Ryan Costello, Author at Prosearch
https://www.prosearch.com/author/ryan-costello/
Enterprise eDiscovery and legal data analytics solutions.
Thu, 28 Aug 2025 19:13:22 +0000

A Right Twist – The UK’s New Requirement for Messaging and Social Media in Subject Access Request Responses
https://www.prosearch.com/a-right-twist-the-uks-new-requirement-for-messaging-and-social-media-in-subject-access-request-responses/?utm_source=rss&utm_medium=rss&utm_campaign=a-right-twist-the-uks-new-requirement-for-messaging-and-social-media-in-subject-access-request-responses
Wed, 28 Jun 2023 19:57:49 +0000

By Ryan Costello, Engagement Director and Head of Data Privacy Service, ProSearch

Overview

A look at recent guidance by the UK’s Information Commissioner’s Office regarding messaging data caught up in access requests and what that might mean for organizations already burdened in responding to DSARs.

Of the individual rights afforded by the UK’s version of the General Data Protection Regulation, the data subject access request, or DSAR/SAR, has been the most widely exercised and most controversial. Access requests from present and former employees, in particular, have troubled many organizations for some time, given the broad scope (e.g., documentation, emails, files) and contentious nature of many employee DSARs, which are often rooted in a human resources-related issue.

In late May 2023, the ICO issued updated guidance on access requests, confirming that social media and messaging data are well within the scope of DSARs and must be collected, searched and disclosed pursuant to these requests.

The SAR Q&A for Employers specifically says:

If your company uses social media platforms such as Facebook, WhatsApp, Twitter and chat channels on Microsoft Teams for business purposes, then you are the controller for the information processed on those pages.

The UK GDPR applies to any social media activity carried out in a commercial or professional context.

If you receive a SAR, you must search these platforms for any personal information if it falls within scope.

While platforms such as Facebook and Twitter may rarely figure in the workplace, Microsoft Teams, especially in post-pandemic times, is used by millions of companies globally and by 91 organizations in the Fortune 100. Collecting and disclosing Teams data in response to DSARs will now be a standard across these companies, which could pose significant challenges for many. While collecting Teams data via M365 can be relatively straightforward, processing, searching and disclosing certain chats containing certain conversations or subject matter can be anything but.

People tend to speak more candidly and frankly in chat messages than they do via email or other forms of documentation. In certain HR-related contexts, that can mean that more of the background exchanges between employees can occur via Teams or other similar applications. It is often these conversations that data subjects are seeking in a DSAR, especially when a contentious underlying or disputed issue may be driving the request.

Though the requirement to include messaging data in access request responses is unique to the UK, it is unlikely to remain so for long. The wide use of messaging applications means that other jurisdictions with GDPR or GDPR-like data privacy laws (including California) are likely to follow suit, especially if more and more access requests specifically surround communications around a data subject which contain personally sensitive information.

ProSearch has five years of experience handling employee DSAR responses on a regular basis, across numerous jurisdictions. We’ve leveraged best practices from our eDiscovery toolbox to sharpen our protocol for these DSARs – some of which can include hundreds of GB of collected data – building focused responses that leave the organizations, and the data subjects, pleased with the result.

More and more commonly, we have been using our Workstream message processing tool to help process, analyze and review messaging data across Teams, Slack and other applications, crafting a DSAR response protocol that spans messages, emails and other file types.

As DSAR responses become more and more complicated, working with an experienced provider that can handle messaging data is all the more important. Amid market swings, layoffs in the tech sector and jobs replaced by AI, HR-driven DSARs are likely to grow in frequency and complexity. Ensuring your organization is prepared is essential.

Find more ProSearch content on these subjects by visiting the Resources page of our website, including the article, Employee DSARs Under CPRA: What You Need to Know Now, and the white paper, Practical Insights for Responding to Employee DSARs – A Primer.

The post A Right Twist – The UK’s New Requirement for Messaging and Social Media in Subject Access Request Responses appeared first on Prosearch.

Employee DSARs Under CPRA: What You Need to Know Now
https://www.prosearch.com/employee-dsars-under-cpra-what-you-need-to-know-now/?utm_source=rss&utm_medium=rss&utm_campaign=employee-dsars-under-cpra-what-you-need-to-know-now
Mon, 20 Mar 2023 22:22:30 +0000

The post Employee DSARs Under CPRA: What You Need to Know Now appeared first on Prosearch.

Migrating eDiscovery to the Cloud: Plan for Success
https://www.prosearch.com/migrating-ediscovery-to-the-cloud-plan-for-success/?utm_source=rss&utm_medium=rss&utm_campaign=migrating-ediscovery-to-the-cloud-plan-for-success
Mon, 14 Nov 2022 17:59:54 +0000

The post Migrating eDiscovery to the Cloud: Plan for Success appeared first on Prosearch.

Mitigating Data Privacy Risks in Cross-Border Discovery
https://www.prosearch.com/mitigating-data-privacy-risks-in-cross-border-discovery-2/?utm_source=rss&utm_medium=rss&utm_campaign=mitigating-data-privacy-risks-in-cross-border-discovery-2
Fri, 05 Mar 2021 21:22:23 +0000

Global enterprises often face conflicting obligations when collecting data outside the United States in response to a U.S.-driven discovery request. Broad collection of data, very common in the U.S., can pose conflicts with blocking statutes and data privacy regulations. How can eDiscovery teams balance production requirements with private data protection?

Ryan Costello, head of data privacy services at ProSearch, recently addressed the topic in his article A Balancing Act: Mitigating Data Privacy Risks in Cross-Border Discovery, published in Cybersecurity Law and Strategy Newsletter. The article offers three practical approaches to protecting sensitive information in accordance with data privacy regulations while meeting document production obligations. Download a PDF of the article from our Resources page.

If you have concerns about identification and protection of private data, ProSearch can help.

Contact us to discuss the options.

The post Mitigating Data Privacy Risks in Cross-Border Discovery appeared first on Prosearch.

Mitigating Data Privacy Risks in Cross-Border Discovery
https://www.prosearch.com/mitigating-data-privacy-risks-in-cross-border-discovery/?utm_source=rss&utm_medium=rss&utm_campaign=mitigating-data-privacy-risks-in-cross-border-discovery
Fri, 05 Mar 2021 21:16:15 +0000

The post Mitigating Data Privacy Risks in Cross-Border Discovery appeared first on Prosearch.

A Balancing Act: Mitigating Data Privacy Risks in Cross-Border Discovery
https://www.prosearch.com/a-balancing-act-mitigating-data-privacy-risks-in-cross-border-discovery/?utm_source=rss&utm_medium=rss&utm_campaign=a-balancing-act-mitigating-data-privacy-risks-in-cross-border-discovery
Mon, 01 Mar 2021 22:10:01 +0000

The intersection of foreign laws governing data collection and cross-border discovery operations continues to be a challenge in global litigation. US Courts generally will require discovery to proceed, notwithstanding GDPR, local data privacy laws or other foreign legislation that may stand in the way.

How can global enterprises best proceed in a manner that meets the obligations of both US discovery and global data protection requirements?

This article by ProSearch Head of Data Privacy, Ryan Costello, outlines three solutions – protective orders, redactions, and ‘privacy logs’ – for complying with data privacy laws and other foreign regulations that often are at odds with US court requirements for document production.

Read the article here, in the March 2021 issue of Law Journal Newsletters Cybersecurity Law and Strategy.

The post A Balancing Act: Mitigating Data Privacy Risks in Cross-Border Discovery appeared first on Prosearch.

Practical Insights for Employee DSARs
https://www.prosearch.com/practical-insights-for-responding-to-employee-dsars/?utm_source=rss&utm_medium=rss&utm_campaign=practical-insights-for-responding-to-employee-dsars
Sat, 30 Jan 2021 21:11:32 +0000

The post Practical Insights for Employee DSARs appeared first on Prosearch.

Incorporating Privacy-by-Design into eDiscovery Workflows
https://www.prosearch.com/incorporating-privacy-by-design-into-ediscovery-workflows/?utm_source=rss&utm_medium=rss&utm_campaign=incorporating-privacy-by-design-into-ediscovery-workflows
Wed, 26 Jun 2019 22:33:29 +0000

By Ryan Costello, Esq, CIPP/E, CIPM

As originally published in ACEDS June 26, 2019.

Fifty years ago, on July 16, 1969, the Apollo 11 lunar mission sent the first astronauts to the surface of the moon. The computing technology used on that Apollo mission was revolutionary. The astronauts could control the spacecraft through a command module computer, and critical safety and propulsion mechanisms were controlled by software for the first time. Today the computing technology of the average cell phone far exceeds the computing power of the spacecraft that got humans to the moon and home safely. A single iPhone could guide 120 million Apollo era spacecraft to the moon, all at the same time!

With that kind of computing power in our pockets, it is no wonder so many of us take advantage of numerous mobile applications, social media, messaging, and collaboration workstream tools as often as we do. On average, each of us spends 4 hours a day staring down at our phone, often blurring the lines between business and private communications.

The universe of discoverable ESI (electronically stored information) is evolving rapidly. For many organizations, within three years of adopting an enterprise-level workstream collaboration platform, the volume of new data generated from that platform will eclipse the amount of data generated by email. Notably, Microsoft Teams is quickly becoming Office 365’s main collaboration tool and is on pace to become as prominent as Outlook. Messaging data and social media communications are routinely implicated in discovery requests and, with increasing regularity, submitted as critical evidence in legal proceedings. Data collections and discovery requests involving mobile, messaging, and collaboration applications often involve personal data and PII (personally identifiable information). Sensitive personal information might be there unintentionally, due to the nature of the applications for keeping people connected and perhaps a business culture that comingles business and personal lives. Other reasons may include the frequency at which many of us increasingly use these applications outside the traditional 9-to-5 workday and a lack of corporate guidance or use policies for new and emerging technologies. 

There is no doubt that redefining our eDiscovery processes, methods, and approaches is necessary for new technologies and the ESI they generate. Potentially responsive information likely exists in the candid communications common to messaging or collaboration applications, such as in chats, on virtual “white boards,” and in edited and re-edited versions of documents. But getting to this information, and along the way mitigating risks for personal data protection, is easier said than done. Emerging technologies are dynamic, context sensitive, and multi-dimensional. Every new content source requires its own method of collection, and they all behave just a little differently. It is likely that organizations will increasingly select discovery tools that can collect and process data across multiple cloud technologies or applications. This will ensure a reliable, defensible method of collection and processing compatible with conventional eDiscovery workflows already in place.

The implications for privacy and data protection, though, are considerable. Myriad multi-jurisdictional regulations require a balancing act to protect the data privacy of individuals while simultaneously meeting obligations for discovery. These regulations, such as the EU’s General Data Protection Regulation (GDPR), the Health Information Portability and Accountability Act (HIPAA), and the now imminent California Consumer Privacy Act (CCPA), cannot be ignored. A raised consciousness and awareness of privacy protections in discovery is required, in parallel with efforts to preserve and produce relevant, discoverable ESI with efficiency and precision. A serious regulatory risk exists for unintended personal data – particularly health or other similarly sensitive information – which may somehow find its way into collection and discovery. The risk is heightened when the appropriate data minimization controls have not been implemented or even considered, resulting in personal data being swept up in overly broad collection exercises.

The challenge of protecting personal data is increasingly being addressed by eDiscovery workflows designed specifically for mobile data and ESI from collaboration applications. Although these solutions are at a relatively early stage of development, well-defined guidance is available for how to embed data protection across workflows without sacrificing existing road-tested best practices, i.e. Privacy by Design.

The Privacy by Design concept has been around for quite a while, with inception as a Canadian thought experiment in how to ensure data protection across emerging technologies. But it has now been codified in Article 25 of the GDPR. Privacy by Design provides a solid roadmap for how to build data protection compliance into a product or workflow from the ground-up, as opposed to shoe-horning requirements into a process after it has already been developed. Privacy by Design-based approaches for discovery seek to integrate personal information protection over the lifecycle of all data handling processes. Importantly, the focus is on adaptation and evolution, not a zero-sum game that trades capability for over-restrictive data protection measures. Key attention is accordingly placed on relevance and materiality, from data collection through production, across the entire EDRM (electronic discovery reference model).

How the concept of Privacy by Design can be applied throughout the discovery process.

In practice, Privacy by Design throughout discovery could be as follows (see illustration):

  • Information governance
    • Privacy compliance and legal teams become engaged when new content sources are evaluated for business use. These teams ensure that data collection can be carried out in a defensible way and that it incorporates security measures and data protection considerations, thus demonstrating accountability and a thoughtful consideration of these issues.
    • Well-defined use policies and clear requirements for employees are then implemented for enterprise devices and apps, particularly as processes and protocols evolve for eDiscovery. 
  • Coordination with custodians
    • A collection process for more detailed, nuanced coordination with custodians is established – perhaps including some measure of self-collection for certain applications. However, self-collection will require a level of due diligence and assurance that the collections proceed properly, involving the right data, from the right custodian, for the right matter. In most cases, well-articulated, streamlined coordination with custodians will enable further insights into what unintended personal data or personal health data might be implicated in a collection. Again, this type of approach demonstrates accountability, a compliance requirement that could be crucial in the event of regulatory oversight.
  • Extracting personal data from data sets
    • As data moves across the EDRM and enters into processing, review and production, solutions for indexing, entity identification, and extraction aimed at removing, redacting, or otherwise disposing of any non-necessary personal data, ahead of even the review process, may significantly mitigate risk.
    • As an added measure, this same entity identification/extraction process can be replicated and reused for data subject access requests and breach responses, further enhancing the organization’s regulatory compliance posture.
  • Smart productions
    • At the very last stage of the discovery process, production quality control can serve as a last line of defense in eliminating non-material or unintended personal data. An emphasis on flawless productions is not only an essential part of the workflow, but should serve as the endgame of a truly well-developed eDiscovery playbook. The goal is to show every effort being made to ensure accountability for data protection compliance.   
  • Data security across processing activities and transfers
    • It is absolutely necessary – at every stage of discovery – to ensure that technical and organizational measures for security and data protection are in place, including access controls, security processes, audits, and data transfer protections. Security protections are critical regardless of whether data is processed, hosted, reviewed, and ultimately produced in the EU, United States, or anywhere else. Data security can be the common thread for assuring data protection compliance across numerous regulatory frameworks, as well as for data transfers in cross-border litigation and investigations.

Our shifting global regulatory landscape for data protection, together with exponential growth in the use of mobile applications and collaboration workflow tools, is changing the way data collection is approached, how data is handled, and how organizations will be held accountable for the treatment of personal and sensitive data in the discovery process. Solutions will require a re-consideration of conventional approaches to forensics, data collection, and eDiscovery workflows.

Privacy by Design offers a useful model for embedding privacy protections into the discovery process. It enables organizations to chart a course in the new universe of data, including development of well-crafted information governance processes for new and emerging technologies, focusing on privacy risk mitigation throughout the EDRM, and ensuring an emphasis on data security each step of the way.

Technology doesn’t wait for anyone. While only 50 years separate the computers of the Apollo mission from today’s iPhones, the pace of technology advancement is exponential. eDiscovery processes must keep up.

The post Incorporating Privacy-by-Design into eDiscovery Workflows appeared first on Prosearch.

The Mindful Data Transfer
https://www.prosearch.com/the-mindful-data-transfer-bringing-balance-to-cross-border-discovery-and-eu-data-protection-obligations/?utm_source=rss&utm_medium=rss&utm_campaign=the-mindful-data-transfer-bringing-balance-to-cross-border-discovery-and-eu-data-protection-obligations
Thu, 21 Mar 2019 18:03:41 +0000

By Ryan Costello, Esq., CIPP/E, CIPM
As originally published in ACEDS March 21, 2019.

The implementation of the European Union (EU)’s General Data Protection Regulation (GDPR) has raised a number of questions as to how best to approach cross-border discovery. Friction between legal holds and the “right of erasure,” anxiety about the scope of collections amid data minimization requirements, and considerable financial and operational penalties for failure to comply with the GDPR have created an environment of trepidation about how, and where, to best process, host, and review EU data in connection with US-based eDiscovery. In particular, risk associated with data transfers and access to data has prompted a data location-centric and localized view toward the management of EU data that is subject to discovery.

But let’s stop for a moment and take a deep breath here.

The timorous approach of limited data transfer and localized-only management of EU personal data actually stands in contrast to what the GDPR is designed to do, which is ensure a high level of protection of personal data while ALSO facilitating the free flow of personal data both within the European Union AND to third countries (i.e. those countries outside of the European Economic Area).

Even with limited case law on the GDPR, and an enforcement picture that’s still developing, we have regulatory guidance which reflects an understanding of the need for data transfer in cross-border investigations and pre-trial discovery procedures provided by the Article 29 Working Party (WP29, the group of regulatory representatives now referred to as the European Data Protection Board under the GDPR).

By implementing appropriate data management across the EDRM that is adequate, relevant and limited to what is necessary in each discovery exercise, it is possible to strike a balance between discovery needs and EU data protection requirements.

More specifically, cross-border discovery success can be ensured by following a mindful approach to data transfer and access, steeped in awareness of not only the impacts and risks for data subjects and custodians, but also including the best practice methods and technical measures needed to ensure the security and confidentiality of data.

Such a mindful approach to cross-border transfer and discovery brings greater assurance and clarity, but is not without responsibility. It requires balancing data collection, processing, and data transfer requirements with an understanding of how best to approach the data protection rights of EU individuals. The key for gaining certainty in understanding resides in the following recommended practices:

Assessing the impact for data subjects

Though it predates the GDPR, WP29 guidance on pre-trial discovery for cross-border litigation strongly promotes balancing the obligations of the discovery process with the potential impacts to the rights and freedoms of data subjects. Considerations should include the necessity and proportionality of data collected for discovery and ensuring that adequate safeguards and protections are in place.

There is little to suggest that these considerations have changed all that much under the GDPR. In fact, the need for organizations to document their decisions and analyses related to cross-border discovery “balancing” is underscored by the accountability obligations of the GDPR, and particularly via the data protection impact assessment (DPIA) requirement. It is possible to demonstrate the necessary awareness of, and commitment to, the protection of EU personal data by carrying out a DPIA with analysis of impacts to data subjects and ensuring the documented measures are in place for remediation.

In the event discovery is subjected to a regulatory oversight inquiry, the DPIA provides the appropriate documentation of GDPR compliance considerations and balancing of EU data protection requirements with discovery, as well as solid evidence of good faith data protection efforts.

Applying technical and organizational measures for security

Article 32 of the GDPR lays out the framework for implementing the technical and organizational measures required to ensure a level of security appropriate to the risks presented for data subjects. For discovery processes, this will mean ensuring ongoing confidentiality, integrity, and resilience of data processing and hosting systems, and could even mean instituting an approved certification mechanism to demonstrate advanced security implementation, such as ISO 27001.

While risk-averse organizations may have taken to limiting/eliminating data transfers and following a localized, in-country approach to data processing, hosting, and review to avoid the specter of GDPR enforcement, it can be argued that the real risk is in failing to approach the technical and organizational measures required for security in a holistic and well thought-out manner. Think about it: data that exists in an insufficiently secure environment within the borders of a single jurisdiction is likely more at-risk than data that is securely protected in its place of origin, while in transit, and in a cross-border location that is also securely protected.

The crux of these requirements is protection for the data subject, not limitations around data movements.

Accordingly, a mindful approach to cross-border discovery will look to the interests of the client by focusing on robust security, and not choking off the flow of data, as the real means to ensuring success and cost mitigation under the GDPR.

Ensuring lawful and secure transfer and remote access to personal data

Given the spirit, purpose, and intention of the GDPR as a means of protecting an individual’s personal information while also fostering the free flow of data, a position to keep data localized in the EU simply because of the GDPR’s limitations on transfers to third countries outside the EEA would seem misguided. Reality is more nuanced.

A mindful approach to data transfer is focused on ensuring that the data protection guarantees enjoyed by individuals in the EU are not lost when the data is transferred overseas. Carrying out discovery requirements solely in-country misses the point, and potentially at considerable financial and logistical/operational expense.

The transfer requirements of GDPR Chapter V are not intended to prohibit data transfers entirely, but rather to ensure that the appropriate safeguards exist when transfers take place to countries (such as the US) where substantially equivalent protections have not been defined for individuals.

Accordingly, a mindful approach to data transfers, as with other elements of cross-border discovery, entails considering how data subjects can be protected throughout the process.

Despite some continued concerns about its efficacy, the Privacy Shield self-certification mechanism allows for the transfer of data to the United States, and does so by extending GDPR protections to EU individuals. It has now passed annual review twice. Intra-company transfers are allowable under the Privacy Shield, as well as transfers to other Privacy Shield signatory companies.

Those organizations that do not have a Privacy Shield certification in place, or fall outside the jurisdiction of the Federal Trade Commission or Department of Transportation (the US Agencies which oversee the framework), can select standard corporate contracts (sometimes called model contracts), or Binding Corporate Rules (which are subject to direct DPA approval) as a means of transfer.

What all these transfer mechanisms have in common is that they ensure the appropriate safeguards are in place for data protection, including the appropriate security measures, in addition to providing for enforceable data subject rights and effective legal remedies for individuals. As with the entirety of the GDPR, the focus is on the individual and protection of their rights, not curtailing global business operations for the sake of keeping data in the EU.

If there was any doubt about the legislative intent and enforcement prerogatives, we also have guidance from the European Data Protection Board (EDPB) on the derogations for data transfer under GDPR Article 49 in specific reference to circumstances for cross-border discovery and the necessity for transfer. The derogations are exemptions for limited, non-repetitive data transfers in specific situations where no other transfer mechanism applies, and Article 49(1)(e) provides an exemption for transfers “necessary for the establishment, exercise, or defense of legal claims.”

The EDPB guidance on this provision states that this derogation is intended to cover a range of activities, including for the purposes of formal pre-trial discovery procedures, civil litigation, and administrative investigations, such as in the anti-trust context. Accordingly, we have evidence here that not only are regulatory authorities aware of the fact that data transfers are an inevitable result of cross-border discovery, but they are in fact providing a clear means with which to carry out those transfers in a lawful manner, given the appropriate conditions and safeguards for data subjects.

It should also be noted that remote access to data located in the EU is considered a transfer under the best understanding we have at the moment through limited European Court of Justice case law and WP29 opinions that pre-date the GDPR. That said, given what we know about DPA awareness of cross-border discovery transfer requirements and the free flow of data under the GDPR, there is a strong argument to be made that limited access to EU data by US-based processing and/or IT service teams is permissible transfer, provided that access is adequate, relevant, and limited to what is necessary for the cross-border discovery process.

Clear implementation of protections for data subjects, documented considerations of risk remediation, and strictly limited access and oversight protocols will be substantial indicators of thoughtful consideration of the compliance requirements at play when determining an appropriate approach to remote access.

Serenity Now – Fostering Cross-Border Discovery through Careful Consideration of Data Protections

GDPR requirements are neither prescriptive nor proscriptive, and in a wave of uncertainty regarding what compliance frameworks should look like, how data transfers should be appropriately handled, and potential sanctions for non-compliant discovery operations, organizations have been quick to consider in-country processing, hosting, and review as the only answer to meeting GDPR compliance.

However, a compliant approach to GDPR really requires a carefully documented analysis and consideration of the impacts for data subjects, and implementation of the best-suited security protections and appropriate safeguards given an organization’s litigation profile and cross-border operational structure. A degree of assurance and certainty can then be achieved with these measures in place. While some in-country data processing may still be necessary to ensure that personal data subject to cross-border discovery is indeed adequate, relevant and limited, there is nothing to suggest a prohibition on transfer is necessary or required. Further, limiting cross-border litigation expense and operational impacts is possible through a mindful approach to discovery. Namaste.

ProSearch Appoints Data Privacy Expert Ryan Costello

https://www.prosearch.com/prosearch-appoints-data-privacy-expert-ryan-costello/

Tue, 19 Mar 2019 14:49:07 +0000
Strengthens US-EU Cross-Border eDiscovery and Matter Support Services

ProSearch Strategies, Inc., the visionary leader in corporate eDiscovery and legal data analytics solutions, today announced the appointment of Ryan Costello, Esq., CIPP/E, CIPM, as Head of Data Privacy Engagement Services. Costello is a US-licensed attorney and expatriate based in Rome, Italy, reporting to Dr. Gina Taranto, ProSearch Director of Applied Science and Accelerated Learning Solutions. As the company’s data privacy expert, Ryan will be lending his expertise on cross-border eDiscovery, compliance and investigatory matters, with a focus on assessing protective controls for personal data throughout the EDRM lifecycle.

Ryan has cultivated in-depth expertise in data protection and data privacy compliance through more than 12 years of experience in eDiscovery, litigation support, and international law. This includes working with myriad clients on managing their EU-based eDiscovery exercises while navigating General Data Protection Regulation (GDPR) and other multi-jurisdictional data protection compliance requirements. Ryan routinely assists clients by remediating their corporate discovery risks, with an eye toward solutions that utilize best practice technical and organizational measures, data management solutions and innovative technologies.

“We are excited to welcome Ryan to the ProSearch team where he will work with our Los Angeles and Dublin offices in support of cross-border engagements. Our US and multinational clients will appreciate his extensive expertise in processes and solutions for ensuring compliance with data privacy requirements,” said Taranto.

“I have long admired ProSearch and its focus on the delivery of innovative, high-quality solutions for electronic discovery and data analytics. It is an honor to join the team and I look forward to working with their global clientele in support of matters requiring the protection of personal and other sensitive information,” said Costello.

Ryan is a frequent speaker and writer on GDPR and other data protection compliance topics and challenges that impact organizations in the US, Europe and across the globe. He earned his BA in English and Communications from Elon University and his JD from Western New England University.

Ryan Costello, Esq

HEAD OF DATA PRIVACY ENGAGEMENT SERVICES
A US-licensed attorney and expatriate based in Europe for more than 10 years, Ryan has cultivated an expertise in data protection and data privacy compliance across a career in eDiscovery and litigation support. With a particular interest in the area where cross-border discovery and data protection intersect, Ryan has worked with a myriad of clients to manage EU-based eDiscovery exercises while navigating data protection compliance challenges on both sides of “The Pond.” With the implementation of the General Data Protection Regulation (GDPR) amidst other changes in the regulatory context, Ryan has assisted organizations in remediating cross-border discovery risks at every turn, with an eye toward solutions that utilize best practice technical and organizational measures, data management solutions and innovative technologies.

Ryan assists across a range of client engagements, with a focus on assessing protective controls for personal data across the lifecycle of the EDRM. He is also a frequent writer and speaker on the GDPR, as well as data protection compliance topics and challenges in the US and across the globe. Ryan received his BA in English and Communications from Elon University, and his JD from Western New England University.
