Interesting write-up of a fascinating webinar on how best to conduct e-discovery while complying to the GDPR.

It is important to note that in this context, GDPR does not necessarily prevent you from doing anything you could legally do under the old regime. It is more focused on ensuring that appropriate processes, protections and controls are in place. It is not something that is an anathema to litigation but equally it is not something that can be disregarded.

The approach taken is generally going to be decided by a balancing act between the rights of the individuals to be protected and the rights of the company to process the data for legitimate business interests or to comply with a legal obligation.

The exact steps that are taken need to be fully considered and documented but two key facts need to be kept in mind: (i) bulk data transfer outside of the EU will not (and has not been) permitted; and (ii) you cannot solely rely on consent anymore given the normal employee-employer relationship.

 As is rightly stated in this write up, GDPR is not a blocking statute, but processes and procedures must be implemented to ensure that the regulation is not breached. Therefore, it is essential that expert legal and technological views are considered at the start of any project.