Local Privacy Laws Not Ready for Prime Time: Enterprises that process or store the personal information of EU citizens will also need to heed EU member states' local privacy laws. GDPR has also allowed local data protection authorities to individually interpret some aspects of the law and add requirements. However, a lot of local privacy laws are not yet set in stone. 

It took less than a day for the General Data Protection Regulation to crop up at Legalweek 2019. Tuesday's "Cross-Border Investigations: Protecting the Privilege and Meeting Privacy Expectations" panel explored the difficulties that lawyers and e-discovery professionals now face in collecting and reviewing data that spans multiple jurisdictions.

Moderator Adam Shoshtari, an attorney with Shook, Hardy & Bacon LLP, got the ball rolling by asking each panelist how they prepared their organization for the GDPR.

For some, the process was easier than for others. Linda Johnson, lead e-discovery manager at global healthcare company GlaxoSmithKline, said their process did not change much in the wake of the GDPR. They did, however, revisit data transfer agreements with certain countries.

"We definitely worked on updating our data privacy policy to beef it up and make sure it contained a lot of the language we thought the GDPR would totally include," Johnson said.

The overall vagueness of the regulations presented a challenge to panelist Jack Thompson, who as senior manager of e-discovery and legal operations at Sanofi US was charged with revamping the company's established protocols to suit the GDPR. This involved everything from adjusting their consent form regarding daily data collections to structuring deals with the law firms handling that information.

"My hair started turning white," Thompson said.

Now that companies and e-discovery specialists have had some time to catch up to the GDPR, collecting data for international investigations can be a matter of identifying and collaborating with the right authorities.

With so many different data laws present on the world stage, establishing jurisdiction is critical. It's hard to follow the letter of the law if you're not sure whether the alphabet you're working from is French or American.

"From my perspective it was where is the investigation really centrally localized and getting that established first and foremost," Thompson said.

Once the jurisdiction is established, reaching out to local contacts can be advantageous. According to Johnson, Sulfi collaborates with local compliance authorities where necessary.

If the company has to collect data related to an internal investigation from an employee who resides in a different country, they typically involve the regional manager so that the notice isn't coming from a faceless entity.

"We're just trying to be aligned [with privacy laws]. I think on a global basis it's hard as heck, but we do try and do that," Johnson said.

Companies may be looking to simplify their approach to compliance worldwide, but Thompson doesn't see much fat to trim, especially when it comes to help navigating the different privacy regulations clashing at borders across the world.

"There's a lot of complexities in each country, and there have to be resources available," Thompson said.