Sun. Sep 25th, 2022

    Content Assessment: Indecent Exposure? Considering Data Privacy Legislation, Technology, and Best Practices

    Information - 91%
    Insight - 92%
    Relevance - 90%
    Objectivity - 89%
    Authority - 92%



    A short percentage-based assessment of the qualitative benefit of the recent article by Tara Emory and Michael Kearney of Redgrave on data privacy technologies and best practices.

    Editor’s Note: From time to time, ComplexDiscovery highlights publicly available or privately purchasable announcements, content updates, and research from cyber, data, and legal discovery providers, research organizations, and ComplexDiscovery community members. While ComplexDiscovery regularly highlights this information, it does not assume any responsibility for content assertions.

    To submit recommendations for consideration and inclusion in ComplexDiscovery’s cyber, data, and legal discovery-centric service, product, or research announcements, contact us today.


    Minimize Regulatory Exposure from Consumer Data Privacy Legislation with Technology and Best Practices

    By Tara Emory and Michael Kearney*

    With growing numbers of individual U.S. states introducing and passing their own privacy laws, new (and amorphous) pending U.S. federal legislation, GDPR, and a complex array of other international laws on privacy, many enterprises justifiably lack confidence in their preparedness to comply with the various privacy regulations. While an abundance of technology solutions providers claim their tools can automate or facilitate privacy compliance, evaluating these solutions can be confusing. Different “privacy compliance” solutions may contain completely different features and work in quite different ways.

    Privacy compliance is a multifaceted process, and most available solutions do not cover all of its facets. To determine what technologies might be a good fit, organizations must determine which aspects of privacy compliance they need to prioritize, and then seek solutions to address those needs. Depending on the organization and applicable regulations, needed capabilities may include searching large stores of data in different ways, documenting and preserving information about systems, modifying or deleting personally identifiable information (PII), and more. Some solutions may involve artificial intelligence (AI) and other scripts, while others might involve less sophisticated technology, or might even be manual.

    Pending and Existing Laws Are Driving the Need for Better Data Management Practices

    Today’s organizations must comply with a mishmash of U.S. state and international privacy regulations, a situation that continues to evolve. For example, the pending American Data Privacy and Protection Act (ADPPA) presents the first comprehensive federal data privacy and security bill introduced in the U.S. with bipartisan and bicameral support. The reach of the language of the proposed ADPPA is broad and generally follows the trend of comprehensive privacy laws enacted over the past several years.

    Depending on jurisdictional requirements and the types of data an organization holds and accesses, different entities will be required to comply with different privacy requirements. All of them, however, must understand the types of data they collect, how those are used, and how long they are retained. They must develop strategies to efficiently identify, collect, review, and disclose information related to individual consumers, as the laws provide certain rights to data subjects, including the ability to know, modify, and delete related data.

    Some regulations require that certain entities follow data minimization principles and may provide increased protection for data related to young consumers, biometrics, and geolocation. Other regulations govern how entities across industries manage personally identifiable information or information that’s reasonably linkable to an individual. Data brokers, in particular, are in the crosshairs of regulators, and many of these organizations should begin planning to conduct algorithm impact assessments that describe their efforts to mitigate potential harm resulting from algorithm bias.

    Each of these requirements highlights how important it is that organizations understand their data environment. Employees tasked with privacy compliance must work together with others engaged in separate data regulatory and legal disciplines. Along with the obvious need to work with security, new regulations highlight the need for effective information governance practices. For example, entities should retain only information that supports a business objective or is needed to meet a legal requirement. By getting rid of information when it no longer serves a business or legal purpose, they will be able to slow the tide of data that they must analyze when working to remain in compliance with privacy obligations.

    Even with stellar information management practices, most organizations will be left with relative mountains of data that they must track to provide adequate consumer privacy safeguards, as well as provide information to individuals when receiving access requests. Except for smaller organizations that do not store much consumer personal information, most entities will need to turn to technology to remain in privacy compliance.

    Assessing Potential Technology Investments to Address Privacy Compliance

    With the patchwork of state and international requirements hovering in the background and new regulations potentially looming on the horizon, many organizations will need to acquire technologies and services to comply with the mandates stipulated by regulatory bodies. Organizations looking to build or bolster their privacy compliance programs using technology will face a dizzying array of options that address a variety of needs created by increased regulation.

    PII compliance entails multiple strategies and goals, and individual standalone solutions address some considerations better than others. Therefore, organizations developing a more robust compliance program need to start by creating a plan to prioritize their PII goals and building a technology investment roadmap to support their objectives. Once their PII priorities are established and ranked, they will be in a much better position to select the right tools for their immediate needs while planning for future investments.

    Here is an overview of core capabilities in privacy compliance tools:

    Documentation. Certain tools offer documentation capabilities for various types of PII stored within an organization’s systems. In some instances, however, these tools rely on manual data entry. If your PII governance tools require manual updates, you must be cognizant of the impact on workflow volume for your staff, ongoing data maintenance protocols, and the potential for error. Otherwise, privacy programs that rely on these technologies will soon contain outdated data and risk non-compliance.

    Identification. Other tools assist with the identification of PII throughout the various systems in your information technology environment. Before investing in this type of solution, you need a solid understanding of your organization’s data map. This initial due diligence—along with necessary ongoing updates—will help ensure that your organization addresses the necessary systems (and underlying data) required to remain in compliance. Organizations that fail to plan may later find that several systems have not been analyzed for privacy compliance.

    When selecting PII identification software, you should also understand whether the tools search for content using a structural or contextual approach. Whereas a structural approach will capture data that’s presented in a specified format, contextual tools can evaluate data that requires surrounding data to determine whether it represents PII. Machine learning (“ML”) algorithms driving the contextual tools may be able to detect a higher number of false positives than a structural approach that relies on simple regular expressions.

    Classification. Certain types of data (including data attributable to minors) are afforded heightened privacy protections by regulators. Although organizations should explore simpler solutions for classifying certain types of data (reviewing table headers, writing scripts, using structured queries), those with significant data sets with which they are encountering increasing headaches may also want to explore the data classification capabilities of certain ML tools. When exploring these options, you should remember to determine the amount of up-front work required to get these tools functioning properly.

    Access Requests. The heightened regulations around data subject access requests (DSARs) — formal requests made by a consumer to an organization asking for details about how their data is being collected, used, stored, and shared — require careful consideration. While there are tools that are purpose-built to assist with reviewing potentially responsive documentation related to DSARs, many organizations use technologies that were originally developed for eDiscovery purposes. Both types of tools can provide the capabilities needed to respond in a timely and accurate fashion, but the effort must be supported by appropriate workflows for successful outcomes.

    Applying Best Practices for Information Governance

    Technology can serve as a tremendous aid for entities trying to comply with mandates from privacy regulation. The technologies they choose are only as good as the processes and workflows that are implemented around them. There are a lot of solutions that may serve the needs of your company, but working them into the structure of your organization is vital to your ultimate success. These considerations should be addressed at the procurement, implementation, and refinement phases of any organization’s compliance program.

    Once appropriate structures are in place, you need to get and keep your people on board with following the appropriate policies and procedures, which requires training and cross-functional knowledge to the degree that they’re able to be effective data stewards. For example, a team member who receives a DSAR must understand the response process from start to finish to be able to perform their duties effectively — and they need the right technologies to get the job done.

    No organization will achieve 100% compliance with policies and procedures; it’s human nature to fall back into old habits even when your people are fully trained. While you shouldn’t be looking to trap employees in non-compliant activities, you should have mechanisms in place to measure compliance and implement corrective measures when problems surface. Establishing consequences out of the gate and conducting periodic compliance audits will keep your people on track, and following up promptly when there’s a problem creates a closed-loop process.

    Finally, define the metrics you will apply to demonstrate success with your information governance program. They should align with both your organizational goals and the nature of your data ecosystem. Even after implementing the appropriate technology and processes, your organization will need to continue to refine its internal compliance program.

    And at the end of the day, fitting technology to privacy mandates is a complex problem, and you should consider the data to be managed, organizational needs, and specific compliance requirements. By starting with these considerations, you will have a great start to ensuring that your organization can comply with the new privacy regulations that come your way.

    * About the Authors

    • Tara Emory

    Tara Emory is a recognized leader in advising organizations and law firms on eDiscovery processes and information governance programs, including managing the development of search methodologies, data preservation and collection approaches, discovery protocols, data management and compliance programs, and records management technology solutions. Tara brings extensive experience in developing targeted and innovative solutions for a wide range of data problems to her role as Senior Vice President of Strategic Operations and Consulting at Redgrave Data. Prior to joining Redgrave Data, Tara served in multiple leadership roles at Innovative Driven, most recently as the Vice President, PRESA (Premiere Expert Solutions Advisory) Group & Associate General Counsel. Earlier in her career, she practiced as an associate attorney at various AmLaw 100 firms, including Skadden, Arps, Slate, Meagher & Flom LLP, Cadwalader, Wickersham & Taft LLP, and Clifford Chance US LLP. Since 2019, Tara has been recognized by the Chambers Litigation Support Guide as a nationally ranked expert in “eDiscovery – USA – Nationwide.” Tara received her J.D. and her LL.M. (International and Comparative Law) from Duke University School of Law and her B.A. from Pennsylvania State University. She holds a Project Management Professional Institute Certificate (PMP). Tara is admitted to practice in New York, the District of Columbia, and Virginia.

    • Michael Kearney

    Michael is a leader in developing technical solutions and processes to address complex issues related to electronically stored information. He brings a multi-faceted background in technology, law, and consulting to his role as Head Solutions Architect at Redgrave Strategic Data Solutions LLC (“Redgrave Data”). Prior to joining Redgrave Data, Michael served as a Legal Technology Solutions Architect at Hogan Lovells, where he advised clients on matters related to information management and developed data-driven custom solutions to assist case teams with the analysis of complex data sets. His career trajectory began at Wells Fargo, managing a team in the information security risk department, followed by attending law school and practicing law as an attorney at Redgrave LLP. Michael received his B.A. from Washington and Lee University and his J.D. from William & Mary Law School.

    Source: ComplexDiscovery

