Having spent more than 20 years in the eDiscovery and technology industry, both in-house and in an outside advisory capacity in the EU, I have seen many ways organizations develop and manage their eDiscovery programs. Not all eDiscovery programs are the same, and it is important to categorize the type of program in order to advise on critical improvements and determine the best approach for your organization. I find there are two main camps of eDiscovery programs: Ad-Hoc eDiscovery Programs and Litigation Ready eDiscovery Programs. Let’s take some time to look at both of these approaches and see how they impact an organization’s eDiscovery program.

Ad-hoc eDiscovery is treated as an unplanned exercise that may happen 1-5 times per year and involves departments or functions that do not communicate on a regular basis. This reactive approach can be very painful and expensive for the organization. Organizations with an Ad-hoc mindset typically react when asked to discover unstructured information in email, SharePoint, or other data sources. Since the departments don’t have a centralized response approach, the people involved are often overwhelmed by the request and there is a feeling that the house is on fire. Ad-hoc programs usually rely heavily on their outside counsel to drive approach and decisions, and they pay a premium on their eDiscovery projects.

Litigation Ready eDiscovery is for organizations that typically deal with 10 or more complex cases throughout the year, often with the same departments or people involved in similar matters. Litigation Ready programs understand that eDiscovery is a business process enabled by technology, with the focus on reducing risk and controlling spend. I find that Litigation Ready programs keep their overall year-over-year eDiscovery spend reasonably predictable even as the number of matters increases. I [...]
What happens when a global pandemic intersects with corporate eDiscovery and IG initiatives? We’re curious about what’s happening with these initiatives as well. Please share your insight by taking the 2020 eDiscovery and IG Corporate Initiatives Survey, hosted by the eDiscovery Advisory team. The survey is six questions long and takes approximately two minutes to complete. A final report will be provided to participants who sign up at the end of the survey. One participant will be selected, and $100 will be donated to St. Jude's Medical Center in their name. Share your insight and help a great cause! Thank you from everyone at the eDiscovery Advisory Team!
In my latest post, I outlined the process involved in the actual response to DSAR requests. In this, the last article of the series, I will discuss the best practices and workflows that your organization should follow when responding to DSAR requests. Generally, “controllers” are responsible for responding to DSARs, and “processors” assist them in handling the requests. Here are my recommendations for best practices in responding to DSARs to ensure General Data Protection Regulation (GDPR) compliance:

Review and Update Privacy Notices and Policies
The GDPR requires organizations to inform data subjects of their rights. Companies need to make sure that their existing policies comply with the new entitlements given to data subjects by the law, including the right to:
- Obtain certain information from the controller beforehand, without having to ask for it
- Be made aware of whether a controller is processing their data and how it was collected
- Request that inaccurate personal data about them be rectified, with communication regarding the rectification made to each recipient of the data
- Demand that their personal data be erased and no longer processed (right to be forgotten)
- Ask the controller to restrict the processing of their data
- Receive their data in a structured, commonly used format for transmission elsewhere (data portability)
- Object to the handling of their data at any time (in certain circumstances)
- Not be subject to decisions based solely on automated processing
- Withdraw consent at any time during processing
In certain circumstances, EU member states may pass legislation to limit DSAR requests under local law. One example of this is the UK’s Data Protection Act 2018.

Create and Implement a DSAR Process
Your company needs to have a process in place to address:
- How you will enable DSARs, e.g., offering a standardized online [...]
In a previous post, I discussed what a DSAR is, the laws that such requests arise from, and the importance of having a systematic approach to dealing with a request. Now let us outline the process involved in the actual response to DSAR requests. An organization is required to provide a DSAR requester with a copy of any relevant information collected or stored. The time to prepare for these requests is before you receive your first DSAR and find yourself not knowing quite what to do with it. Here are the steps to follow when responding to a DSAR:

Conduct a Data Inventory
Before you answer a data request, you need to know where the requester’s data can be found within your organization and allow for easy access and retrieval of the requested information. The data can come in many different forms, including structured data formats, which will require planning for the appropriate output format, such as a PDF or CSV file, to meet the request requirements.

Organize DSAR Requests
You will need to implement a process to classify all incoming DSARs, including who will oversee receiving and organizing the requests. This might potentially be your chief data officer (CDO), who routinely manages, secures, assesses, and oversees the collection and analysis of data. There are technology solutions to help organize DSARs, as well as other legal requests, that can be implemented to manage the workflow from request to delivery.

Fulfill the Request
A standard process will need to be followed for identifying a valid DSAR request, verifying the requester’s identity, requesting more information if necessary, determining whether the organization possesses the requested data and, if so, whether it must be provided, and deciding whether charging a reasonable fee is justified (based on the administrative costs associated [...]
For any organization that deals with privacy issues in the European Union and other privacy-centric jurisdictions like the United Kingdom, an effective information governance program is a must. A program that includes a systematic approach to DSARs will significantly minimize exposure to risk. Several of my clients in the EU have been working extensively through the Data Subject Access Request (DSAR) process and how best to address such requests. The following is the first in a series of articles intended to unpack DSAR challenges.

What is a DSAR?
On its face, a DSAR is a simple written request that can lead to an extremely complex workflow. The request may be made to a company via email, an online form, or another form of communication. Upon receipt of the DSAR, the organization must track the request through to resolution within a specific timeframe, usually 30-45 days (after first verifying the requester’s identity and existence in their data system). Under the provisions of two complex sets of laws, the EU’s General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA), a DSAR may be sent to any organization that processes the personal data of individuals residing in the EU.

The General Data Protection Regulation
The GDPR, which became effective on May 25, 2018, is a set of laws intended to standardize privacy regulations across Europe. However, the GDPR does not only affect organizations within the EU. Instead, it pertains to all organizations processing and storing the personal data of individuals in the EU, no matter where the company is located. According to the GDPR, a data subject is “an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online [...]