I have found over the years, whether generally advising European clients on how to deal with data privacy or, more recently, parsing specific provisions of the onerous General Data Protection Regulation (GDPR), that my work ultimately falls under three areas of consideration: people, process, and technology. Looking at the lessons learned from across the pond, US companies should always keep these three areas in mind during any eDiscovery collection process that may implicate GDPR or other data privacy laws.
Over a three-part series, I take a high-level look at those factors and share how corporations and law firms can move away from the “collect everything” mindset and towards a more focused approach. In Part I, I review the “People” aspect, or, simply put, who the custodians are and what data needs to be collected.
Collection is the most open, non-governed part of eDiscovery because it includes people and departments who are not otherwise directly involved in the matter. A good example of this indirect involvement is the human resources department and their many documents (i.e., employee work reports, exiting employee forms, new employee forms, etc.) that may be needed for collection. Outside of HR, there are business personnel who have access to information security, administration, and network details, all of which expand the “who” footprint in collection. Even when dealing with a custodian, the custodian’s project and task activities may implicate other business areas, and it is critical to understand the time and location of such activities and who has access to the data surrounding them.
Overcollection without focus has a greater chance of sweeping in a custodian’s personally identifiable information (PII)—adding greater legal and business risk!—and can be prohibitively expensive and time-consuming. It is therefore even more important to know exactly who will be able to view the data at each stage of the collection process.
In addition to knowing who will be able to view the data, it is imperative to know when consent is specifically required by law. Police investigations and requests originating outside the country, for example, demand permission.
When defining the people involved in the collection process, it is also key to ask whether the request received meets one of the six reasons for data processing under GDPR or other data privacy laws and regulations.
As I’ve laid out here, understanding the “People” part of collection and respecting the process and PII is the first lesson of GDPR. Knowing who will see the data and which indirect custodians should be excluded minimizes risk and saves time and money. Better still, find and map data types, then index and filter the data prior to litigation so that only the data that is necessary is provided (how? Contact us!). Stay tuned for Part II, in which I explore GDPR Process.