On May 25, the General Data Protection Regulation (GDPR) took effect in the EU, and the world has scrambled to demonstrate its compliance. With so much on the line, many companies have been turning to vendors experienced in multinational cross-border cases to better meet the standards and requirements of the new regulations. RVM’s clients are no exception, often having terabytes of data stored in physical and cloud servers around the world.
RVM recently completed its first in-country data privacy review since GDPR went into force. Our team was contracted by a U.S.-based multinational corporation that required onsite privacy culling to meet some of the guidelines set out in the new regulations. Through the process, RVM forensic engineers collected and reviewed custodian emails and file data in country by performing searches based on relevance and date. The data was exported to native and load-file formats for upstream hosting and review in the United States.
To ensure that the work being performed was in compliance with GDPR, RVM worked throughout the project with local and outside counsel – including Data Privacy Officers – to ensure all documentation and agreements were in place.
Document, Document, Document
There are a lot of moving pieces with GDPR, so it is important that all parties understand the prescribed rules and work hand in hand with the data privacy officers to build a process that meets both the business and legal requirements. The more you can demonstrate in writing, the better. Some of the documentation, like data privacy agreements, should be in place before your team ever gets on site. Documenting each step in the process ensures the safety of both the vendor performing the work and the client, and it can affect your ability to complete a project on time.
Avoid GDPR Fixation
There is no question that GDPR is new and important. However, the EU is not the only place that has rules and laws governing data handling and privacy. Large projects may involve data stored or moved between multiple countries and multiple jurisdictions. Satisfying GDPR regulation is important, but companies need to be aware of other regulations that may differ from or even supersede those of the EU. For this reason it is critical to be in communication with client counsel, other data processors, and the data controller where you are working to ensure compliance in all relevant jurisdictions.
Ask Before You Move that Data
In this example, RVM experts were able to satisfy the GDPR requirements for data export to a third country when they ingested data that originated in the EU into a review platform in the United States. Under GDPR, data containing personal information cannot simply be transferred outside of the EU. It is critical to work with the client counsel, other data processors, and the data controller to complete all expected processes and identify and obtain consent where required to complete the project.