The European Union (EU) General Data Protection Regulation (GDPR) took effect on May 25, 2018, and caused companies around the world to reevaluate how they handle personal data, including in the context of corporate investigations and due diligence exercises.
Although the GDPR has been in force for over six months, many companies are still in the process of adjusting their compliance programs and investigations work to its parameters. It may be the first time that some companies have given significant thought to data-protection issues in these contexts, either because they were not previously subject to the EU’s data-protection regime or because they were unaware of the applicable requirements. The GDPR leaves companies subject to its rules with no excuse for failing to consider data protection in these areas. International oil trading company Trafigura, for example, is currently embroiled in legal wrangling in the Brazilian courts over the impact of the GDPR on its ability to produce email to Brazilian prosecutors in connection with its investigation into bribery allegations involving Petrobras.
This article explores how the GDPR may be relevant in the contexts of (1) due diligence and background checks, (2) production of EU-sourced documents to U.S. authorities, (3) compliance and fact-finding interviews, and (4) structuring of compliance processes and investigations.