Helen Geib, General Counsel at QDiscovery, wrote an article on the intersection of eDiscovery and GDPR for the ACEDS blog.
Excerpt from the ACEDS blog:
The General Data Protection Regulation (GDPR) poses significant new risks in copying, transferring and using EU-based data in US legal matters. The problem is acute for US companies with employees in Europe. The GDPR’s expansive definition of “personal” data to mean any identifying information – even a person’s name – makes it virtually inevitable that the regulation will apply. The good news is that proven eDiscovery strategies can be repurposed to minimize the post-GDPR risks of conducting discovery in EU countries.
Key provisions of the GDPR relating to US discovery
The GDPR, which took effect on May 25, governs the use and handling of “Personal Data” of EU residents. It applies to any company that falls within the definition of a “Data Controller” or “Data Processor.” Controllers determine the purpose and means of the processing; Processors perform the processing.
The similarity to eDiscovery terminology is purely coincidental. GDPR processing is far broader in scope than eDiscovery processing. In fact, it covers effectively all uses of data throughout the litigation lifecycle. This includes the EDRM stages of collection through production (inclusive of review), ongoing data storage and data destruction at matter close. In effect, litigants, law firms and service providers all come under the GDPR.
There are several GDPR requirements of particular relevance to discovery. Processing is only allowed within specific legal grounds defined by the GDPR. It cannot go outside the scope of the initial purpose. The data must be kept secure. There are restrictions on data transfer within the EU and additional restrictions on transfers to countries outside the EU. Finally, the GDPR has an extremely broad definition of personal data, even including name and work email address.