Three Steps to Tackling Data Privacy Compliance Post GDPR

Recently we took Lighthouse’s legal technology podcast series Law and Candor on the road and broadcast a special live edition to our audience straight from Legaltech. One episode focused on the issue that’s at the forefront of the eDiscovery and information governance world: data privacy compliance in the post-GDPR world. Our distinguished Law and Candor hosts spoke with special guest Kelly Clay, global eDiscovery counsel and head of information governance at GlaxoSmithKline (GSK), about the key challenges or “opportunities” that GDPR, CCPA, and other burgeoning laws around data privacy have presented, and subsequently how the associated risks have permanently shifted the legal landscape.

With the two-year anniversary of GDPR’s first day of implementation right around the corner, it’s a perfect time to reflect on where we are now. Organizations around the world have become more comfortable with the idea that data governance, privacy, and security are more than just new challenges they are being forced to solve. Businesses are beginning to see the new opportunities that come from data privacy regulations as they realize the benefits that come from cross-functional stakeholders working together across all of their internal support functions.

So what are organizations doing to get a handle on the information governance side of the house and ensure compliance in this post-GDPR era? Here are three steps to take on the road to continual compliance:

1. Understand where your data resides. It might seem obvious, but the number one place to start (and some would argue the most important) is taking a detailed look at your data and understanding all of the different types your organization generates, and the various locations where it all resides. Many who have already embarked on this journey have found silos during the process and encountered complications in understanding the full extent of their data and where it is. Now’s the time to use the information you gather to create a detailed and comprehensive data map that can be easily and automatically updated as new locations and new data are constantly created.
2. Focus on the general principles. It’s easy to get overwhelmed in the data mapping process, especially if you’re a large organization whose employees utilize many different communication methods and IT has traditionally employed disparate storage methods for that never-ending mountain of data. Once your data map is in place, take a step back and realize you can’t tackle every potential compliance issue at the same time. Instead, continue to focus on the overall general principles like understanding where the data is flowing from and where it’s going, whether it’s email, chats, or data in the Cloud.
3. Change the narrative. Historically, Legal and IT have operated separately and handled data based on the nature of their specific job functions. For example, Legal views data and information through the lens of risk management, while IT has a different approach in how it views managing and archiving data within an enterprise. With GDPR, CCPA, and likely many more privacy regulations to come, organizations need to handle data differently and understand everyone is accountable and must work cross functionally. Key players from the technology group to the procurement team to the business strategy group must change their mindset and be mindful of how they deal with data while keeping legal risk at the forefront.

Ultimately, the post-GDPR era is here to stay and organizations should treat these dramatic changes in how we view and handle data as an opportunity not a challenge. Getting a handle on how to create an effective compliance program is a team effort that requires everyone to get on the same page, and it’s particularly important to involve your key stakeholders early on in the process.

More on this topic can be found in this article, How GDPR and DSARs are Driving a New, Proactive Approach to eDiscovery.