Imagine this. You’re sitting in a session focused on information governance and retention. It starts out with the old-school reasons to have a proper IG program, then delves into some of the more recent reasons, things like client audits and security risks, and then the speakers begin talking about the GDPR.
You think to yourself: oh yeah, if you’re doing work representing firms with EU-based employees, then sure, you’ve got to consider the kinds of information you might have in your eDiscovery cases, or just the communication between EU-based clients and the firm.
Kathleen Jimenez from White and Case starts talking about how you wouldn’t have thought a US law firm would be among the first places to get a request based on the GDPR, but that would be wrong. She goes on to suggest something like this:
It (the demand) can come from anywhere. The ex-spouse of an ex-employee could be an EU citizen, and you need to locate any information you have (ed. note: for example, in HR databases, old email archives with emails sent to them, etc.). And you have 30 days to comply.
So yeah, maybe we don’t represent any companies based in the EU, but is someone, anyone, connected to, or communicating with, an EU citizen? You might have some obligation under the GDPR. Does the eDiscovery you collected from your client contain any email addresses or other information about EU citizens? You might have some obligation under the GDPR.
Do you even know if any of the above applies to the data sitting in your firm’s environment right now, and could you locate it all within 30 days?
Yeah, um about that.
Which got me thinking. I’m fairly sure that over the years I’ve seen plenty of emails in the Enron data between Enron employees and other Enron employees, partners, law firms, etc. based in the EU. Are we all violating the GDPR by having those email addresses without their permission?
Has anyone thought about this? Are there any GDPR experts who want to weigh in?