The first real job in my formative years was as a line cook at a Big Boy family restaurant in north-central Indiana. I learned many lessons about working with people, teamwork, customer service, inventory management, and managing a business. In the kitchen, I remember the grizzled cook who had been there for many years telling me when there was a break in the dinner rush: “If you've got time to lean, you’ve got time to clean”. That mantra stuck with me for the rest of my career. In a conversation today with my partners, Jason Thompson and Michael Epstein, we were discussing the dusty data landscape of Microsoft Teams and other collaboration sites. Every organization, including Kindato, struggles daily with ensuring their team members don’t accidentally use erroneous chats and meeting notes. Naturally, the conversation then led towards how to manage SharePoint and shared folders across a myriad of cloud platforms. My career in technology allows me to play with terabytes (and sometimes petabytes) of unstructured data. Now I’m spending quite a bit of time in Microsoft Teams, Slack, Trello, and a few other collaboration technologies across the different projects we are engaged in. These tools are amazing at providing the foundation for remote teams to continue working together, especially in the middle of a pandemic. The challenge is that collaboration technologies often become a “data dumping ground” for all sorts of data such as meeting notes, files, meeting recordings, and chats. This makes it very difficult to manage on a day-to-day basis and raises the risk of retaining large volumes of unknown data. Building data hygiene and data management into the culture of your organization is a healthy way to manage the exploding volume of data that is stored across these [...]
Last week the Los Angeles Chapter of Women in eDiscovery invited me to moderate a discussion with some amazing women leaders in the Information Governance space about the challenges and solutions related to identifying users and data as part of the eDiscovery process. In our conversation with Susan Bennett of Information Governance ANZ and Justine Phillips of Sheppard Mullin we covered topics around: securing and locating data with personally identifiable information (PII) for the eDiscovery identification stage in a cross-border context (e.g. tokenization and legal approaches); compliance and benchmarking within an organization for identifying relevant data; and using identity management for acceptable risk and understanding risk profiles. As part of this discussion, Justine and Susan provided materials to share with our broader audience. Justine shared with us some great insight on the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) as organizations continue to understand the different types of “Personal Information” (PI) required to be protected. She shared what is considered to be Personal Information by the CCPA and CPRA. Susan supplied us with her knowledge related to data privacy in Australia and around the globe, with the General Data Protection Regulation (GDPR) as the gold standard privacy protection regulation. Susan has written an article explaining the InfoGovANZ Information Governance model and framework that I suggest people review as part of their IG learnings: Information Governance: optimising the lifeblood of organisations - InfoGovANZ There is also a section on law and eDiscovery in the recently released InfoGovANZ Hindsights and Insights Report - Information governance reflections on 2020 and insights for 2021. Thank you to the wonderful Women in eDiscovery — Los Angeles Chapter for the opportunity to learn and facilitate an interesting conversation with Justine and Susan. It can be overwhelming with the [...]
Early on in my career as a consultant in the eDiscovery space, I felt it important to have an agnostic approach and be independent with my recommendations for solutions, technologies, and providers. Even in my earliest days running the advisory practice at Renew Data, where we had our own technology and service offering, there were many situations where I advised clients to go another direction because of the specific scope of a project. As much as this frustrated our salespeople, I understood that there is plenty of business out there and it was good karma. In 2010 Barry Murphy, Greg Buckles, and I founded the eDJ Group, a boutique analyst firm covering the electronic discovery and information governance space. The eDJ Group stayed above the fray at all costs, looking at what was really in the best interest of a client based on their specific scenarios. We tried our best as analysts to take an agnostic approach. I founded the eDiscovery Advisory practice on the same agnostic approach to technology and providers. That means passing up the lucrative referral or sales relationships with technology and service providers that pervade our market. Maintaining the integrity to advise clients based on their needs is key to the eDiscovery Team's strategic vision and achieving our desired state of KinDato (Knowledge and Intelligence through Data). As the eDiscovery Advisory team continues to build on this agnostic approach, I had the opportunity to reunite with my previous business partner and very independent consultant, Greg Buckles. Greg still runs the eDiscovery Journal as well as the eDJ Group consulting practice. JV: You and I have spoken many times over our careers about really taking more of an agnostic approach to looking at legal technology and legal service providers. Maybe we could start at the beginning by sharing why you chose to be independent and your experiences working independently.
GB: In my role as a corporate buyer of eDiscovery technology and services at El Paso Corp., I started finding conflicts inherent within the relationships between my service and tech providers. I would find out they would get points off a deal or if I chose a piece of technology, the sales rep would get 7.5%. When I went from there to being a product manager, everybody around me was selling technology except for me. I was the person who owned the development of the technology, [...]
Having spent more than 20 years in the eDiscovery and technology industry in both an in-house and an outside advisory capacity in the EU, I have seen many ways organizations develop and manage their eDiscovery programs. Not all eDiscovery programs are the same, and it’s important to categorize the type of program in order to advise on critical improvements and determine what is the best approach for your organization. I find there are two main camps of eDiscovery programs: Ad-Hoc eDiscovery Programs and Litigation Ready eDiscovery Programs. Let’s take some time to look at both of these approaches and see how they impact an organization’s eDiscovery program. Ad-hoc eDiscovery is treated as an unplanned exercise that may happen 1-5 times per year and involves departments or functions that do not communicate on a regular basis. This reactive approach can be very painful and expensive for the organization. Organizations with an Ad-hoc mindset typically react when asked to discover unstructured information in email, SharePoint, or other data sources. Since the departments don’t have a centralized response approach, the people involved are often overwhelmed with the request and there is a feeling that the house is on fire. Ad-hoc programs usually rely heavily on their outside counsel to drive approach and decisions, and pay a premium on their eDiscovery projects. Litigation Ready eDiscovery is for organizations that typically deal with 10 or more complex cases throughout the year that often have the same departments or people involved in similar matters. Litigation Ready programs understand that eDiscovery is a business process enabled by technology, with the focus on reducing risks and controlling spend. I find Litigation Ready programs have their overall year-over-year eDiscovery spend reasonably predictable even as the number of matters increases. I [...]
What happens when a global pandemic intersects with corporate eDiscovery & IG initiatives? We’re curious about what’s happening with these initiatives as well. Please share your insight by taking the 2020 eDiscovery and IG Corporate Initiatives Survey hosted by the eDiscovery Advisory team. The survey is six questions and takes approximately two minutes to complete. A final report will be provided to participants that sign up at the end of the survey. One participant will be selected and $100 will be donated to St. Jude's Medical Center in their name. Share your insight and help a great cause!!! 2020 eDiscovery and IG Corporate Initiatives Survey Thank you from everyone at the eDiscovery Advisory Team!!!
In my latest post, I outlined the process involved in the actual response to DSAR requests. In this last article of the series, I will discuss the best practices and workflows that your organization should follow when responding to DSAR requests. Generally, “controllers” are responsible for responding to DSARs, and “processors” assist them in handling the requests. Here are my recommendations for best practices in responding to DSARs to ensure General Data Protection Regulation (GDPR) compliance. Review and Update Privacy Notices and Policies: The GDPR requires organizations to inform data subjects of their rights. Companies need to make sure that their existing policies comply with the new entitlements given to data subjects by the law, including the right to: obtain certain information from the controller beforehand, and without asking for it; be made aware of whether a controller is processing their data and how it was collected; request that inaccurate personal data about them be rectified, with communication regarding the rectification made to each recipient of the data; demand that their personal data be erased and no longer processed (right to be forgotten); ask the controller to restrict the processing of their data; receive their data in a structured, commonly used format for transmission elsewhere (data portability); object to the handling of their data at any time (in certain circumstances); not be subject to decisions based solely on automated processing; and withdraw consent at any time during processing. In certain circumstances, EU member states may pass legislation to limit DSAR requests under local law. One example of this is the UK’s Data Protection Act of 2018. Create and Implement a DSAR Process: Your company needs to have a process in place to address how you will enable DSARs, e.g., offering a standardized online [...]
In a previous post, I discussed what a DSAR is, the laws that such requests arose from, and the importance of having a systematic approach to dealing with a request. Now let us outline the process involved in the actual response to DSAR requests. An organization is required to provide a DSAR requester with a copy of any relevant information collected or stored. The time to prepare for these requests is before you receive your first DSAR and find yourself not knowing quite what to do with it. Here are the steps to follow when responding to a DSAR. Conduct a Data Inventory: Before you answer a data request, you need to know where the requester’s data can be found within your organization and allow for easy access and retrieval of the requested information. The data can come in many different forms, including structured data formats, which will require planning on the appropriate output format, such as a PDF or CSV file, to meet the request requirements. Organize DSAR Requests: You will need to implement a process to classify all incoming DSARs, including who will oversee receiving and organizing the requests. This might potentially be your chief data officer (CDO), who routinely manages, secures, assesses, and oversees the collection and analysis of data. There are technology solutions to help organize DSARs as well as other legal requests that can be implemented to manage the workflow from request to delivery. Fulfill the Request: A standard process will need to be followed for identifying a valid DSAR request, verifying the requester’s identity, requesting more information if necessary, determining if the organization possesses the requested data and, if so, whether it must be provided, and deciding whether charging a reasonable fee is justified (based on the administrative costs associated [...]
For any organization that deals with privacy issues in the European Union and other privacy-centric jurisdictions like the United Kingdom, an effective information governance program is a must. A program that includes a systematic approach to DSARs will significantly minimize exposure to risk. Several of my clients in the EU have been extensively working through the Data Subject Access Request (DSAR) process and how to best address such requests. The following is the first in a series of articles intended to unpack DSAR challenges. What is a DSAR? On its face, a DSAR is a simple written request that can lead to an extremely complex workflow. The request may be made to a company via email, an online form, or another form of communication. Upon receipt of the DSAR, the organization must track the request through to resolution within a specific timeframe, usually 30-45 days (after first verifying the requester’s identity and existence in their data system). Under the provisions of two complex sets of laws, the EU’s General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA), a DSAR may be sent to any organization that processes the personal data of individuals residing in the EU. The General Data Protection Regulation: The GDPR, which became effective on May 25, 2018, is a set of laws intended to standardize privacy regulations across Europe. However, the GDPR does not only affect organizations within the EU. Instead, it pertains to all organizations processing and storing the personal data of individuals in the EU, no matter where the company is located. According to the GDPR, a data subject is identified as “an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online [...]