“Just go ahead and collect the data, send it over to us, and we’ll look after it.”
Heard this before?
Gone are the days when international legal advisors could prioritize the free movement of data around the globe to best fit their strategies and resources over current-day compliance regulations that now exist on the very movement of that data. Unfortunately, despite existing penalties, European enterprises continue to allow unfiltered and unprocessed data transfer in jurisdictional proceedings outside the scope of GDPR.
In addition to protecting personal data that falls within the issues of GDPR-governed data, we, as eDiscovery consultants, are asked to advise our clients and their legal counsel on the methodologies available today.
In this context, it is a question of leveraging the right approach, the proper workflows, and the appropriate tools, each playing a crucial role in tackling the data privacy challenge. For example, communication is of the utmost importance. Who informs whom, by when, and what role do employees have?
This article presents a sensible structure for an eDiscovery process within international data privacy. We believe this process should reflect the following:
Stage 1: Data Mapping, Identification, and Scoping
Data Mapping
By involving all stakeholders early on, it’s usually possible to quickly identify and locate the relevant data sources. Some stakeholders to consider include:
- Data protection
- Data security
- IT
- Employee representatives
- The legal department
- Works Council (a shop-floor organization in many European countries that represents workers and functions as a local or firm-level complement to trade unions)
If available, we can reference data maps or interviews with stakeholders. At a minimum, a data map should include the following:
- Targeted data custodians
- Their geographies and jurisdictional requirements
- Their assigned devices or accounts
- Any information that needs to be discussed and treated concerning the data collection itself
Backup systems and data from employees who have left the organization’s employment are usually critical but problematic, primarily due to the time it takes to restore the data. However, we recommend that companies with a constantly updated and refreshed hardware setup automatically back up their devices from a specific hierarchy level onward via imaging (for example, in the case of hardware leasing).
Identification
Thanks to the ever-increasing use of centralized cloud systems such as Microsoft 365, we find ourselves increasingly in a position where data from the email server can be directly identified, backed up, and forensically extracted. In the U.S., this is a Legal Hold, a principle of “freezing” the email data to preserve evidence. We also see clients “self-servicing,” especially for more minor investigations, due to the increasing functionality offered via eDiscovery search tools in these cloud solutions.
Scoping
At an early stage in the process, the Works Council should be involved technically and in terms of content. It is common for the exploitation and use of data to require the oversight and approval of the Works Council.
The technologies used and engaged, especially in IT and forensics, usually have very profound effects on data designated as private (like a network folder with pictures from last year’s Christmas party). Therefore, it’s imperative to be transparent and open about the planned strategy, the possibilities for mitigating the processed data, its depth, and the methods of protecting data in case of any transfer.
In all respects, the Works Council plays a communicative role to the company’s employees deemed relevant to the investigation and a decisive role in achieving any success. The Works Council can easily allow or deny the data processing and transfer workflows for several reasons.
Regarding internal investigations, especially in Germany and Europe, it is essential to balance data protection, the use of the right forensic tools, priorities, and deadlines on the part of the courts. With the ill approach of “Just go ahead and collect the data, send it over to us, and we’ll look after it,” the investigation is already compromised. If we add Switzerland, with its banking secrecy and the blocking statutes, or France, with its newest anti-bribery/AML requirements, things can get complex, fast!
Stage 2: Extraction, Processing, and Ingestion
Extraction
After we outline the scoping of the data and the parameters for extraction, issues related to IT security need to be addressed, such as technical and organizational measurements to protect the data and any related documentation or workflows.
IT security is increasingly crucial for companies, addressing where data is processed, how, and by whom. Standards such as ISO27001 and others should always be in place and audited. It’s also advisable to conduct an initial audit of the forensic service provider regarding its own technical and organizational measures.
Various cloud offerings may be available in the forensics service provider environment. Since forensic service providers base their settings on systems such as Azure and AWS, the question of the data’s geographical location plays an important role. Therefore, providers should be cautious when they have supporting resources outside the jurisdiction of GDPR.
Processing
Once we have clear instructions and the “data custodian” consent has been obtained, we can begin the collection. In most cases, getting a copy of the data is advisable to ensure defensibility and admissibility in court.
We, as forensic consultants, usually generate a complete image by taking a full copy of a hard drive bit by bit, with the potential of being able to restore deleted data. Or we take a more targeted approach, sometimes the perfect response to data privacy concerns.
In 2021, the available tools could omit specific data (for example, the “Pictures” folder). Furthermore, during a case assessment, specific file types and predefined areas (like data ranges or case-specific keywords) can be included or excluded during extraction.
We work towards the goal of judicial usability, which is typical for data anonymization during extraction. Here again, the Works Council could be the ultimate holder of the anonymized data custodian names and their sources.
Ingestion
In the following step, ingesting data for classical data processing, otherwise referred to as “indexing.” At this stage, we can identify relevant personal identification Information (PII), including data such as religion, ethnicity, and gender.
As a service provider, the data culling process is initially successful if we significantly reduce the amount of data that later ends up in a document review platform. For example, de-nesting, deduplication, email threading, and other targeted metadata cullings can reduce data volumes by up to 90% based on our methods and experience.
However, the most critical factor is the transfer of personal data within the 10% remains. Within the remaining 10%, there can be false positives—always remember, it is not uncommon for the other side, in U.S. proceedings, to demand the release of the entire document review population (the data uploaded into the review data pool).
So, how do we simultaneously balance time constraints and data protection concerns?
Stage 3: Hosting, Review, and Preparation of the Data
At Sandline, we mostly rely on “in-country” processing and hosting, along with pre-filtering, to definitively exclude data privacy-violating transfer to a third country. Our server farms in Germany, Taiwan, and the U.S. process data, or we resort to a mobile instance or a cloud node.
The objective is to keep the maximum amount of data in the country and allow legal departments and lawyers outside the jurisdiction to analyze it. In doing so, our clients could always leverage technologies such as automated redaction and predefined machine learning models to detect review genuineness.
We also approach many cases with a balanced mix of technology and human review. For example, we leverage advanced technologies for the benefit of the case—including budget and human thought—with data privacy safeguards in place to reduce false positives during the document review.
What does this ultimately mean to you and your eDiscovery landscape?
Suppose you plan to partner with an eDiscovery consultant. In that case, it’s essential to start working with them at the beginning, when many decisions and requirements may shift, such as priorities, options, scope, and, most importantly, the geography and content of the targeted data.
It also helps to have a partner who has worked closely with the Works Council for small, medium, or large-sized organizations. As we discussed, knowledge of Works Council interworkings is vital for success.
At Sandline, we provide the experience, solutions, and support to help legal teams confidently navigate the complicated world of global eDiscovery and provide clarity that will ultimately take your cases further.
Are you interested in working with Sandline? Contact us today.
