GDPR

The deadline for GDPR enforcement is finally here. More than two years after its passage by the European Parliament in 2016, organizations worldwide now must comply with its requirements for data protection, processing, consent, and privacy.

Unfortunately, if survey results are to be trusted, many organizations, perhaps as many as one in three, will not be ready. Several organizations have surveyed GDPR readiness; ISACA's April 2018 study, one of the most recently published, is the source of that one-in-three figure.

Therefore, it's safe to say that some readers of this article will be at organizations that still have work to do to ensure they're GDPR-compliant. While efforts to comply with GDPR must by their nature be organization-wide, e-discovery professionals may not realize that they're in a position to assist with GDPR compliance by leveraging processes and technology that are already in place. Four ways they can contribute to GDPR compliance include:

  • Proactive data mapping and information governance strategies;
  • Searching and providing data for subject access requests (SARs);
  • Preparing for and implementing “Right to be Forgotten” requests; and
  • Defensible deletion practices.

Data Mapping and Information Governance

While GDPR doesn't explicitly require businesses to map their data, responding to SARs and right-to-be-forgotten requests within the regulation's deadlines (as well as general best practice for information governance) requires it in practice. Organizations need accurate data maps and a way to keep them current: custodian interviews combined with crawling and cataloging of data sources.

Will Wilkinson, managing director of e-discovery and investigation solutions at Yerra Solutions, notes that data mapping is a fundamental element of GDPR compliance. “Data mapping at its heart is what have you got and where is it? In e-discovery, being able to rapidly identify data makes responding to a case much quicker, more seamless, and generally costs less. GDPR is just magnifying that.” The key to responding to data subjects' requests is understanding, in advance, where their data resides.

E-discovery professionals are already well versed in the benefits of data mapping—and they also understand the processes and technology required to maintain an up-to-date data map:

  • Data visualization dashboards;
  • Cross-departmental collaboration;
  • Custodian interviews; and
  • Continuous updating of data maps.

Organizations that already map their data sources to meet e-discovery best practices have a head start on the data mapping tools and techniques that are the foundation of GDPR compliance.


Subject Access Requests

In response to data subjects' requests for their data, businesses have one month to provide the data held (the period can be extended by up to two further months for complex or numerous requests, but only if the subject is told of the extension within the first month), together with information on:

  • How and why it is being processed;
  • Recipients to whom the data has been disclosed; and
  • How long data will be stored.

Given these time constraints, organizations cannot rely on ad hoc processes. They must have defined workflows and technologies in place to meet the one-month deadline: the notion of giving subjects access to their data is not new, but the consequences of failure under GDPR are much costlier.

The process for fulfilling a SAR maps quite directly onto a generic e-discovery workflow:

  1. A data subject requests access to the personal data (PII) held on them.
  2. A data governance team verifies the subject's identity and validates the request.
  3. The SAR is passed along to data custodians for completion.
  4. Data custodians access, review, compile, and produce the data to the subject.

Project management software, specifically software that is integrated with data sources (and ideally with a data map), can streamline this process, removing the complicated handoffs and data transfers that can turn a routine request into a rushed scramble.


Right to Be Forgotten

Referred to in the GDPR as the right to erasure, the right to be forgotten takes data protection one step beyond previous measures. Data subjects can request that personal data stored on them be deleted, including items the subjects posted online themselves, and organizations must erase it “without undue delay.” The right is not absolute: the regulation carves out exceptions, such as data an organization must retain to comply with a legal obligation, so the workflow should also capture the grounds on which a request is refused in whole or in part.

Compliance with right to be forgotten requests requires accurate data maps, established workflows (essentially the SAR workflow with the added step of deleting the data, including copies and backups) and supporting technology. In that sense, organizations with strong in-house e-discovery workflows and technology will be better prepared to meet these obligations than organizations that outsource all of their e-discovery work.

However, as Wilkinson explains, “If you don't know exactly where the data lives across the organization, where it might be stored, and where it might be backed up, it will be a nightmare. If I ask somebody to delete my data, they've conceivably got to go back over potentially decades of backup tapes.” Seasoned e-discovery professionals will recognize that the potential for an inadvertent error is quite real—and extremely consequential—all of which underscores the importance of the fourth way to leverage e-discovery processes for GDPR compliance: defensible deletion policies.


Defensible Deletion

Many lines of business have an attitude toward defensible deletion that can kindly be described as benign neglect. The reasoning goes something like this: Why delete data when there may be some time (typically nebulous) in the future when it may be valuable? Of course, e-discovery and legal professionals recognize that such data often poses substantial risks in return for potential value that may never be realized—not a good trade-off at all.

Strong information governance procedures that comply with regulatory requirements for data storage should include plans to dispose of data that is no longer (1) legally required to be stored or (2) valuable to the business. The courts have established that good faith policies to delete data are reasonable and defensible. Organizations with such policies have a head start on culling PII that is potentially lurking in the weeds and creating headaches when they receive a request to be forgotten.

Wilkinson continues, “If you don't need the data, why have you still got it? Defensible deletion within e-discovery touches on a real nerve under FRCP requirements, but if you don't need the data anymore, why are you paying for storage for it? This should be relatively easy for organizations to put in place, because it's at the bottom line an asset cost. However, most organizations that I've been working with so far don't actually have a policy in place. It's always been easy to keep the data 'just in case.'”


Key Takeaways

While the requirements of GDPR may be daunting, organizations that have strong e-discovery capabilities (especially in-house ones) are well-positioned to comply with many aspects of this regulation. There may be other areas of overlap for your organization, but as a starting point, you can:

  • Use data mapping best practices to know in advance of requests where personally identifiable information exists and which custodians are responsible for it.
  • Leverage existing e-discovery workflows to comply with both subject access requests and right to be forgotten requests.
  • Understand the value of deleting data as a tool to minimize defined risks rather than preserving it for nebulous, frequently never realized, business value.

Joe Mulenex is Director of Solution Engineering at Exterro where, as a member of the Sales Department, he heads up a team of solution consultants and subject matter experts who work directly with Exterro's clients to identify needs and the appropriate solutions for their e-discovery and information governance programs. Joe has extensive experience in e-discovery, having served both corporate and law firm clients in managing multiple e-discovery projects over the last decade.