P2P

44 P E E R T O P E E R : I L T A ' S Q U A R T E R L Y M A G A Z I N E | S P R I N G 2 0 2 2 process that can be standardized and repeated in future matters. 2. Create a "Matter Data Protection Policy." This policy should be aligned with the highest legal standard applicable to the dataset (in most cases, this will be GDPR), to help ensure appropriate handling of personal data through the duration of a matter. Counsel should also draft and socialize a quick- hit sanctions policy that enforces safeguards and outlines the implications of non-compliance. 3. Establish and document a control toolbox to define and itemize every safeguard put in place. The toolbox should address matter-specific data handling training for all parties involved on the case, processes to intake reports of data misuse or loss and automated removal, redaction or anonymization of all personal data categories deemed non-responsive to the matter. Outlining the individual data categories the team is permitted to transfer, and likewise blocking transmission of data that is not permitted (or redacted), will support overall documentation and defensibility. 4. During transmission, establish and maintain all controls defined in the control toolbox, and add others that may apply as the matter evolves. Encrypt all datasets to the extent possible in transit and at rest using industry-approved encryption standards. Chain of custody procedures that document all instances of data duplication through transmission, and all individuals that physically handle hardware containing personal data, are highly recommended to maintain integrity at every step. 5. Once data has been transmitted and is in use for discovery purposes, a team member should be appointed to oversee ongoing privacy safeguards. This privacy controller should conduct frequent usage checks on the dataset and initiate disposal of any items not actively in use. As the matter continues, counsel should ensure disposition of all personal data is performed and logged upon the completion of review. Cross-border e-discovery teams are often under extreme pressure to move quickly in getting to the data. But with no Privacy Shield safety net, and increasing data protection scrutiny, the risks of not addressing data privacy in cross-border data transfers now outweigh the conveniences of a fast and loose approach. Thinking through the programmatic steps to safeguard data will show good faith with DPAs, support privacy compliance and ensure evidence remains valid in high-stakes litigation and investigations. ILTA Chris Zohlen is a Managing Director based in the LA office. As a senior member of FTI Consulting's Technology Information Governance, Privacy and Security Services (IGP&S) practice, Chris brings more than 15 years of experience in information governance and legal technology to help legal, records, privacy, IT and information security departments identify, develop, evaluate and implement in-house e-discovery, privacy, and data governance processes and programs. Relying on his background in applying technology to transform and solve business challenges, Chris works with clients to create solutions that produce the largest ROI while simultaneously reducing risk. F R O M T H E I N F O G O V C C T

• Cover