Due to the volume of data that is held on individuals and the implementation of the GDPR (General Data Protection Regulation), businesses have a legal obligation to ensure that the data is being managed appropriately. Compliance includes:
Individuals are now aware of their right to request personal data, so whether that’s because of a concern for their own privacy or as part of litigation, businesses need to be able to respond in a manner that is compliant, defensible and within a set period of time.
Subject Access Requests: using eDiscovery tools ensures compliance and is cost-effective
With the use of eDiscovery, Subject Access Requests (SARs) that involve electronic data can be managed quickly and efficiently, thus minimising the overall disruption to the business and the costs involved in responding.
The Electronic Discovery Reference Model (EDRM) is a useful guide to follow to identify, isolate and extract data ready for disclosure to an individual.
Whether data is stored in multiple locations dictates which stages of the EDRM are required; in some cases parts of the process may need to be repeated or run simultaneously before everything can be collated. However, as data is put through the EDRM process, the volume decreases and the information extracted becomes more relevant.
Information Governance balances the evaluation, creation, use, storage, archiving, security, compliance and deletion of electronically stored information (ESI). It also covers the policies, processes and standards (systems and procedures) an organisation has adopted, thus ensuring efficient and effective use of data and mitigating risks and potentially unnecessary expenses.
Identification is a scoping exercise to establish (identify) the general classes/sources of data that are relevant to the SAR. These might include email accounts, the subject’s own PC, related/connected personnel (for example team members or management), servers (including backup and cloud-based), smartphones and tablets, and accounting software. It will also include any hard-copy documents relating to the individual. These documents can be converted to electronic form if necessary and integrated with the ESI for further analysis.
Preservation and collection are processes that quite often occur simultaneously. Preservation ensures that any data identified as relevant is protected from inappropriate alteration or destruction. Collection is pulling all the data together and collating it ready to be processed by an eDiscovery provider. This may be as simple as putting the data onto an external hard drive; however, if the SAR covers multiple and complex searches then it may require input from a Forensic Data Team who will assist in identifying meaningful data.
Processing, Review and Analysis follow this format:
Production and Presentation ensure that the data identified is presented in a way that is concise and clear.
If your organisation is presented with a SAR then using an eDiscovery provider to collate relevant data for disclosure is both practical and cost-effective.
For full information and guidance on all aspects of GDPR and SARs, visit the Information Commissioner’s Office (ICO) at https://ico.org.uk