February 25, 2021

Electronic Discovery: Preparing for Privacy and Data Compliance

At A&M, we believe privacy and data compliance issues are always relevant when performing electronic discovery. The core discovery questions of “who did what, or who knew what, when”, the explosion in electronic communications, the ever-blurring boundary between work and home, and the potential need to examine personal devices mean that information linked to individuals is nearly always central to the exercise.

For UK-based discovery exercises, this prompts a range of considerations under relevant privacy and data protection rules, particularly, the General Data Protection Regulation (GDPR) and the UK Data Protection Act (DPA). In cases where discovery involves multinationals or the collection of data that resides across different jurisdictions, the data compliance complexities are further magnified. Depending on the jurisdictions involved, the nature of these obligations may change, as well as there being wider data compliance issues to consider, such as data localisation or sectoral requirements.

How can organisations address these issues? For organisations required to make disclosure for discovery purposes, or for service providers involved in the discovery process, we believe that preparation is critical.

Information governance: starting from a strong position

It is perhaps an obvious point, but organisations with good information governance are generally best placed to avoid data compliance issues in the discovery process. Where this is not the case, we have often seen the process of discovery bring data compliance issues to light as the extent and nature of data held by an organisation undergoes scrutiny for the first time.

Having a good understanding of what data is held where and of the nature of the data within each dataset, together with sound retention and governance practices, not only limits the risk of issues arising during the discovery process but also puts organisations on the front foot. This brings benefits in targeting the discovery exercise and provides a stronger position from which to push back on requests and address contentious issues.

Establishing a framework: making compliance as easy as possible

Due to the volumes of personal data and contentious backdrop to discovery exercises, it would be unwise to ignore privacy and data compliance risks and obligations. From a privacy perspective, key considerations will include the legal basis for processing, the relationship between the parties concerning the data and, importantly, the responsibilities in relation to privacy rights and obligations, and managing purpose limitation, data minimisation, transfers and retention requirements.

In the case of the GDPR, requirements are risk-based and must be balanced against competing rights and obligations. There are also derogations to consider under national law, for instance, those under the UK DPA for activities linked to legal proceedings, advice or establishing, exercising or defending legal rights.

Having a deep understanding of the relevant privacy requirements, identifying any issues early on, and having clear processes for dealing with anticipated issues and for deciding between competing requirements is crucial at the start of any discovery process. The key lies in performing an initial analysis that establishes a clear position against each relevant consideration. This allows quick and efficient decision-making when privacy and data compliance issues arise, and clearly delineates where responsibilities lie between the parties. It reduces the risk of privacy and data compliance derailing the discovery process, cuts the time and effort spent dealing with these issues, and provides a repeatable framework for future activities.

Five practical steps for privacy and data compliance when beginning the discovery exercise

Organisations about to begin discovery are likely to want to know what immediate practical action they can take. Whatever the state of their preparation, here are five steps to help put organisations in a strong privacy and data compliance position.

1. Understand the responsibilities of the parties involved in the exercise, i.e., who are controllers, joint controllers or data processors, what privacy obligations (legal or contractual) apply to your organisation and any subcontractors, and what the legal bases for the processing are.

2. Clarify the likely data transfers ahead of the process, i.e., where data currently resides, the preferred hosting locations during discovery, and the locations of the parties it may be shared with, and identify what safeguards may be needed for transfers and which local privacy laws may apply.

3. Ensure there is awareness of privacy and data compliance considerations, flagging potential issues and requirements to senior management and project team members, to aid quick identification and resolution of issues and decision-making.

4. Engage directly with the ‘data owners’, whether individuals or the key stakeholders from the relevant business units, to understand what data is likely to be visible during the discovery process. Having an idea of what you may encounter allows you to plan during the discovery process.

5. Before allowing any external parties access to the data, apply a set of filters that flag data types deemed sensitive by the business. For example, criteria that capture personal data or state secret material could be used as a pre-filter before discovery.
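The pre-filter described in the last step can be sketched as a small document scan that holds back anything matching the business's sensitivity criteria before an external party sees it. The script below is an added illustration and is not A&M's tooling; the detection patterns (e-mail address, UK National Insurance number format, UK mobile number), the list of protective markings and the sample documents are all constructed assumptions standing in for criteria a business would define itself.

```python
from __future__ import annotations

import re

# Assumed personal-data detectors. A real pre-filter would take its criteria
# from the business's own definition of what counts as sensitive.
PERSONAL_DATA_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # UK National Insurance number: two letters, six digits, suffix A-D.
    "uk_ni_number": re.compile(
        r"\b[A-CEGHJ-PR-TW-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"
    ),
    # UK mobile numbers in national (07...) or international (+44 7...) form.
    "uk_mobile": re.compile(r"\b(?:\+44\s?7\d{3}|07\d{3})\s?\d{3}\s?\d{3}\b"),
}

# Assumed protective markings the business treats as restricted material.
RESTRICTED_MARKINGS = ("OFFICIAL-SENSITIVE", "SECRET")

# Constructed sample documents; the contact details and NI number are
# placeholders in fictional ranges, not real data.
SAMPLE_DOCUMENTS = {
    "doc-001": "Minutes of the project meeting. Action: finalise vendor shortlist by Friday.",
    "doc-002": "Please send the revised contract to j.smith@example.com or call 07700 900123.",
    "doc-003": "OFFICIAL-SENSITIVE: payroll extract. NI number AB 12 34 56 C, salary band 4.",
    "doc-004": "Draft press release for the Q3 results, approved for external circulation.",
}


def scan_document(text: str) -> dict:
    """Count personal-data hits and restricted markings in one document.

    Returns a dict with the per-type hit counts, the markings found and a
    'hold' decision: True means the document must not be released to an
    external party until it has been reviewed.
    """
    personal = {
        name: len(pattern.findall(text)) for name, pattern in PERSONAL_DATA_PATTERNS.items()
    }
    personal = {name: count for name, count in personal.items() if count}
    markings = [
        marking
        for marking in RESTRICTED_MARKINGS
        if re.search(rf"\b{re.escape(marking)}\b", text)
    ]
    return {
        "personal_data": personal,
        "markings": markings,
        "hold": bool(personal or markings),
    }


def prefilter(documents: dict[str, str]) -> tuple[list[str], dict[str, dict]]:
    """Split a corpus into releasable document ids and held documents.

    Held documents carry their scan result so a reviewer can see why each
    one was stopped, which is the record the business needs when deciding
    whether to redact, withhold or release.
    """
    releasable: list[str] = []
    held: dict[str, dict] = {}
    for doc_id, text in documents.items():
        result = scan_document(text)
        if result["hold"]:
            held[doc_id] = result
        else:
            releasable.append(doc_id)
    return releasable, held


if __name__ == "__main__":
    ok, stopped = prefilter(SAMPLE_DOCUMENTS)
    print("releasable:", ok)
    for doc_id, reason in stopped.items():
        print(f"held {doc_id}: {reason}")
```

Pattern matching of this kind is a first pass, not a substitute for review: it catches well-formed identifiers and markings but misses names, free-text health details and anything in scanned images, so the held set should be treated as a floor on what needs attention rather than a complete inventory.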

How A&M can help

Every organisation will have its priorities and challenges, considering the level of maturity of their data protection compliance and scope and complexity of the discovery requirements. With our Disputes & Investigations, Electronic Discovery and Privacy and Data Compliance teams, A&M has both the expertise and experience to face these challenges head-on.

Authors

Samita Patel

Director

Sam Lowe

Manager