Ignacio Chico, Iron Mountain

GDPR has ‘created legal uncertainty’ relating to consent and the destruction of data

The issue of document management raises questions about how law firms and companies can be sure they are ‘not retaining data unduly’ when archiving information

The EU’s General Data Protection Regulation (GDPR) has led to uncertainty in areas such as “consent, legitimate interest and the destruction of data” and these issues need to be further analysed, attendees at a recent Iberian Lawyer event in Barcelona heard.
Participants in the debate – which was held in collaboration with Ecija and Iron Mountain – also said that the fact such analysis was still required was a concern, given that the regulations have now come into force. In addition, another concern expressed by attendees was that there are different criteria applicable to data protection – depending on the sector – and that this has created legal uncertainty.
Destruction of data is another problematic issue, participants argued, partly because companies need to ensure compliance but also be selective, and this means knowing which data to destroy. This also applies to document management in the sense that law firms and companies archive information and the new regulations raise the question of how they can be sure they are not retaining data unduly.

‘Costly process’
Furthermore, companies need to have an inventory of their information stockpiles, but carrying out such an inventory, or digitising archives is a costly process – one panellist highlighted the example of the health sector, in which there are vast, confidential archives of patients’ medical histories.
As the GDPR is now in force, companies need to ensure they have well-designed systems and processes in place for data management, and also need to analyse how to maximise investment in such processes so that they are effective and comply with the new regulations.
Another issue attendees raised in relation to GDPR was the importance of document management. Specifically, there are doubts about how companies can implement internal mechanisms that minimise risks and costs, as well as what structures are required as a bare minimum. In addition, there is uncertainty among clients about what measures need to be taken when it comes to obtaining consent.
Panellists said that, given the GDPR’s continental reach and its application to all companies and sectors, it can be interpreted in a number of ways and that this has created uncertainty. Meanwhile, data protection is also a new theme for many sectors, having previously only been something that concerned IT companies, panellists heard.
While the regulations give companies the opportunity to justify their actions with regard to data, according to event participants, the application of the law also brings complications. For example, some sectors are more sensitive than others to the theme of data protection, panellists agreed. However, the fact that the new regulations have been designed to be flexible to embrace all types of companies and sizes, and not just for multinationals working in various jurisdictions, is seen as a positive step.

Event: Implementing the GDPR in Three Steps
Location: Barcelona
In collaboration with: Ecija and Iron Mountain