Editor’s Note: As I noted last week, the team at Exterro has given me the opportunity to be a guest author on their excellent blog, and my three-part series started last week. Likewise, Ron Rambo, the Content & Communications Manager for Exterro, has provided a two-part blog series for eDiscovery Today! Enjoy!
With evermore complex regulatory schemes continuing to challenge Legal and Compliance departments at businesses around the globe, General Counsel and Chief Legal Officers—along with their counterparts in Privacy and Security—have recently adopted more serious approaches to reviewing their data management and information governance practices.
For several years now, the converging priorities among Legal, Privacy, Compliance, Security, and IT teams within global enterprises has meant that organizational data has increasingly come under the microscope. Why? Because the vast majority of business risk is tied to the way an organization stores, manages, and shares its data. This has always been true for litigation and e-discovery, but now, with the launch of the EU’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA), it is true for consumer and employee data as well, along with other business-related data.
In looking at how organizations store their data, it’s clear that they can’t simply keep everything anymore; the GDPR, for example, has stated retention periods for data that doesn’t have a business use. But for about the last two decades, the exponential growth of data has meant that businesses that don’t remediate their legacy data have seen the size of their digital universes double every two years, at minimum.
The big issue: The vast majority of the data an organization holds is not data that has a business use. Rather, it simply heightens potential risk or litigation liabilities.
Take, for example, the recent COVID-19 pandemic, and the related risks surrounding remote employees working on unsecured WiFi networks. Or other organizations that have seen their use of videoconferencing software vastly expand in recent months. Businesses that have never needed to use videoconferencing software might now need policies in place for storing that data—which is considered discoverable ESI under FRCP 34(a)(1).
“Tech enables the existence of a database, the process for collecting customer data brings about business benefit from the data analysts learning about customer behaviors, but unless you want to throw that all away and expose your carefully curated data, you also have to limit the risk,” said Marie Bradley in a recent interview with Exterro. Bradley is the Operational Compliance Director at advertising firm Adam&Eve. “Risks tend to form independently and then when large enough or mature enough they converge to be governed and regulated through compliance activities.”
The proliferation of organizational data creates risk everywhere, including e-discovery. Exterro’s 2020 Judges Survey found that nearly 4-in-5 federal judges felt that e-discovery costs would continue to increase, in part due to the volume of data and the complexity of remediating it against consumer rights to delete their data, as granted by the GDPR and CCPA.
Said one federal judge: “I advise parties make an extensive effort to determine what data their parties store and how it’s stored, and revisit this information when responding to discovery requests and appearing at a hearing about a discovery dispute.”
In other words: Organizations must amplify their efforts to remediate their legacy data before it gets out of hand. With the CCPA having gone into full effect on July 1, regulators have given business and legal department leaders all the impetus they need to enact sweeping changes in how they manage their legal governance, risk, and compliance challenges.
Getting Your Data House in Order
Because most of the legal and regulatory business challenges that companies face are tied to how they manage, store, and share their data—and because those challenges now span organizational units—enterprises that take the time to ensure their data houses are in order will stand to benefit the most.
This is true for two reasons: Legal and regulatory compliance becomes easier, less costly, and more efficient; and organizations that take data privacy seriously hold a competitive advantage with consumers who care about having their personal information protected rather than sold or easily accessed during a data breach.
The business challenges surrounding data governance typically breakdown into three major areas:
- New data privacy laws that grant consumers new rights over their personal data
- Data breaches and the resulting fines and reputational risk involved
- Ensuring preservation of relevant data for criminal or civil litigation
To best answer these challenges, organizations must consider a centralized technology framework that orchestrates the tasks, activities, and stakeholders involved in critical data privacy, data security, data retention, litigation, and legal operations. This means utilizing technology that can connect to all of the data sources across an enterprise and provide a central, transparent location through which all of your organizational data are visible. This centralized framework will allow you to answer five questions:
- Where does your data live?
- Who owns it?
- Which regulations govern it?
- Which third parties have access to it—and how do they use it?
- How much data do you really have?
The conclusion of Ron’s series will be published next week. Stay tuned!
Disclaimer: The views represented herein are exclusively the views of the authors and speakers themselves, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.