The European Union’s General Data Protection Regulation (GDPR) took effect on May 25, 2018 and has necessitated major compliance efforts by corporations doing business within the EU or (in most cases) processing the personal data of EU employees or customers. However, the GDPR’s effect on corporate internal investigations – both within the EU and abroad – has received much less attention, yet requires considerable planning to avoid problems down the road.
Like the EU Data Protection Directive before it, the GDPR covers a very broad range of personal data: “any information relating to an identified or identifiable natural person.” Thus, most of the information obtained during an investigation of EU-based employee communications or documents is affected – everything from emails and IMs to pseudonymized data, which by definition can still be related back to an identified natural person.
In this article, Jim Halpert, Dr Daniel Zapf and Carol A. F. Umhoefer take a look at the GDPR’s privacy requirements through the lens of internal investigations and litigation.
Jim Halpert is the Co-Chair of the US Cybersecurity Practice and Co-Chair of the Global Data Protection, Privacy and Security Practice at DLA Piper. He advises a number of Israeli clients on US federal and state security and privacy matters.