IST Discover-E White Paper:

GDPR Effective 5/25/18:

Are You Ready?

At IST Discover-E, we have years of experience helping our clients with their eDiscovery needs along with full scale legal support management systems.  We are expert in creating and customizing eDiscovery processes that best fit our client’s needs and expectations. Our model is uniquely transparent, easy to understand and effective in aiding our clients get the decision they want for their clients.

On April 27, 2016, the European Union Parliament adopted the General Data Protection Regulation (GDPR) with a scheduled enforcement date of May 25, 2018.  Many organizations initially see GDPR as a burden, stopping them from keeping their same old processes in place. They want to pay someone (or for some technology) to make it go away.  In reality, GDPR compliance requires a cultural change across the entire organization to one that embraces the notion, “these are the rights of the people we serve, our customers—and how do we best protect them?”

What is GDPR?

At its core, GDPR more solidly defines the extent of control EU citizens have over their personal data. It aims to make the European conception of personal data as private property clear and enforceable.  In comparison, US-based businesses view data on their customers as a commodity they own—and it’s a view they’ll fight to preserve, as tech giants like Facebook and Google are built upon it.


What is GDPR compliance?

Under the terms of GDPR, not only will organizations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it will be obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners - or face penalties for not doing so.  Some of those rights include:

  1. Access their data whenever they want
  2. Request their data to be transferred to another party
  3. Demand to be “forgotten” or erased


Who does GDPR apply to?

GDPR applies to any organization operating within the EU, as well as any organizations outside of the EU which offer goods or services to customers or businesses in the EU. That ultimately means that almost every major corporation in the world will need to be ready now that GDPR has come into effect.  There are two different types of data-handlers the legislation applies to: 'processors' and 'controllers':

  • A controller is "person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data."
  • A processor is "person, public authority, agency or other body which processes personal data on behalf of the controller."


How does GDPR affect eDiscovery in the EU?

By empowering data subjects with basic rights regarding their personally identifiable information (PII), GDPR reconfigures the relationship between citizens and data custodians. In eDiscovery, there is a requirement to preserve (and eventually process) relevant data and this is typically done in response to a subpoena, section 2 notice or other court or enforcement agency issued demand for information.  Previously, responding to a subpoena in an investigation or litigation has generally been a cooperative effort across departments within a corporation and for multinationals, coordinated across regions. Under GDPR, sharing that information will present another challenge. Even custodian names can be deemed private. Organizations will have to reconsider their reporting requirements and reexamine their scrubbing techniques to protect and, in some instances, anonymize or pseudonymize certain personal data.  In order to support organizational efforts to comply with GDPR, technology must support both the roles and processes. The capabilities technology should include:

  1. Data Mapping
  2. Subject Access Requests (verified EU Citizens)
  3. Data Search and Sequestration (verified EU Citizens)


What are the risks?

The Regulation affords Supervisory Authorities with expanded powers, including to issue warnings of non-compliance, carry out audits, require remediation, and suspend data transfers to other countries. It also increases their investigative and corrective powers. Most important, however, is that the regulation empowers Supervisory Authorities to issue substantial penalties for non-compliance – depending on the violation, organizations could face up to the higher of  €20m or 4% of an organization’s global annual turnover.

Ultimately, litigation and the threat of litigation has until now, been the primary reason for eDiscovery.  The implementation of the GDPR add a very important driver.  Under the GDPR, any European data subject can execute their “right to be forgotten”.  This means that any data subject can request that all data a company holds on him or her will remove.  This makes the notion that you only need eDiscovery in case of litigation, obsolete.  All companies in the EU and all US companies doing business with the EU need to have a combination of data classification and eDiscovery in place.  At IST Discover-E, we are vigilant in protecting our clients’ most precious assets by continuously improving our processes to keep up with ever changing regulations both in the US and globally.


IST Discover-E Compliance

We are proud to report that IST Discover-E’s IT security team was well ahead of the curve by gaining our EU Privacy Shield Certification by May 2, 2018, making us GDPR compliant prior to enforcement date.

Talent Acquisition Team

Innovative • Service • Technology • Passion