Optimizing Subject Rights Requests: Minimizing Risks and Costs Through Adaptive eDiscovery Workflows – Part 1

Opentxt: with padlock

As it will be discussed, Subject Rights Requests (SRRs) are not a single thing but fall on a continuum of effort. For most organizations, the substantial majority of requests are relatively low effort. But high-effort requests, while less frequent, can be an order of magnitude more effort than routine requests. A holistic SRR response program should include good information governance to operationalize strong case management from SRR intake to fulfillment. Investments in privacy management solutions can go a long way to operationalizing mainstream requests within a holistic program that includes routing high-effort requests to a separate process where eDiscovery platforms are used because of their advanced analysis, review and production capabilities.

SRRs from current and former employees often have large volumes of data that is dispersed across a wider variety of systems, along with greater variance in data formats.

Team Opentext

But you probably don’t need to invest much to reduce the cost of fulfilling high-effort subject rights requests. Most organizations have access to an eDiscovery platform, so the prescription for high-effort SRRs is about getting more value from existing investments. There may be a modest incremental cost associated with additional data hosted in your cloud-based eDiscovery solution but these costs should be a fraction of what would be spent on manual effort if eDiscovery platforms are not used when they are required. 

Hiring Managed Review experts to handle high-effort SRRs is also a valid option. The costs should be marginal or even a net gain given the efficiency that Managed Review experts deliver and the avoided expense on internal resources. 

Start with a solid information governance foundation 

The root of good data privacy and eDiscovery is to utilize an information governance framework to address privacy risk and data management strategies. Forward-thinking organizations are tackling data sprawl and the proliferation of sensitive data outside of protected zones by knowing what types of sensitive data are stored where and controlling that data by classifying it and applying safe storage policies (access credentials, encryption, etc.). To minimize their sensitive data footprint, organizations also are assessing and remediating sensitive data wherever it conflicts with policy or does not support a business purpose. 

Innovation is also a cornerstone of good information governance. Automation is increasingly being employed to reduce reliance on manual processes and reduce the effort of data privacy activities and workflows. Similarly, tools for discovering, classifying, and detecting sensitive or personal data are increasingly being integrated with security hardened repositories and processes to meet regulatory obligations with less friction and greater assurance of meeting timelines. Information governance itself is also evolving to provide greater transparency, link processes to critical content and apply effective case management to track and prioritize program activities. The application of case management to track performance across SRR activities from intake to fulfillment is a good example of this evolution. 

Information governance (IG) implications for optimizing SRRs

SRRs without IGSRRs with IG
No use of automation to limit data sprawl – same number of needles, much bigger haystackArchiving and deduplication to control data sprawl makes SRR data easier to find
Personal data is scattered with numerous systems to searchPersonal data footprint is minimized which leads to fewer systems to search
Files are not classified and there are no indicators whether they contain personal dataFiles are classified by personal data flags within metadata which improves the efficacy of search

Accommodate the variance in complexity of different SRRs

Subject Rights Request, including DSARs, vary substantially in their complexity and time to process. This is because they are initiated by people with different motivations and requirements, including customers, employees and ex-employees. SRRs from current and former employees often have large volumes of data that is dispersed across a wider variety of systems, along with greater variance in data formats.

There are also multiple types of requests that can be submitted to the organization, these include:

  1. Right to know – involves providing a report of all personal data held
  2. Right to be deleted – the permanent eradication of data which is not required for an ongoing valid right to process
  3. Right to have the data transferred to the individual – included in the majority of data privacy regulations;  GDPR adds the requirement to transfer the requestor’s data to a third party. 

All requests, regardless of who submits it, involve similar processes and reporting that is sent to the requestor. The bulk of the effort is in discovering and isolating data associated with specific individuals. The level of effort varies substantially depending on who has filed the request and the length and intricacy of the relationship with them. Instead of seeing SRRs as a single thing, they are better viewed on a continuum from low-effort to high-effort requests. High-effort requests can take the same amount of time as a hundred or more low-effort requests and require enhanced review management processes and tools to efficiently discover relevant data from within large and diverse volumes of irrelevant data. 

The Two Types of SRR Process

CriteriaManual processesAutomated process with eDiscovery tools
Number of systemsHigh variance between SRRs in number of systems, volume of data and variety of formats – same process for low and high-effort requests but varies from minutes to daysBuilt to handle high numbers and dispersion of systems, substantial volumes of data and significant variety of formats 
Data extraction / data collectionSearch-centric process to find and extract specific data, one system at a time – easy to overlook systems and miss relevant dataData is collected expansively by search-enabled connectors – making it easier to include broad sets of systems and collect targeted data across all systems
Data staging / data portingRelevant data is posted to an unstructured staging area – high data volumes require significant effort to review, organize and prepare data for productionData is ingested into the eDiscovery platform where it is automatically deduplicated
Data identificationManual process to verify extracted data as relevant, accurate and completeEasy-to-use stackable search filters and analytics to home in on relevant dataPredictive search to use highly relevant documents to quickly find other relevant data
Detecting third parties and their dataFinding the data of third parties that may be intertwined with the requestor’s data can require significant manual review because there is no list of who to search forRedacting third-party data is typically manualAutomated detection of third-partiesPre-configured personal data detection libraries for common patterns and Regular Expressions (RegEx) for custom patternsAutomated redaction to remediate the personal data of third parties
Producing the relevant dataThe production process is typically manualProduction is automated, including auto-triggered quality control and redaction accuracy checks

Manual processes are typically applied to high-volume but lower effort requests. For these, a holistic SRR program founded on good information governance with strong case management from SRR intake to fulfillment is the best prescription. Holistic programs will also include the ability to identify high-effort SRRs to route them to a distinct process where the benefits of eDiscovery platforms can be applied. 

In the next blog we will look at how to determine which SRRs warrant the use of eDiscovery platforms and how to build an adaptive SRR workflow program. 

Stay tuned for part 2 of this blog series, which will provide a how-to guide for building a cost-optimized SRR response program tailored to the particular requirements of your organization. 


  • TEAM OpenText™

    OpenText™ is a Guardian Trusted Partner of EDRM. OpenText™ delivers the competitive advantage to corporate legal departments and law firms with end-to-end eDiscovery software and services that lower cost, risk and inefficiency at all stages of the EDRM workflow. See their partner page here: https://edrm.net/partners-opentext/

    View all posts