Interesting write-up of a fascinating webinar on how best to conduct e-discovery while complying to the GDPR.
It is important to note that in this context, GDPR does not necessarily prevent you from doing anything you could legally do under the old regime. It is more focused on ensuring that appropriate processes, protections and controls are in place. It is not something that is an anathema to litigation but equally it is not something that can be disregarded.
The approach taken is generally going to be decided by a balancing act between the rights of the individuals to be protected and the rights of the company to process the data for legitimate business interests or to comply with a legal obligation.
The exact steps that are taken need to be fully considered and documented but two key facts need to be kept in mind: (i) bulk data transfer outside of the EU will not (and has not been) permitted; and (ii) you cannot solely rely on consent anymore given the normal employee-employer relationship.
As is rightly stated in this write up, GDPR is not a blocking statute, but processes and procedures must be implemented to ensure that the regulation is not breached. Therefore, it is essential that expert legal and technological views are considered at the start of any project.
GDPR includes much of the information that is generally processed during e-discovery, and that any EU data collection done by U.S. attorneys would likely have to comply to GDPR standards... Denise Backhouse, shareholder at Littler Mendelson, said that in the pretrial context, bulk collection of data isn’t OK because counsel is required to comply with GDPR protocol even when they’re transferring to the U.S. She said attorneys must do everything they can to transfer only the information that is necessary for discovery.