Having spent more than 20 years in the eDiscovery and technology industry in both in-house and outside advisory capacities in the EU, I have seen many ways organizations develop and manage their eDiscovery programs. Not all eDiscovery programs are the same, and it’s important to categorize the type of program in order to advise on critical improvements and determine the best approach for your organization. I find there are two main camps of eDiscovery programs: Ad-Hoc eDiscovery Programs and Litigation Ready eDiscovery Programs. Let’s take some time to look at both of these approaches and see how they impact an organization’s eDiscovery program.

Ad-hoc eDiscovery is treated as an unplanned exercise that may happen 1-5 times per year and involves departments or functions that do not communicate on a regular basis. This reactive approach can be very painful and expensive for the organization. Organizations with an Ad-hoc mindset typically react when asked to discover unstructured information in email, SharePoint, or other data sources. Since the departments don’t have a centralized response approach, the people involved are often overwhelmed by the request and there is a feeling that the house is on fire. Ad-hoc programs usually rely heavily on their outside counsel to drive approach and decisions, and pay a premium on their eDiscovery projects.

Litigation Ready eDiscovery is for organizations that typically deal with 10 or more complex cases throughout the year, often with the same departments or people involved in similar matters. Litigation Ready programs understand that eDiscovery is a business process enabled by technology, with the focus on reducing risks and controlling spend. I find Litigation Ready programs have their overall year-over-year eDiscovery spend reasonably predictable even as the number of matters increases. I [...]
What happens when a global pandemic intersects with corporate eDiscovery & IG initiatives? We’re curious about what’s happening with these initiatives as well. Please share your insight by taking the 2020 eDiscovery and IG Corporate Initiatives Survey hosted by the eDiscovery Advisory team. The survey is six questions and takes approximately two minutes to complete. A final report will be provided to participants who sign up at the end of the survey. One participant will be selected and $100 will be donated to St. Jude's Medical Center in their name. Share your insight and help a great cause!

2020 eDiscovery and IG Corporate Initiatives Survey

Thank you from everyone at the eDiscovery Advisory Team!
In my latest post, I outlined the process involved in the actual response to DSAR requests. In my last article of this series, I will discuss the best practices and workflows that your organization should follow when responding to DSAR requests. Generally, “controllers” are responsible for responding to DSARs, and “processors” assist them in handling the requests. Here are my recommendations for best practices in responding to DSARs to ensure General Data Protection Regulation (GDPR) compliance:

Review and Update Privacy Notices and Policies

The GDPR requires organizations to inform data subjects of their rights. Companies need to make sure that their existing policies comply with the new entitlements given to data subjects by the law, including the right to:

- Obtain certain information from the controller beforehand, and without asking for it
- Be made aware of whether a controller is processing their data and how it was collected
- Request that inaccurate personal data about them be rectified, with communication regarding the rectification made to each recipient of the data
- Demand that their personal data be erased and no longer processed (right to be forgotten)
- Ask the controller to restrict the processing of their data
- Receive their data in a structured, commonly used format for transmission elsewhere (data portability)
- Object to the handling of their data at any time (in certain circumstances)
- Not be subject to decisions based solely on automated processing
- Withdraw consent at any time during processing

In certain circumstances, EU member states may pass legislation to limit DSAR requests under local law. One example of this is the UK’s Data Protection Act of 2018.

Create and Implement a DSAR Process

Your company needs to have a process in place to address: How you will enable DSARs, e.g., offering a standardized online [...]