Ediscovery demand within the Netherlands is developing quickly as companies expand, data volumes grow and regulatory activity increases. As multinational organisations with headquarters in the Netherlands take a more proactive approach to compliance and litigation, they will likely transfer more data across borders, often to the U.S.
When a legal matter crosses borders, whether in reaction to upcoming litigation, an investigation or through the performance of corporate due diligence, litigation teams face additional challenges: multilingual data, cultural norms and unfamiliar laws, to name just a few. Before transferring data across borders for any reason, think carefully about the risks associated with the transfer, especially when legal restrictions differ between jurisdictions. While perhaps more natural for U.S. legal teams, general counsel should pay special attention to certain compliance demands involved with data transfers.
Here are our top 5 tips to keep in mind when you transfer data to the U.S. as part of your next Ediscovery matter:
- Prepare for the GDPR. The General Data Protection Regulation (GDPR) is the law by which European countries will strengthen data protection for individuals, coming into force on 25 May 2018. The U.S. has very different data protection laws, so compliance within the EU is a must for corporations transferring data outside their jurisdiction.
- Read up on requirements within the EU-U.S. Privacy Shield. The Privacy Shield provides a framework for exchanges of personal data for commercial purposes between EU member countries and the U.S. Meant to protect European citizens, this set of regulations enables U.S. companies to receive personal data from organisations within the EU.
- Consider using onsite Ediscovery technology. Onsite technology allows for onsite collection and processing in a compliant and cost-effective manner, which means that data can be more carefully culled by business and compliance experts before it is removed from the country or the organisation's premises.
- Find out where your provider has data centers. Having additional data centers within the EU means organisations might not have to engage in transatlantic data transfer, which provides an additional safeguard for the data and reduces the compliance oversight needed.
- Invest in local expertise. In-country experts are more knowledgeable about local data protection laws and can help minimize risks associated with data transfer. Additionally, local experts have language skills that will prove valuable when reviewing data that might contain personally identifiable information (PII).
- Review and redact your data. When corporations have data that must be transferred, first conduct a privacy review of the information. If there is any personal data, use technology, like KLDiscovery’s AutoRedaction feature, or contract review lawyers, to redact it before transfer to the U.S.
Consider this case study involving a Spanish bank facing a large cross-border litigation matter that required data to remain onsite.
The challenge: Given the nature of this highly sensitive matter and data protection regulations, all data must remain on premises. Contract review lawyers with English and Spanish language expertise will be based in Madrid and Brussels.
The goal: Protect the business’ private financial information, comply with all in-place data protection regulations and execute a solution that meets time and budget requirements.
The approach: First, map and identify data locations, including data custodians. Use onsite Ediscovery technology to process data onsite. Then, isolate proprietary, sensitive company and customer data. Finally, utilize flexible technologies to review documents from multiple geographies while keeping data on premises.