publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/1186592
I L T A W H I T E P A P E R | C O R P O R A T E L E G A L D E P A R T M E N T S 5 H O W C O U N S E L C A N F I N D S O L I D F O O T I N G I N T H E E - D I S C O V E R Y , P R I V A C Y B A L A N C I N G A C T Data subject access requests (DSARs) require extensive workflows to operationalize, and in certain circumstances, may impact e-discovery. can take to balance conflicts between e-discovery and privacy needs, and mitigate the cost of complying with data protection laws while collecting and processing personal data of citizens in Europe, California and other governed jurisdictions. • Understand the Data Map: In operationalizing for compliance, the data privacy office will have completed an inventory of the organization's structured and unstructured data sources and personal data stores. E-discovery practitioners must work with the company's data privacy office and leverage the data map to navigate any special handling certain data may require during preservation, collection, processing, review and production, to remain in accordance with regulations. If a formal data map does not exist, organizations should secure necessary resources and buy-in from senior management to invest in creating one. Having a readily available data map will help achieve compliance as well as time and cost savings of identifying data sources for future matters. • Get a Grip on Legal Holds: A great deal of enterprise data on legal hold resides in structured business systems. Historically, it was easiest for the legal team to take a broad approach and put entire systems on hold, rather than parse the data within them. Now, many systems are in the cloud, and records for U.S. and European citizens are often co- mingled in global databases. From a legal hold perspective, this means that the legal team must take a targeted approach to identifying the specific data within those systems that must be preserved. While it is easier to take a targeted approach towards preservation of email, doing so for structured business systems requires teams to work with various business unit owners and the data privacy office to separate legal hold records from the rest, and ensure that records for anyone protected by privacy laws are preserved in a compliant way. This may include obtaining valid consent from custodians under the GDPR for processing (which includes placing on legal hold) an employee's personal data. Any necessary exceptions to this approach must be addressed in close collaboration with the chief data privacy officer. More, teams in the U.S. should examine their existing legal holds and assess if they are overly broad and need to be right-sized to strengthen the organization's privacy posture. They might also consider updating their legal hold policy to include the procedures the teams will employ when implementing a cross-border legal hold. • Be Prepared for DSARs: GDPR introduced extensive data subject rights, including the right to be forgotten and rights for citizens to demand information about the scope of their personal data an organization is storing and how it is protected, processed, etc. Data subject access requests (DSARs) require extensive workflows to operationalize, and in certain circumstances, may impact e-discovery. For example, a custodian whose data is in scope for