Finding Data So You Can Comply with GDPR

November 28, 2017


Increasingly privacy laws around the world expect organizations to locate the personal information they possess and manage it in ways that were not anticipated at the time the information was collected. Organizations need new tools to find this scattered information. 

Expectations for Privacy Compliance Are Rising

At the forefront of these laws is the European Union’s new General Data Protection Regulation, which goes into effect May 25, 2018. Although many of the basic principles of GDPR are not new in EU privacy law, GDPR reflects a major elevation in expectations for privacy compliance. GDPR threatens the possibility of massive fines – up to 4 percent of global revenue for a multinational corporation.

What is more, GDPR imposes an impactful new trigger for investigations into privacy compliance. It requires organizations that suffer a data security breach to give notice of that breach to legal authorities and affected individuals in Europe. This requirement to give notice is largely new within the EU.

But experience in the US suggests that the delivery of notice in the EU will cause a chain reaction of investigations. When an organization announces it has a breach, numerous authorities across the EU will focus their regulatory attention on that organization. Further, collective actions in court (like class action lawsuits in the US) will likely arise against the organization. See, Benjamin Wright, “Preparing for Compliance with the General Data Protection Regulation (GDPR) A Technology Guide for Security Practitioners,” February 2017. These diverse investigations will likely expand in scope to cover more than just the failure of security that caused the breach. They will likely probe invasively into all aspects of the organization’s compliance with GDPR.

GDPR requires an organization to document what personal data it possesses, and document what it is doing with the data. It requires the organization to explain to an individual data subject what data the organization possesses about the individual. And it requires the organization to comply with requests by the individual to restrict the use of data or erase it.

These requirements will pose tremendous challenges. Many organizations have collected data for many different purposes over many years. The data are scattered in different silos and platforms. Often the required documentation on this data is lacking.

It Is Imperative That the Data Be Located

Without an advanced search tool, the search for personal data could be very labor intensive and therefore costly.

A powerful search tool can expedite searches by using pre-configured data sets, such as a data set for passport numbers or insurance account numbers.

Federated Search Helps Create Persuasive Evidence of Compliance

After an organization locates data, it can undertake the process of creating the required new policies and documentation about the data.  Modern tools can be used automatically to apply the necessary policies and documentation to particular units of data. Those policies and documentation might be applied by way of a data tagging function.

NetGovern Search automatically creates audit trails to show what searches were executed, when they were executed and which data repositories were searched. These audit trails could be persuasive evidence to a court or regulatory authority that the organization is applying the required effort to find data that is not easy to find. The audit trails allow supervisors to review search efforts and identify deficiencies so they can be addressed.

GDPR Spearheads Tightning of Privacy Laws Around the Globe

GDPR broadly applies to many organizations, including any in the world that are selling products or services into the EU, even if they do not have a physical presence in the EU. GDPR’s breadth of scope will surprise organizations around the world that never thought previously about complying with privacy law in Europe.

GDPR is likely to be influential beyond the jurisdiction of the EU. The EU has long been recognized as a leader in privacy law, and countries outside EU – notably those in Asia-Pacific and Latin America -- have adopted laws inspired by EU privacy law. It is reasonable to anticipate that GDPR will likewise inspire laws and regulatory expectations far beyond the EU.

Perfect compliance with privacy laws like GDPR will rarely be possible. But authorities will be more tolerant of organizations that are making a diligent effort to achieve and maintain compliance. Evidence of that diligent effort can be demonstrated through responsible use of a modern search tool.

This is the third in a series of blog articles about new advances in eDiscovery.

Read the previous blog articles here:

  1. A New Vision for ''Hostile eDiscovery''
  2. InfoSec for eDiscovery
  3. Finding Data so You Can Comply with GDPR
  4. Improve Legal Outcomes by Marking Your Data with Labels
  5. Be Proportionate in Your Management of Data

    Benjamin Wright is a practicing attorney based in Dallas, Texas, and an instructor at the SANS Institute teaching a 5-day course titled “Law of Data Security and Investigations.”