Digital White Papers

LPS18

publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/973671


64 WWW.ILTANET.ORG | ILTA WHITE PAPER LITIGATION AND PRACTICE SUPPORT

GDPR and Privacy Law Evolution in the EU

issues addressed in the GDPR will impact any company dealing with EU data: management of consent, data breach notification, and privacy by design.

Consent

In order for EU data subjects to have ultimate control of their data, companies must provide them with a mechanism for obtaining and managing their consent. According to the GDPR Articles, consent must be given freely by the EU data subjects, who must be clearly instructed about the consent they are giving. Data subjects can request to see any data collected about them and can revoke consent at any time; they can also choose to have their data returned to them.

If data must be obtained from an EU data subject, the data controller/data processor - the company using the data - must have processes, procedures and technology in place to manage all the variables around an EU data subject's consent. For example, for handling GDPR consent as it relates to ediscovery data collection in litigation, it is recommended that EU data subjects be given notification much like a litigation hold notice that details the data sought, the reasons for requesting the data and when the data will be erased after use.

Data from EU data subjects cannot be re-used for purposes other than those initially intended unless additional consent is obtained from the data subject. All data controllers/data processors must develop ways to erase or return data in instances where an EU data subject has revoked initial consent. Managing consent of EU data subjects will be a critical element in developing techniques to comply with the GDPR.

Data Breach Notification

The GDPR requires that companies who possess data of EU data subjects must inform the EU's supervising authorities of any company data breach within 72 hours of becoming aware of the breach and must also inform the individual EU data subjects of the breach in a timely manner.
The 72-hour data breach notification timeline can be extraordinarily short and will require the data controller/data processor to have processes, procedures and technology in place to comply with the immediate data breach reporting requirements. The GDPR has outlined very detailed information that a data controller/data processor company must provide as part of breach notifications to both the supervising authorities and the EU data subjects.
