Considerations when Selecting a Litigation Support Vendor
Regardless of which transfer method a company relies upon, the amount of data transferred should be the minimum necessary to achieve the purpose for which the data is being transferred, and appropriate technical and organizational processes must still be put in place to protect the relevant data. Responses to a discovery request or subpoena must be narrowed to focus on only the information and custodians directly relevant to the issue under consideration.
The GDPR imposes legal compliance obligations directly on processors in addition to those obligations of controllers. Processors are also required to process personal data in accordance with the controller’s instructions. As a result, controllers will likely require processors to comply with many of the requirements that apply to controllers.
Furthermore, data controllers may only appoint data processors that provide sufficient guarantees to implement appropriate technical and organizational measures to ensure processing meets the requirements of the GDPR. As a result, many controllers will need to renegotiate their existing agreements with processors to bring those agreements into compliance with the GDPR.
The agreement between a data controller and processor must be in writing and cover the duration, nature and purpose of the processing, the types of data processed and the obligations and rights of the controller. Under Article 28(1) of the GDPR, in the written agreement between a controller and processor, the processor must agree to:
- Act only on the controller’s documented instructions;
- Impose confidentiality obligations on all personnel who process the relevant data;
- Ensure the security of the personal data that it processes;
- Abide by the requirements of the GDPR regarding appointment of subprocessors;
- Implement measures to assist the controller in complying with its obligations and the rights of data subjects;
- Assist the controller in obtaining approval from data protection authorities where required;
- At the controller’s election, either return or destroy the personal data at the end of the relationship; and
- Provide the controller with all information necessary to demonstrate compliance with the GDPR.
When selecting a litigation support vendor tasked with handling EU-protected personal data, companies should take into account the following considerations:
Data Protection by Design
Article 25 of the GDPR requires that data protection be designed into the development of business processes for products and services. A data processor must implement appropriate technical and organizational measures designed to implement data protection principles in compliance with the GDPR throughout the whole processing lifecycle. This requires that privacy settings be set at a high level by default. Among other things, the processor should implement measures for ensuring that, by default, only personal data that is necessary for each specific purpose of processing is processed and that personal data is only processed when necessary for each specific purpose.
Processors, like controllers, are required to implement appropriate security and organizational measures to protect personal data. What measures are considered appropriate are determined by a variety of factors including the nature and sensitivity of the data, the risks to individuals associated with any security breach, the costs of implementation, and the nature of the processing. These measures may be somewhat relaxed when working with anonymized or redacted data. Periodic testing of the effectiveness of any security measure is also required where appropriate.
Data Protection Officers
Both controllers and processors are required to appoint data protection officers (DPOs) in certain situations, including where the data processing activities require regular monitoring of data subjects on a large scale, or where the core activities of the processing involve large amounts of sensitive data or data relating to criminal convictions or offenses. The primary role of the DPO is to assist the processor with compliance with the GDPR. The DPO should be designated on the basis of knowledge of data protection laws and practices. The DPO must have a degree of independence and is the contact point for any data subjects and for the supervisory authority.
Restrictions on Subcontracting
In order for a data processor to subcontract under the GDPR, the processor must obtain the prior written consent of the data controller. While the GDPR gives data controllers a wide degree of control in terms of the ability of the processor to subcontract, the processor is still required to inform the controller of any new subprocessors, giving the controller time to object. The main data processor is also required to reflect the same contractual terms it has with the controller in any subcontract with a subprocessor and remains liable to the controller for the acts or omissions of any subprocessor.
The data processor must be able to demonstrate compliance with the GDPR. Processors are obligated to maintain a record of all categories of processing activities. This must include details of the controllers and any subprocessors of any personal data, DPOs, the types of processing being conducted, details of any transfers to third countries, and a general description of technical and organizational security measures. These records must be provided to the supervisory authority on request.
Transfers to Third Countries
Any transfer of personal data intended for processing after transfer to a third country is subject to specific restrictions in Chapter V of the GDPR. A controller or processor may transfer personal data to a third country only if the controller or processor has provided appropriate safeguards, and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available following the transfer. This is an area that should be clarified in controller/processor contracts. Appropriate safeguards may be provided in a number of ways including in the form of binding corporate rules, or standard contractual clauses.
Under the GDPR, the data controller is obligated to notify the Supervisory Authority of a personal data breach without undue delay. The reporting of a data breach is not subject to any de minimis standard, and the breach must be reported to the Supervisory Authority within 72 hours after the controller becomes aware of it (Article 33). Individuals have to be notified if an adverse impact is determined (Article 34).
The GDPR places significant burdens upon, and poses significant risks to, companies engaged in litigation and investigations in the United States as well as other countries outside of the EU. Careful consideration must be paid to the GDPR’s limitations on use of personal data and transfers of personal data outside the EU to ensure that such uses and transfers are both permitted and of minimum necessary scope. Additional consideration must be paid to ensuring that any third-party litigation-support providers engaged to assist in litigation or document review outside of the EU comply with the obligations of processors and subprocessors under the GDPR.