Applying eDiscovery workflows to data privacy compliance response
The digital world has long since changed from being a free-for-all frontier to a place for businesses and consumers to work, shop and play. In today’s complex digital environment, where concerns relating to data privacy regulations and compliance continue to rise, CIOs, CISOs, and Data Privacy Officers are increasingly turning to technology to keep their data—and their customers’ data—secure.
Savvy CIOs know that technology is only ever part of the solution. Expertise – knowing which technology to apply and how – is equally vital to success. That’s why we’re beginning to see CIOs borrow from their General Counsel counterparts and use electronic discovery (eDiscovery) tools to handle high-volume, fast-turnaround privacy compliance response such as Subject Rights Requests (SRRs), including Data Subject Access Requests (DSARs). Efficient eDiscovery workflows look similar to those of SRRs – that is, identifying, collecting and processing data, leveraging analytics, machine learning and review functionality to identify the relevant information (for DSARs, the requesting person’s PII), and production functionality for delivery of the relevant data to the requesting party.
There are no small mistakes
Driving efficient SRR processes begins at the outset with the collection of potentially relevant data. In eDiscovery, there’s a term called the snowball effect. This means that the less precise you are in data collection, the more data you have to process (e.g., make searchable), the more that’s going forward to review, and the longer you perpetuate a muddy mix of relevant and irrelevant data to sift through. eDiscovery solutions with search filters employed during collection limit the snowball effect by targeting data expansively, yet within narrowed confines of the date ranges, data sources and custodians involved in a matter. All forms of data can be collected selectively including email, chat and documents from any data source, including file shares, on-premises systems, and cloud-based applications and repositories.
Other collection methods include forensic disk images of entire contents of a hard drive or ‘drag and drop’ in which entire folders are typically selected with limited screening of the content. These methods are prone to overcollection, which means more data to review, more resources to conduct the review, and more time spent (and remember, SRR response has a 30-day deadline). Moreover, when there are more reviewers reviewing a document collection, the opportunity for misalignment and mistakes increases. That’s a lose-lose-lose situation.
eDiscovery analytics and machine learning mean faster, better results for SRR response
For standard consumer subject rights requests, when that data sits in a single system (such as a CRM database), you can simply run a query, pull and deliver the results, and you’ve met your data privacy compliance obligations. Using an eDiscovery platform is probably overkill.
eDiscovery tools should be leveraged for SRR workflows in more complex situations, such as SRRs from employees that typically involve large volumes of data spanning multiple disparate systems. For these resource-intensive SRRs, eDiscovery workflows quickly home in on relevant data from within large volumes of irrelevant documents. Automated analytics tools such as concept groups, phrase analytics and predictive filters help to quickly extract a narrow set of data to pass forward for closer inspection. When reviewing the refined set of data, machine learning and predictive search are powerful tools that automatically surface the data most related to the content, concepts and context of the data flagged as relevant or held up as examples of known relevant data.
What CIOs are finding out – as folks in the legal profession learned before them – is that sifting through data to determine what’s relevant takes time, money and resources. And, just as their colleagues in legal know, CIOs realize that the consequences of getting it wrong can be severe. That’s why powerful analytics, automation and machine learning must be part of high-volume SRR processes to effectively meet compliance obligations.
Protecting third-party data within SRR workflows
eDiscovery platforms also support two other key capabilities essential to efficient and effective SRR workflows. Because the names and data of third parties are often included in the same documents as the requestor’s data, there is the risk that those third parties’ sensitive data will be exposed. Automated detection of people’s names allows reviewers to quickly see where third-party data is intermingled with the requestor’s data. Pre-configured personal data pattern libraries and RegEx tools for custom patterns locate the data that must be removed. Permanent redaction capabilities block out the names and all data associated with third parties to avoid infringing the data privacy rights of others while fulfilling the rights of the requestor.
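The redaction step described above, sketched as an added example (not code from this article or from any eDiscovery product): pattern matches that belong to the requestor are kept, everything else is replaced, and overlapping hits are merged so no fragment of a third party's value survives. The two-entry pattern library, the directory list standing in for automated name detection, and all names and sample data are constructed assumptions.

```python
import re

# Constructed pattern library (assumption); real libraries carry many more patterns.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "PHONE": re.compile(r"\+?\d[\d ()-]{7,}\d"),
}

def _norm(kind, value):
    """Normalise a match so formatting differences do not hide the requestor."""
    return re.sub(r"\D", "", value) if kind == "PHONE" else value.casefold()

def redact_third_parties(text, requestor, directory_names):
    """Return (redacted_text, audit), keeping only the requestor's own identifiers.
    requestor maps kind -> values of the requesting person; directory_names is a
    list of known names, a stand-in for automated name detection."""
    patterns = dict(PATTERNS)
    if directory_names:
        alternatives = "|".join(re.escape(n) for n in sorted(directory_names, key=len, reverse=True))
        patterns["NAME"] = re.compile(rf"\b(?:{alternatives})\b", re.IGNORECASE)
    keep = {k: {_norm(k, v) for v in vals} for k, vals in requestor.items()}
    hits = sorted((m.start(), m.end(), kind)
                  for kind, rx in patterns.items() for m in rx.finditer(text)
                  if _norm(kind, m.group()) not in keep.get(kind, set()))
    merged = []  # overlapping hits collapse into one span so no fragment survives
    for start, end, kind in hits:
        if merged and start < merged[-1][1]:
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([start, end, kind])

    out = text
    for start, end, kind in reversed(merged):  # right-to-left keeps offsets valid
        out = out[:start] + f"[REDACTED-{kind}]" + out[end:]
    # The audit trail records type and position only, never the removed value.
    return out, [{"kind": k, "start": s, "end": e} for s, e, k in merged]

# Constructed sample: a message returned for a DSAR made by "Alice Moreau".
SAMPLE = (
    "From: alice.moreau@example.com\n"
    "Alice Moreau asked Bob Tanaka (bob.tanaka@example.com, +44 20 7946 0123) "
    "to copy Carol Nwosu. Alice's desk line is 020 7946 0999."
)
REQUESTOR = {"NAME": {"Alice Moreau"}, "EMAIL": {"Alice.Moreau@example.com"},
             "PHONE": {"020 7946 0999"}}
DIRECTORY = ["Alice Moreau", "Bob Tanaka", "Carol Nwosu"]

if __name__ == "__main__":
    print(redact_third_parties(SAMPLE, REQUESTOR, DIRECTORY)[0])
```

Because the replacement is applied to the delivered text itself and the audit trail holds only offsets, neither the production copy nor the log can be used to recover the removed values.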
Managing SRRs with cloud-based eDiscovery
Cloud-based eDiscovery makes it easy and cost-effective to manage high-effort SRRs. Many organizations already have access to on-demand eDiscovery, and including SRR workflows as an additional use case adds only a modest incremental cost for the extra data. For organizations with cloud-based eDiscovery subscriptions, the frequency and volume of SRR data may comfortably fit within the volume parameters that already exist.
There is no getting around the fact that SRRs are a legally enforced cost to organizations. But compliance with data privacy laws has substantial upside in attracting and retaining customers, and the costs can be contained by using cloud-based eDiscovery solutions to reduce the cost of the highest-effort SRRs.
Everyone is looking for better, faster and more cost-effective results. That’s why it makes sense to use the best tools. Even outside of pure litigation, cloud-based eDiscovery tools can offer a better way to meet data privacy requirements quickly and efficiently, and ensure compliance every step of the way.