The Post-GDPR Era Begins

What’s happened since the GDPR became effective? And what does it mean for U.S. eDiscovery?

Hear that? It’s the sound of thousands of companies breathing a sigh of relief: May 25, 2018, the effective date for the EU’s General Data Protection Regulation (GDPR), has come and gone—and much like Y2K, nothing too dramatic has happened. At least not yet.

But that isn’t to say that the transition was smooth or that we don’t all still have serious questions about the future of the GDPR. Let’s look at what happened around May 25 and what we can expect for the rest of the year.

Mistakes Were Made

Even if you didn’t know about the impending GDPR, it was hard to miss the influx of emails announcing changes to privacy policies in the lead-up to May 25. So far this year, May 24, or GDPR Eve, has been the highest-volume day of the year for email.

With all those messages being sent out, it may have been inevitable that someone would slip up—but it’s still ironic that Ghostery, a privacy browser extension, made one of the most serious errors. While sending its updated privacy policy to batches of customers, Ghostery managed to carbon-copy 500 users, exposing their email addresses, instead of blind copying them.

But wait, there’s more. The European Commission, which created the GDPR in the first place, promptly violated it, leaking “more than 700 records including names, addresses and professions” on its website. Conveniently for the Commission, it has declared that it’s not subject to the GDPR, so it will be spared a potential €20M fine.

What’s Coming Next?

Companies should expect—and be prepared to handle—requests from individuals for their personal data to be deleted. Some predict that this “right to be forgotten,” one of the hallmarks of the GDPR, will result in “a flood” of deletion requests.

If you haven’t been taking the GDPR seriously because it only applies to the data rights of European residents, you might want to reevaluate the long-term viability of that position. Senator Ed Markey (D-Mass.) has surmised that now that Europeans have greater privacy rights, “The American people are going to wonder why they’re getting second-class privacy.” If so, a U.S. version of the GDPR could be in the works before long.

For all the predictions of radical changes, consumer complacency may be the bigger take-home message. Most people probably aren’t reading the updated privacy policies they’ve been inundated with. Whether the GDPR will turn out to be a Y2K repeat where a huge buildup is followed by a whimper or the beginning of a new era of global data privacy remains to be seen.

We’re going to assume that you’ve already taken the steps we laid out in our last GDPR post. The interplay of the GDPR and U.S. eDiscovery obligations is still far from clear, but you’d be wise to at least adjust your customer-facing policies and communications and be prepared to delete personal data that isn’t subject to a legal hold.

If you still have questions about how you should handle eDiscovery in the post-GDPR era, iDiscover can help. Our proven systems can help you meet your data privacy obligations while complying with eDiscovery. Please contact us to learn more.
