By: Nate Latessa, Vice President of Corporate Services
In the two years since the General Data Protection Regulation (GDPR) came into effect, over 100 privacy laws have been introduced around the globe. Here in the US, the California Consumer Protection Act (CCPA) came into full effect in January 2020. Maryland, Nevada, Massachusetts, and Rhode Island also passed privacy legislation, with at least eleven other states considering their own privacy regulations. This trend is leading many to believe that it’s only a matter of time before federal privacy legislation is enacted.
Only 54% of Companies Know Where Their Sensitive Data is Stored
It’s difficult to comply with data protection laws if a business doesn’t even know what personal data it possesses. Since much of a business’s stored information predates the recent data protection laws, it is more common than you might think to find that the compliance team does not know where the business stores all of its sensitive information. This is especially true for organizations that are active acquirers of other companies. Many of the acquired physical and digital assets are blindly integrated into the larger organization with very little vetting or auditing of the data they store. This digital promiscuity could lead to severe compliance penalties and reputational damage, resulting in substantial financial losses for the organization.
eDiscovery to the Rescue
For years, eDiscovery professionals have been honing their tools and techniques to identify, preserve, collect, process, review and produce electronic data for litigation and investigations. Dealing with massive amounts of disparate data, under incredibly tight deadlines, to find a needle in a stack of needles is a typical day for these professionals. The process of finding critical and sensitive data to comply with privacy regulations is not much different.
Apples to Apples
Just like an eDiscovery matter, compliance with privacy regulations starts with identification: which custodians and data sources are in possession of potentially sensitive information. Large, structured repositories typically have well-defined data models, making it easier to locate sensitive data. However, sensitive data could be buried in unstructured fielded text within structured databases, which presents unique challenges. The bigger challenge is sensitive unstructured data buried in documents and emails on workstations and servers. In either instance, eDiscovery forensic examiners are uniquely equipped with the tools and skills to quickly and efficiently surface sensitive data.
In the case of a data subject access request, preservation and collection of that data may also be necessary. More often than not, sensitive data is intermingled with other sensitive data, which requires each piece of data to be reviewed and possibly redacted. Just like legal document review, privacy review can be performed using the same eDiscovery tools and reviewers.
Don’t reinvent the wheel. Utilize the eDiscovery tools and personnel you have in-house or let the professionals at ID help you out.