Good to see familiar faces at ILTACON17 and catch up on the hot topics impacting the legal technology arena. As expected, there was no shortage of the latest and greatest predictive coding innovations, the next generation of advancement to litigation support services, and the newest gadgets to email, print, redact, and affix a Bates stamp to almost anything.
However, ILTACON17 was also noteworthy for its increased emphasis on something that doesn’t always rise to the top of legal technology conference agendas – data protection. Sure, the topic of what to do in the event of a data breach is not a new one, and it was covered with the urgency and priority it deserves. But what appeared to grow in prominence at the show were the broader topics of data security and data privacy – with more focus on the day-to-day operational elements that law firms, corporate legal departments, and litigation service providers need to have in place in order to minimize the likelihood and impact of bad events before they happen. This makes perfect sense: think about the sensitivity of the data that legal teams and services providers interact with on a daily basis.
Nowhere was this better demonstrated than a session I participated in on the EU’s General Data Protection Regulation (GDPR). The session was packed with roughly 120 attendees – no small feat considering the challenge of a Day 3 9:00 am start in Las Vegas following a very late Day 2 finish for many, and the competition from several other concurrent sessions.
(For those unfamiliar with GDPR – when implemented in 2018, it will serve to harmonize a variety of data privacy regulations across the EU and create a set of criteria that can be assessed to determine whether a firm – along with its services providers – is providing adequate protection of the personal data of EU citizens. The two kickers surrounding the regulation: 1) it applies to any firm that may possess or control the data of an EU citizen – even if that firm does not have operations in the EU, and 2) the penalties for violating the GDPR are severe – up to 4% of annual turnover or 20 million Euros for the first instance of violation. Not a big surprise that legal staff from multi-national corporations, services providers working on cross-border eDisclosure projects, and others would find this topic of interest.)
For those that weren’t quite finished with Day 2, here are some of the key discussion points that were raised during the session that might be worth exploring further:
- Many firms remain unprepared – the panel seemed to concur that many organizations have not yet taken adequate steps to prepare for GDPR. The reasons are unclear – although it appears that firms that are EU-based or multi-national firms with significant EU presence have grown accustomed to dealing with a variety of strict data privacy mandates and will look to adjust existing processes to meet new GDPR demands. For US-based firms, action may be driven by the first set of significant fines levied by EU regulators. No surprise here.
- Firms that are acting are scouring networks, systems, and applications for personal data – crawling tools, data mapping exercises, and investment in tools to encrypt sensitive data seem to be popular areas of focus today. Making sense of your in-house data to identify where personal data lives – and how you can protect it – will be neither a quick nor an easy exercise for most.
- You are responsible for your services providers – GDPR clearly identifies the responsibilities of data controllers and data processors, which may be external to a firm. Examples include a firm using a cloud services provider to host archived email, or a litigation services provider to process data for eDiscovery. In these cases, firms need to ensure that their services providers are also adhering to the provisions of GDPR.
- Right of Access and Right to Erasure will be difficult – any firm – along with its services providers – must ensure that it can respond to an EU citizen who believes that their personal data may have been used inappropriately. For those who successfully make this case with the regulators, their data must be disposed of (hence, “the right to be forgotten”). Clearly, many firms and services providers are not ready for this. Perhaps when firms complete #2, they’ll be more comfortable meeting these specific GDPR provisions.
- Data Privacy by Design and Default is a differentiator – one of the central tenets of GDPR (Article 25) states that firms must have built-in safeguards, demonstrated by documented processes, third-party audits, and the presence of staff who understand GDPR and other data privacy requirements.
The last point was a key take-away for attendees heading to the exhibit hall at ILTACON17: GDPR provides an opportunity for firms and services providers to demonstrate that they take data privacy seriously. Given the nature of the data that law firms, corporate legal departments, and services providers deal with, you should expect no less.