At LegalTech 2016 in New York key issues for storage and compliance discussed included the monitoring of employee email plus EU data protection and the aftermath of Safe Harbour’s rejection by Europe.
In this podcast ComputerWeekly.com storage editor Antony Adshead talks with CEO of Vigitrust, Mathieu Gorge, about the key issues discussed at LegalTech 2016 and what organisations need to do to achieve compliance in a changing regulatory environment.
Antony Adshead: LegalTech 2016 just took place. What topics affecting data storage and compliance were covered?
Mathieu Gorge: This year’s edition of LegalTech was dominated by three major topics.
The first one was the idea of employee email being monitored, primarily in Europe, and how employee email could essentially become additional evidence in disciplinary cases and how people could access that information.
Obviously there’s an issue with storage and compliance on that front.
The second topic was the new EU [European Union] regulation that came out, and that included the impact of the General Data Protection Regulation (GDPR) that’s coming out of the EU that’s replacing the European Data Protection Directive.
Also there was the replacement for the EU Safe Harbour with the unveiling of the EU-US Privacy Shield, which was announced – coincidentally – during LegalTech.
Finally, there was the launch of digital paper, which is a new way of looking at taking notes with some major innovation coming out of Sony and which was unveiled at LegalTech. And again, that has some implication about how we’re going to work moving forward, how we’re going to store information, how we collect information and how we comply with any type of PII [personally identifiable information] regulation on both sides of the Atlantic.
Adshead: How should organisations prepare themselves to deal with the new regulations affecting data storage and compliance?
Gorge: So the first thing to realise is that the main change is around EU data protection with the new GDPR and then the unveiling of the new EU-US Privacy Shield, which is an agreement to replace the Safe Harbour regulating the framework for trans-Atlantic data transfer.
We shouldn’t see that as two separate things. I believe that every organisation should have a data classification policy, a data transfer strategy and a data protection strategy that covers both regulations. If you take them in silos you risk multiplying the work and doubling up on work, but you also risk being outside the regulations.
So the exact language for the EU-US Privacy Shield still hasn’t been released formally, but what it actually means [is that] organisations will need to be able to demonstrate how they protect data pertaining to EU citizens.
The first thing to do is to be able to identify where the data is coming from, [whether] it pertains to EU citizens or not, and is it being transferred.
And then again if you look at GDPR, you are asked to take appropriate security measures for data and to do a data impact assessment in case the data you are custodian of could pose a risk to the citizens that own the data.
Once again we go back to the basic concepts of data classification, storing the data with the appropriate level of security – whether encryption, two-factor authentication, logging, or whatever technology can be applied – and then looking at how we can get access to the data at the right time in case an audit is being requested, either by the EU authorities, the FCC, or indeed the new ombudsman that is being created in the US to allow EU citizens to have a point of contact in case they have any queries about data that has been transferred.
This is going to be very important in the legal industry, but not just there; also in financial services and healthcare. Anybody that is likely to transfer data across the Atlantic needs to be aware of that and should [do] a review of their data classification, a review of data storage and the security around it, and then engage with legal counsel around whether they are in compliance with the new framework or not.
This is going to take time. That said, it is something we would urge organisations to get started with as soon as they can, because the regulations are here now and it’s no longer a case of being able to say, “We are waiting for guidance”.
Guidance is going to come out very quickly from the working group, from the Article 29 Working Party, but in the meantime there is lots of very good information available in the public domain. So companies should get started with reviewing their policies and the technology that allows them to implement that policy for storing the data.