when assessing the scope of litigation holds.
- Take responsibility for everyone that might directly or indirectly receive structured data you’ve worked with. This would include people like co-counsel, local counsel, eDiscovery providers, opposing counsel, etc.
- Make sure you have robust data security measures in place. For example, encrypting data and having a dependable redaction process.
Looking for eDiscovery software that protects your client’s data? Try GoldFynch.
It’s part of a new generation of eDiscovery applications tailored for small and midsize law firms.
- It costs just $25 a month for a 3 GB case: That’s significantly less than most comparable software. With GoldFynch, you know what you’re paying for exactly – its pricing is simple and readily available on the website.
- It’s easy to budget for. GoldFynch charges only for storage (processing is free). So, choose from a range of plans (3 GB to 150+ GB) and know up front how much you’ll be paying. It takes just a few clicks to move from one plan to another, and billing is prorated – so you’ll pay only for the time you spend on any given plan. With legacy software, pricing is much less predictable.
- It’s safe. Your data is protected by bank-grade security. Perfect for small and midsize firms.
- It’s quick to get started. GoldFynch runs in the Cloud, so you use it through your web browser (Google Chrome recommended). No installation. No sales calls or emails. Plus, you get a free trial case (0.5 GB of data and processing cap of 1 GB), without adding a credit card.
- It’s simple to use. Many eDiscovery applications take hours to master. GoldFynch takes minutes. It handles a lot of complex processing in the background, but what you see is minimal and intuitive. Just drag-and-drop your files into GoldFynch and you’re good to go. Also, you get prompt and reliable tech support.
- It keeps you flexible. To build a defensible case, you need to be able to add and delete files freely. Many applications charge to process each file you upload, so you’ll be reluctant to let your case organically shrink and grow. And this stifles you. With GoldFynch, you get unlimited processing for free.
- Access it from anywhere. And 24/7. All your files are backed up and secure in the Cloud, so it’s perfect for when you have to work from home.