Digital White Papers

LPS19

publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/1108621


ILTA WHITE PAPER | LITIGATION AND PRACTICE SUPPORT
THE EVOLVING IDENTITY OF CORPORATE EDISCOVERY AND INFORMATION GOVERNANCE

In many organizations, Security departments have established governance, risk, and compliance (GRC) teams which complement the Legal Information Governance department. At a minimum, or in part, the information governance work involves inventorying all corporate systems housing structured and unstructured data; documenting the content held within each system, including personal data (PII), retention rules, system owners, data lineage, and APIs; and outlining the security controls covering handling, storage, transmission, encryption, permissions, and exceptions. The work, whether executed by Legal or Security, also involves identifying processes and gaps within various departments that are out of compliance with Security, Retention, and Privacy policies, while developing a realistic pathway for them to become compliant.

The Rise of Privacy

Midway through 2017 it became apparent that Europe's new privacy law, known as the General Data Protection Regulation (GDPR), was going to come into effect within a year's time, threatening fines as high as 4% of a company's global annual revenue in cases of non-compliance. The nutshell version of GDPR goes like this: in order to meet the requirements of GDPR, businesses that process the personal data of EU residents must understand where such data lives, why it is needed, who it is shared with, and how it is used. These companies must also rectify incorrect information, provide a dossier of the data, and demonstrate the ability to delete that data upon request or when it is no longer necessary to retain. The GDPR further highlighted the ability of EU-based individuals and employees to submit data subject access requests (DSARs) to obtain the personal data a company holds about them, which the company must answer within one month.

Preparing for business in a post-GDPR world largely translated into an immediate emergency reprioritization across multinational organizations to ensure in-scope departments could appropriately react to data subject requests (including deletion), ensure notices were in place where data was collected, and execute updates to internal- and external-facing privacy policies. The immediate deep dive within each department to inventory systems, content, access controls, data lineage, retention rules, data disposition processes, data extraction ability, anonymization, pseudonymization, deletion processes, and audit controls signified the first step toward enabling a robust privacy program, depending on its existing maturity. The effectiveness of the privacy program depends on its integration into business lines so that data protection impact assessments (DPIAs) can be delivered to mitigate risks, flag issues, and track data mishandling. All told, the modern privacy program can only be successful if it is built upon a robust data governance foundation, ensuring the privacy team has the ability to drive change where systems fall short of the requirements needed to keep data accessible, minimized, and purgeable.

The new era of international privacy laws generated the necessary institutional risk to drive an all-hands approach to governance by design, security by design, and privacy by design. Ultimately, however, it was not complex bet-the-farm litigation or repeated, high-profile data breaches, but in fact privacy regulations, that drove these endeavors to executive and board-level visibility.

Information Management

This walk through history illuminates the different departments and various subject matter experts who have a hand in the protection of data within an organization. From the beginning (and to this day) litigation requires an in-depth awareness of where evidence resides so it can be defensibly preserved, either in place or by acquisition. But because discoverable data can come in any form, including entire systems, unstructured data buried in 100TB file shares, legacy content management systems, ERPs, email, chat, mobile devices and apps, wikis, cloud storage, proprietary databases, or logs, robust indexing platforms are necessary. Tools have been developed over the years to support those needs and rebranded where needed to support the ancillary information governance work. Now, with the need to focus on personal data identification in the same storage locations, these same tools have been rebranded again to target Privacy needs for DSARs. The true data governance platforms, not the classification tools, are designed to track asset inventories, attributes about each system (e.g., security
