We use cookies to improve our site and your experience.

By continuing to browse on this website you accept the use of cookies.

Privacy Notice

Ensuring GDPR compliance in litigation

Ensuring GDPR compliance in litigation

By Lisa Rix - ELA Briefing - June 2019

Having just celebrated the anniversary of GDPR, now seems a good opportunity to reflect on the impact that it has had on litigation. Below, we explore the typical stages of the litigation process and consider what lawyers need to think about in respect of data protection obligations.

GDPR efforts should envisage potential litigation

When advising clients on their GDPR compliance, we should always aim to prepare clients – from a GDPR perspective – for any future litigation.

First, we should advise clients to set their retention periods to allow time to fight cases and defend claims. As most claims have a six-year limitation period, a seven-year retention period will usually be appropriate (allowing for the limitation period plus a ‘buffer’ year for the client to be made aware of any such claim). However, some potential claims may require clients to set a longer period; for example, where claims may arise in relation to a deed (where 13 years would be more appropriate).

Secondly, although strictly clients need not provide references to personal data being disclosed as part of legal proceedings in their privacy notices (due to an exemption in para 5(3), Part 1, Sch.2 DPA 2018), it is probably still good practice for clients to set out in their privacy notices broad references to:

  • lawyers and e-discovery platforms being potential recipients of the personal data;
  • the purpose of bringing, defending and carrying out litigation being a purpose for processing;
  • the legal bases for processing in relation to litigation; and
  • applicable retention periods, considering the possible limitation periods above.

You can read the full article here (Please note, this publication requires a subscription)