
Optimizing Subject Rights Requests

The ACEDS-sponsored webinar by OpenText, Data Privacy for eDiscovery Pros – Strategy and Execution with Andy Teichholz, covered the foundations of information governance needed to enable effective data privacy programs and the interplay of data privacy with eDiscovery. The session discussed how eDiscovery workflows are optimal for specific types of subject rights requests (SRRs), including GDPR Data Subject Access Requests, when the response requires a process that resembles a document review workflow for litigation.

In this blog I will:

  • Expound upon some of the conversation in the webinar.
  • Elaborate in more detail on the implications of an effective data privacy program for optimizing SRRs.
  • Examine the differences in process between SRRs with and without the use of eDiscovery platforms.

Reducing costs of fulfilling SRRs

SRRs are not a single thing but fall on a continuum of effort. For most organizations, the substantial majority of requests are relatively low effort. But high-effort requests, while less frequent, can take an order of magnitude more effort than routine requests. A holistic SRR response program should include good information governance to operationalize strong case management from SRR intake to fulfillment. Investments in privacy management solutions can go a long way toward operationalizing mainstream requests within a holistic program, one that also routes high-effort requests to a separate process where eDiscovery platforms are used because of their advanced analysis, review and production capabilities.

But you probably don’t need to invest much to reduce the cost of fulfilling high-effort subject rights requests. Most organizations have access to an eDiscovery platform, so the prescription for high-effort SRRs is about getting more value from existing investments. There may be a modest incremental cost associated with additional data hosted in your cloud-based eDiscovery solution, but these costs should be a fraction of what would be spent on manual effort if eDiscovery platforms are not used when they are required.

Hiring Managed Review experts to handle high-effort SRRs is also a valid option. The costs should be marginal or even a net gain given the efficiency that Managed Review experts deliver and the avoided expense on internal resources.

With High-Efficiency Managed Document Review and OpenText Discovery solutions you can take the cost and risk out of unpredictable document review.

Start with a solid information governance foundation

The root of good data privacy and eDiscovery is to utilize an information governance framework to address privacy risk and data management strategies. Forward-thinking organizations are tackling data sprawl and the proliferation of sensitive data outside of protected zones by knowing what types of sensitive data are stored where and controlling that data by classifying it and applying safe storage policies (access credentials, encryption, etc.). To minimize their sensitive data footprint, organizations also are assessing and remediating sensitive data wherever it conflicts with policy or does not support a business purpose.

Innovation is also a cornerstone of good information governance. Automation is increasingly being employed to reduce reliance on manual processes and to reduce the effort of data privacy activities and workflows. Similarly, tools for discovering, classifying and detecting sensitive or personal data are increasingly being integrated with security-hardened repositories and processes to meet regulatory obligations with less friction and greater assurance of meeting timelines. Information governance itself is also evolving to provide greater transparency, link processes to critical content and apply effective case management to track and prioritize program activities. The application of case management to track performance across SRR activities from intake to fulfillment is a good example of this evolution.

Information governance (IG) implications for optimizing SRRs

  • Without IG: No use of automation to limit data sprawl (same number of needles, much bigger haystack). With IG: Archiving and deduplication to control data sprawl make SRR data easier to find.
  • Without IG: Personal data is scattered, with numerous systems to search. With IG: The personal data footprint is minimized, which leads to fewer systems to search.
  • Without IG: Files are not classified and there are no indicators of whether they contain personal data. With IG: Files are classified by personal-data flags within metadata, which improves the efficacy of search.

Accommodate the variance in complexity of different SRRs

Subject Rights Requests, including DSARs, vary substantially in their complexity and time to process. This is because they are initiated by people with different motivations and requirements, including customers, employees and ex-employees. SRRs from current and former employees often involve larger volumes of data that are dispersed across a wider variety of systems, along with greater variance in data formats.

There are also multiple types of requests that can be submitted to the organization; these include:

  1. Right to know – involves providing a report of all personal data held
  2. Right to be deleted – is the permanent eradication of data which is not required for an ongoing valid right to process
  3. Right to have the data transferred to the individual – included in the majority of data privacy regulations; GDPR adds the requirement to transfer the requestor’s data to a third party.

All requests, regardless of who submits them, involve similar processes and similar reporting that is sent to the requestor. The bulk of the effort is in discovering and isolating data associated with specific individuals. The level of effort varies substantially depending on who has filed the request and the length and intricacy of the relationship with them. Instead of seeing SRRs as a single thing, they are better viewed on a continuum from low-effort to high-effort requests. High-effort requests can take the same amount of time as a hundred or more low-effort requests, and require enhanced review management processes and tools to efficiently discover relevant data from within large and diverse volumes of irrelevant data.

The two types of SRR process

  • Number of systems
    Manual process: High variance between SRRs in number of systems, volume of data and variety of formats; the same process is used for low- and high-effort requests but takes anywhere from minutes to days.
    Automated process with eDiscovery tools: Built to handle high numbers and dispersion of systems, substantial volumes of data and significant variety of formats.
  • Data extraction / data collection
    Manual process: Search-centric process to find and extract specific data, one system at a time; easy to overlook systems and miss relevant data.
    Automated process with eDiscovery tools: Data is collected expansively by search-enabled connectors, making it easier to include broad sets of systems and collect targeted data across all systems.
  • Data staging / data porting
    Manual process: Relevant data is posted to an unstructured staging area; high data volumes require significant effort to review, organize and prepare data for production.
    Automated process with eDiscovery tools: Data is ingested into the eDiscovery platform, where it is automatically deduplicated.
  • Data identification
    Manual process: Manual process to verify extracted data as relevant, accurate and complete.
    Automated process with eDiscovery tools: Easy-to-use stackable search filters and analytics to home in on relevant data; predictive search uses highly relevant documents to quickly find other relevant data.
  • Detecting third parties and their data
    Manual process: Finding the data of third parties that may be intertwined with the requestor’s data can require significant manual review because there is no list of who to search for; redacting third-party data is typically manual.
    Automated process with eDiscovery tools: Automated detection of third parties; pre-configured personal data detection libraries for common patterns and regular expressions (RegEx) for custom patterns; automated redaction to remediate the personal data of third parties.
  • Producing the relevant data
    Manual process: The production process is typically manual.
    Automated process with eDiscovery tools: Production is automated, including auto-triggered quality control and redaction accuracy checks.
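The staging, identification, third-party detection, redaction and QC steps above, as an added illustration in Python that is not part of the original post or of any OpenText product. It assumes a constructed set of collected records, a hypothetical requestor, and a small pattern library (emails, short phone numbers and a made-up employee-ID format); names of third parties are left for dictionary or NER-based detection, which this sketch does not cover.

```python
import hashlib
import re

# Constructed sample: the requestor and the records collected for one DSAR (not real data).
REQUESTOR = {"name": "Jane Doe", "email": "jane.doe@example.com"}
COLLECTED = [
    {"system": "crm",  "text": "Customer Jane Doe (jane.doe@example.com) called about invoice 4471."},
    {"system": "mail", "text": "Customer Jane Doe (jane.doe@example.com) called about invoice 4471."},  # duplicate export
    {"system": "mail", "text": "Jane Doe asked Bob Smith <bob.smith@example.org> to CC 555-0142."},
    {"system": "hr",   "text": "Quarterly newsletter draft, no personal data."},
]

# Pre-configured personal-data patterns plus one custom pattern (hypothetical employee-ID format).
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}-\d{4}\b"),
    "employee_id": re.compile(r"\bEMP-\d{5}\b"),
}

def deduplicate(records):
    """Staging step: drop exact duplicates by content hash, as ingestion into a platform would."""
    seen, unique = set(), []
    for r in records:
        digest = hashlib.sha256(r["text"].encode()).hexdigest()
        if digest not in seen:
            seen.add(digest)
            unique.append(r)
    return unique

def is_relevant(record):
    """Identification step: keep records that mention the requestor by name or email."""
    text = record["text"].lower()
    return REQUESTOR["name"].lower() in text or REQUESTOR["email"].lower() in text

def redact_third_parties(text):
    """Redact pattern hits that are not the requestor's own data; return (text, redaction count)."""
    hits = 0
    for kind, pattern in PATTERNS.items():
        def replace(m):
            nonlocal hits
            if m.group(0).lower() == REQUESTOR["email"].lower():
                return m.group(0)          # requestor's own identifier stays in the production
            hits += 1
            return f"[REDACTED {kind}]"
        text = pattern.sub(replace, text)
    return text, hits

def build_production(records):
    """Dedupe, filter to relevant records, redact third-party data, then QC for leftover hits."""
    production = []
    for r in filter(is_relevant, deduplicate(records)):
        text, hits = redact_third_parties(r["text"])
        leftover = [k for k, p in PATTERNS.items()
                    if any(m.lower() != REQUESTOR["email"].lower() for m in p.findall(text))]
        production.append({"system": r["system"], "text": text, "redactions": hits, "qc_pass": not leftover})
    return production
```
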

Manual processes are typically applied to high-volume but lower effort requests. For these, a holistic SRR program founded on good information governance with strong case management from SRR intake to fulfillment is the best prescription. Holistic programs will also include the ability to identify high-effort SRRs to route them to a distinct process where the benefits of eDiscovery platforms can be applied.

Keep in mind that the substantial difference in workflows, and the degree to which analytics and automation are brought in to assist, does not imply that all SRRs are best processed through an eDiscovery workflow.

Stay tuned for part 2 of this blog series, which will provide a how-to guide for building a cost-optimized SRR response program tailored to the requirements of your organization. In the next blog we will look at how to determine which SRRs warrant the use of eDiscovery platforms and how to build an adaptive SRR workflow program.

Learn more about eDiscovery workflows for SRR fulfillment by reading Efficient data privacy compliance using eDiscovery workflows, and see how OpenText can help you fulfill high-volume SRR requests.
