In ediscovery, privacy compliance means adhering to the laws and regulations, such as the CCPA and the GDPR, for every jurisdiction where an organization does business. Generally speaking, those obligations include:
- Protecting all of the data it possesses or controls.
- Preserving everything that may be relevant to anticipated or pending litigation.
- Being able to collect, process, and produce data on request.
Requirements that dictate an organization’s ediscovery obligations stem from three primary sources: U.S. rules and laws, foreign regulations, and data security standards.
Managing Ediscovery Data for Privacy Compliance
To ensure compliance with ediscovery requirements, a business should adopt the following general approach:
- Determine which ediscovery requirements might apply to the business. Some key rules and regulations controlling ediscovery are listed below.
- Read and understand each rule, beginning with the purpose of the rule.
- Decide whether that rule applies to the business’s specific use case. If it applies, the business must either comply with the rule or adapt its practice to avoid the rule.
- Establish processes and tools to ensure the company’s compliance with each applicable rule.
- Formalize this approach through a written policy, employee training, and any necessary technical or software support.
Data Privacy is Key to Staying Compliant
No matter where you are in your ediscovery process, it’s always worth taking another look at the data-privacy landscape, assessing your organization’s responsibilities, and forming a plan of action. Here are a few ways to stay on top of data privacy.
- Understand your responsibilities. It sounds obvious, but it is necessary to understand the implications for your organization. Regardless of where you are headquartered, do you do business in a jurisdiction or industry covered by a privacy law? Do you have customers in such jurisdictions? Are you growing and expanding into new markets? There is a lot of nuance in terms of who the laws apply to and what the scope of regulation is. For instance, companies below a certain size may be exempt from some provisions. Start to understand what you need to do to comply by the time regulation takes effect.
- Form an inter-departmental working group. Legal, privacy, and compliance functions will increasingly merge into a single, cross-functional team for handling data-privacy requests. These teams have long operated in silos but will need to work together, along with IT and business groups, to tackle data mapping for the organization, which means determining what information you have and how you are using it. Everyone will benefit from closer collaboration and shared expertise to determine how different departments are collecting and storing information. There is no one-size-fits-all approach, but industry associations may have best practices or case studies to help you understand how other companies are approaching this process.
- Know what information you’re looking for. Personal information can cover a broad range of data, including things like addresses, financial data, biometrics, geolocation, electronic activity like browser history, and even audio-visual assets. Make sure you have a handle on the range of personal data you might have and be aware that different departments may overlap in the information they collect, or they may have completely different types.
- Establish a consistent approach and pressure-test it. This may be challenging given that the various privacy laws themselves are not consistent. But there are still some things you can do, starting with creating a standard way to receive privacy-related requests. Then make sure that you have a consistent approach to processing that intake. Always look at the same data sources, use the same systems to perform your searches, redact the same kinds of information, and report out in a similar format. Implement the same policies and procedures across your organization, communicate them properly, and train people. Put the process through a dry run or other stress-testing to identify and address bottlenecks.
Choosing the Right Ediscovery Software to Ensure Privacy Compliance
Any ediscovery software you choose should be protected by the highest possible data security standards, such as those found in System and Organization Controls (SOC) 2® Type 2 certification.
These standards, issued by the American Institute of Certified Public Accountants (AICPA), cover five trust service criteria: security, availability, processing integrity, confidentiality, and privacy. To maintain data security compliance, businesses should only work with vendors and web hosting applications that have current SOC 2 Type 2 certification.
Finally, conduct a security audit. Your ediscovery software provider will have access to your company's most sensitive data, so it is critical that they have the tools and systems in place to protect that data. At Zapproved, our software undergoes substantial security testing, maintenance, and monitoring to keep your data safe.