When your “Compliance” and eDiscovery Processes Violate the GDPR

Time to reevaluate tools that rely on systemic data duplication

The European Union (EU) General Data Protection Regulation (GDPR) became effective in May 2018. To briefly review, the GDPR applies to the processing of “personal data” of EU citizens and residents (a.k.a. “data subjects”).” Personal data” is broadly defined to include “any information relating to an identified or identifiable natural person.” That could include email addresses and transactional business communications that are tied to a unique individual. GDPR is applicable to any organization that provides goods and services to individuals located in the EU on a regular enough basis, or maintains electronic records of their employees who are EU residents.

In additional to an overall framework of updated privacy policies and procedures, GDPR requires the ability to demonstrate and prove that personal data is being protected. Essential components for such compliance are data audit and discovery capabilities that allow companies to efficiently search and identify the information necessary, both proactively, and also reactively to respond to regulators and EU private citizen’s requests. As such, any GDPR compliance programs are ultimately hollow without consistent, operational execution and enforcement through an effective eDiscovery information governance platform.

However, some content management and archiving tool providers are repurposing their messaging with GDPR compliance. For example, an industry executive contact recently recounted a meeting with such a vendor, where their tool involved duplicating all of the emails and documents in the enterprise and then migrating all those copies to a central server cluster. That way, the tool could theoretically manage all the documents and emails centrally. Putting aside the difficulty of scaling up that process to manage and sync hundreds of terabytes of data in a medium-sized company (and petabytes in a Fortune 500), this anecdote underscores a fundamental flaw in tools that require systemic data duplication in order to search and manage content.

Under the GDPR, data needs to be minimized, not systematically duplicated en masse. It would be extremely difficult under such an architecture to sync up and remediate non-compliant documents and emails back at the original location. So at the end the day, this proposed solution would actually violate the GDPR by making duplicate copies of data sets that would inevitably include non-compliant information, without any real means to sync up remediation.Desktop_virtualization

The same is true for the much of the traditional eDiscovery workflows, which require numerous steps involving data duplication at every turn. For instance, data collection is often accomplished through misapplied forensic tools that operate by a broadly collecting copies through over collection. As the court said in In re Ford Motor Company, 345 F.3d 1315 (11th Cir. 2003): “[E]xamination of a hard drive inevitably results in the production of massive amounts of irrelevant, and perhaps privileged, information…” Even worse, the collected data is then re-duplicated one or often two more times by the examiner for archival purposes. And then the data is sent downstream for processing, which results in even more data duplication. Load files are created for further transfers, which are also duplicated.

Chad Jones of D4 explains on a recent webinar and in his follow-on blog post about how such manual and inefficient handoffs throughout the discovery process greatly increase risk as well as cost. Like antiquated factories spewing tons of pollution, outdated eDiscovery processes spin out a lot of superfluous data duplication. Much of that data likely contains non-compliant information, thus “polluting” your organization, including through your eDiscovery services vendors, with increased GDPR and other regulatory risk.

In light of the above, when evaluating your compliance and eDiscovery software, organizations should keep in mind these five key requirements to keep in line with GDPR and good overall information governance:

  1. Search data in place. Data on laptops and file servers need to be in searched in place. Tools that require copy and migration to central locations to search and manage are part of the problem, not the solution.
  1. Delete Data in Place. GDPR requires that non-compliance data be deleted on demand. Purging data on managed archives does not suffice if other copies are on laptops, unmanaged servers and other unstructured sources. Your search in place solution should also delete in place.
  1. Data Minimization. GDPR requires that organizations minimize data as opposed to exploding data through mass duplication.
  1. Targeted and Efficient Data Collection: Only potentially relevant data should be collected for eDiscovery and data audits. Over-collection leads to much greater cost and risk.
  1. Seamless integration with attorney review platforms, to bypass the processing steps which requires manual handoffs and load files.

X1 Data Audit & Compliance is a ground-breaking platform that meets these criterion while enabling system-wide data discovery supporting GDPR and many other information governance requirements.   Please visit here to learn more.

Leave a comment

Filed under Best Practices, compliance, eDiscovery, eDiscovery & Compliance, Enterprise eDiscovery, GDPR, Information Governance, Information Management, Uncategorized

Live Demo of Relativity and X1 Integration Creates Significant Buzz

Last week we hosted a webinar with Relativity and D4, which highlighted the very compelling integration of our X1 Data Insight and Collection solution with the Relativity platform, including RelativityOne.  This integration is important as it provides game-changing efficiencies in the eDiscovery process by accelerating speed to review, and enabling more intelligent decision making.

The webinar featured live demonstration showing X1 quickly collecting data across multiple custodians and seamlessly importing that data into RelativityOne in less than two minutes.

This tweet from D4 is representative of the public and private reactions we received:

D4 Tweet July 18 v3

With the ability to search and collect emails and documents across up to thousands of endpoints and network sources with industry-leading speed, X1 Insight and Collection revolutionizes enterprise eDiscovery. For example, X1 empowers legal and consulting teams to iterate their search parameters in real time before collection, providing a revolutionary true pre-collection early case assessment capability. Additionally, with its intelligent collection capability, X1 performs instantaneous data processing (culling, de-duplication, text and metadata extraction, etc) in a fully automated manner.

Webinar speaker and D4 Director Chad Jones reported on his blog post that “In a matter of a few minutes X1 collected, processed, uploaded and published data from 5 custodians into a Relativity One (Relativity’s cloud offering) workspace. This functionality, built into a collection tool, has a chance to revolutionize the current eDiscovery process by collapsing the many hand-offs built into the current EDRM into a few short steps managed by one or two people.”

Barry O’Melia, a senior product manager at Relativity, advised the webinar attendees that “when we were planning the webinar I said that I wanted us to do a live demo into an empty Relativity workspace, as it is unbelievable without seeing it with your own eyes.”

The X1 and Relativity integration addresses several pain points in the existing eDiscovery process. For one there, is currently an inability to quickly search across all unstructured data, meaning eDiscovery teams have to spend weeks or even months to collect data as required by other cumbersome solutions. Additionally, using ESI processing methods that involve appliances that are not integrated with the collection will significantly increase cost and time delays.

So in terms of the big picture, with this integration providing a complete platform for efficient data search, eDiscovery and review across the enterprise, organizations are going to save a lot of time, save a lot of money, and be able to make faster and better decisions. When you accelerate the speed to review and eliminate over collection, you are going to have much better early insight into your data and increase efficiencies on many levels.

View the on-demand webinar see first hand the capabilities of X1 and Relativity by clicking here.

Leave a comment

Filed under Uncategorized

Assessing GDPR 30 Days In: A Report from the Field

Enforcement of the EU General Data Protection Regulation (GDPR) began May 25, 2018, and this new development is significantly reshaping the information governance landscape for organizations worldwide that control, process or store the data of European residents. Yesterday, X1 hosted a live webinar featuring GDPR experts Jay Kramer, a partner at Lewis Brisbois in the firm’s cybersecurity and privacy group, and Marty Provin, executive vice president at Jordan Lawrence.

Kramer provided a “battlefield report” about what he is seeing from the field and hearing from his various clients, with three main observations:

  1. Many are still late to the game. Kramer noted that he has several clients contacting him well after the May 25 enforcement date to begin the process of GDPR compliance.
  1. GDPR compliance maps to best practices. Becoming GDPR ready is a good business decision because it establishes transparency, data privacy and security processes that companies should be doing anyway.
  1. Now that the law has gone into effect, organizations that have been proactive are quickly transitioning from readiness to operational compliance and enforcement. For instance, many organizations are finding themselves responding to data subject access requests.

Kramer also noted that while much focus has been on potential fines levied under GDPR, organizations need to be aware that individuals can file complaints with the supervisory authorities under article 77, or even bring their own private actions, citing article 82. These claims have already been brought in the form of class actions, and Kramer expressed concern that many more claims could be fanned by “privacy trolls” – similar in concept to “patent trolls” – or by disgruntled customers or ex-employees.

Marty Provin outlined the importance of information governance and data classification in support GDPR compliance, especially from a standpoint of the need to operationalize policies and procedures in order to identify non-compliant data throughout your organization, and properly respond to regulatory requirements and data subject access requests. Kramer seconded that point, noting that the GDPR requires that an organization have absolute knowledge of where all EU personal data is stored across the enterprise and be able to remove or minimize it when required.

This readiness is achieved through planning, data mapping, and data classification. Provin provided an informative overview of these processes, based upon his extensive experience implementing such best practices for his clients over the past 20 years. Marty observed that it is also important to have a solution like X1 Data Audit and Compliance to search and identify documents, emails and other records across your enterprise that are non-compliant with GDPR. Such a capability is essential to address both the proactive and reactive components of GDPR.

The final segment of the webinar included a live demonstration of a proactive data audit across numerous computers to find PII of EU data subjects. The second half of the demonstration illustrated an effective response to an actual data subject access request in the form of a request by an individual to have their data erased.

In addition to comprehensive search, the demo highlighted the ability of X1 to also report in a detailed fashion and then take action on identified data by migrating it or even delete in place, including within email containers.

A recording of this informative and timely webinar is available for viewing here.

 

 

Leave a comment

Filed under Best Practices, eDiscovery & Compliance, GDPR, Information Governance, Records Management, Uncategorized

X1 Announces Strategic Product Integration with Relativity

Today we are announcing some exciting news. Our X1 enterprise eDiscovery solution now integrates with Relativity, the industry leading e-discovery platform. X1 Insight & Collection, a component of the X1 Distributed Discovery platform, allows enterprises to search across and collect from up to thousands of custodians in hours, now with direct upload into Relativity, including RelativityOne, utilizing Relativity’s import APIs.

The X1 and Relativity integration addresses several pain points in the existing e-discovery process. For one, there is currently an inability to quickly search across all unstructured data, meaning users have to spend the weeks or even months that are required by other cumbersome solutions. Additionally, using ESI processing methods that involve appliances that are not integrated with the collection significantly increase cost and time delays. And with such an  inefficient process there is simply no way for attorneys and legal professionals to gain immediate visibility into data, often leaving them to wait weeks before they have a chance to assess the data, post- collection.

The X1/Relativity integration directly addresses these challenges. Among the substantial benefits of this integration is the dramatic increase in speed to review, flowing directly from the custodian into Relativity on-premise or into the cloud-based RelativityOne platform. And this integration significantly reduces or completely eliminates inefficient ESI processing. X1 will search, cull and de-duplicate data at the point of collection and now integrates with the Relativity ingestion API, rendering inefficient and expensive processing appliances obsolete.

Organizations will be given real time early case assessment within minutes of initial search instead of taking days and weeks for this insight.  All of this is achieved with a truly repeatable end-to-end process for enterprises. The combination of X1 and Relativity provides a full and complete e-discovery platform.

“Collecting enterprise ESI can be one of the most daunting parts of the e-discovery process,” said Drew Deitch, senior manager for strategic partnerships at Relativity. “We’re excited to bring X1 into the App Hub, where it will offer users another great way to access, search, process, and import enterprise data into Relativity.”

Finally, with this integration providing a complete platform for efficient data search, discovery and review across the enterprise, this also enables organizations to very effectively address numerous information governance use cases such as GDPR compliance, identifying and removing PII and conducting IP data audits.

To see X1 in action, we have a 7-minute demonstration video including this integration with Relativity available here.

Leave a comment

Filed under Best Practices, ECA, eDiscovery, eDiscovery & Compliance, Information Governance, Preservation & Collection, Uncategorized

Data Discovery “Is the Foundation of GDPR Compliance”

Recently, I attended a very informative Microsoft GDPR Summit in Redmond, Washington. Microsoft invited their key compliance partners to brief them on Microsoft’s strong support for GDPR compliance within their Office 365 ecosystem, and to engage them in their strategy. The summit featured a slate of legal, compliance and technology experts who provided compelling insight into the GDPR, including challenges and opportunities for organizations as the May 25 enforcement date approaches.

Enza Iannopollo, a featured keynote speaker from Forrester, is an industry analyst with a deep focus on information security, data privacy and GDPR compliance. She noted that per a recent Forrester security survey, only about 30 percent of organizations report GDPR readiness. In her talks with major organizations, Iannopollo sees a strong if not belated commitment as they scramble to achieve readiness ahead of May 18. In terms of what it takes to effectuate GDPR compliance, Iannopollo presented a slide which simply stated the following: “Data Discovery and classification are the foundation of GDPR compliance.” Iannopollo said this is because the GDPR effectively requires that an organization be able to identify and actually locate, with precision, personal data of EU data subjects across the organization.

The speakers identified both a proactive and reactive requirement of data discovery under the GDPR. Iannopollo commented that a robust data discovery capability is needed to produce an intelligent data map, to classify and actually remediate non-compliant data. This data audit process should done at the outset, and also routinely executed on a recurring basis.

For reactive capabilities, Microsoft deputy general counsel John Payseno noted in a separate session that once GDPR enforcement comes online on May 25, 2018, organizations will be required to respond to data subject requests (DSRs) from individual, or groups of, EU data subjects. The DSRs under the GDPR consist of requests for data erasure, data transfer, or a confirmation that data permissively kept is done so in a minimal fashion without excessive duplication or re-purposing outside of the granted consent. Payseno said that companies must be able to document and demonstrate compliance with these DSRs, in a manner generally akin to responding to a subpoena or other legal requirement.

So a clear takeaway from the Microsoft summit is that GDPR compliance requires the ability to demonstrate and prove that personal data is being protected, requiring data audit and discovery capabilities that allow companies to efficiently produce the documentation and other information necessary to respond to regulators and EU private citizen’s requests. As such, any GDPR compliance programs are ultimately hollow without consistent, operational execution and enforcement.

While Microsoft demonstrated their capabilities to conduct effective data discovery in their O365 cloud environment, they openly acknowledge a significant gap for addressing on-premise unstructured data. Effective GDPR compliance requires the ability to gain immediate visibility into unstructured distributed data across the enterprise, through the ability to search and report across several thousand endpoints and other unstructured data sources, and return results within minutes instead of weeks or months as is the case with traditional crawling tools.

X1 Distributed Discovery (X1DD) represents a unique approach, by enabling enterprises to quickly and easily search across multiple distributed endpoints and data servers for PII and other data from a central location.  Legal and compliance teams can easily perform unified complex searches across both unstructured content and metadata, obtaining statistical insight into the data in minutes, instead of days or weeks. With X1DD, organizations can also automatically migrate, collect, delete, or take other action on the data as a result of the search parameters.  Built on our award-winning and patented X1 Search technology, X1DD is the first product to offer true and massively scalable distributed searching that is executed in its entirety on the end-node computers for data audits across an organization. This game-changing capability vastly reduces costs while greatly mitigating risk and disruption to operations.

X1DD operates on-demand where your data currently resides — on desktops, laptops, servers, or even the Cloud — without disruption to business operations and without requiring extensive or complex hardware configurations. Beyond enterprise eDiscovery, GDPR and other information governance compliance functionality, X1DD includes the award-winning X1 Search, improving employee productivity while effectuating that all too illusive actual compliance with information governance programs, including GDPR.

Leave a comment

Filed under Best Practices, compliance, Corporations, Data Audit, GDPR, Hybrid Search, Information Governance, Uncategorized