February 09, 2022

 Andrew Greene

data privacy DSARs GDPR privacy litigation elevatenext

Companies entangled in litigation are well familiar with the drill: discovery requests lead to a collection of a broad swath of documents from numerous e-mail boxes, servers, hard drives, and cloud accounts. Next, your outside lawyers and e-discovery vendors sift through gigabytes of data to identify the relatively small percentage of potentially responsive documents. Their work incurs costs wildly disproportionate to the amount of information at issue, and substantial internal resources get diverted while e-mail boxes and other repositories are searched. This is when many managers wish, belatedly, there had been better policies and procedures in place. The only consolation is that – for many organisations – litigation involving such discovery is not a daily occurrence, and burdensome data collection is too infrequent as to be considered routine.

But the continued rollout of new privacy laws may be changing all of that. Given the ever-growing list of such laws, companies would be well served to re-evaluate their current efforts concerning data mapping, retention policies, and data governance.

First, a little background: since 2018, the European Union’s General Data Protection Regulation (GDPR) has granted individuals located in the EU certain rights to demand, among other things, that organisations: tell them what data is being collected about the individual; provide a copy of any personal data; correct any inaccurate data; limit the way the individual’s data is used; and, under certain circumstances, delete any personal data about the individual.

A slew of similar regulations has followed in other jurisdictions. Beginning in 2020, California’s CCPA (the California Consumer Protection Act) and Brazil’s General Data Protection Law (referred to as LGPD, an abbreviation for the Portuguese title of the law) granted similar rights to their citizens. Virginia (with the Virginia Consumer Data Protection Act or VCDPA), Colorado (via the Colorado Privacy Act, the CPA) and California (this time under the California Privacy Rights Act, the CPRA) have hopped on the “data subject rights” bandwagon. Depending on the jurisdiction, such rights may apply to consumers, households, and even employees. Other jurisdictions continue to consider similar legislation, and, of course, individuals are becoming increasingly aware of these new rights. Little wonder, then (as Jeff Rohlmeier noted in a recent article), more and more organisations are finding that the old “’inbox and spreadsheet” method of handling data subject requests is no longer viable.

In this context, it is crucial that organisations establish processes and workflows and implement appropriate technology to deal with increased data requests (expected or unexpected). Just as important is developing comprehensive data inventories, accurate data maps, and practical and enforceable data protection and retention policies.

Although the foregoing guidance may sound straightforward enough, anyone who has dealt with information collection (in the context of litigation, regulatory actions, or otherwise) knows it is not always so simple. Even an organisation with a central document repository where all consumer records are supposed to be kept, may not account for the ad hoc use of e-mail or collaboration software to share attachments when resolving a customer complaint. There are other potential complications, such as a document retention policy that preserves data for short periods may be optimal for privacy purposes but a problem in regulatory investigations or spoliation claims during litigation. And whatever the policy, software platforms used to carry out a policy are only as useful as their operators.

Such challenges are even more difficult for organisations without a robust legal operations function to support technology evaluation, process design, and staffing. Yet, as privacy regulations (and awareness of them) continue to grow, the importance of these sorts of activities will only increase.

Is all lost for companies with limited resources to devote to privacy? Of course not. Privacy readiness is not rocket science, nor does it have to be a mammoth line item in the budget. As with many challenges, it can be made much easier by focusing on the right things early – in this case, matters such as determining where personal information is kept and why. And chances are, whatever an organisation’s circumstances, someone else has already been there and can provide a good roadmap for a solution.

So, to any organisation that feels it may not be ready for the brave new world of data subject requests, we advise: take a breath, consult with people who have been there, and – most importantly –  begin now rather than waiting until events beyond your control create an emergency.