Ediscovery & Digital Forensics blog

KrolLDiscovery named in Inc. 5000’s fastest growing companies list

by Lauren Grest on August 22, 2017 in News with No comments

Inc. magazine revealed its 36th annual list of the 5,000 fastest-growing private companies in America, including KrolLDiscovery at No. 2024. The list represents a unique look at the most successful independent small and midsized companies. Past honorees include Microsoft, Dell, Domino’s Pizza, Pandora, LinkedIn, Yelp, Zillow and many others.

Of the tens of thousands of companies that have applied to the Inc. 5000 over the years, only four percent have made the list six times.

“We at KrolLDiscovery are honored to continue our stay on the Inc. 5000 rankings and be included in Inc.’s seminal list for a sixth year in a row,” said Chris Weiler, CEO of KrolLDiscovery. “Our commitment to providing excellent service and technology for our clients is the reason we continue to grow at this pace.”

Added Weiler, “It’s also important to recognize and congratulate the KrolLDiscovery team for their continued passion and dedication over the last year.”

“The Inc. 5000 is the most persuasive evidence I know that the American Dream is still alive,” said Inc. President and Editor-in-chief Eric Schurenberg. “The founders and CEOs of the Inc. 5000 tell us they think determination, risk taking and vision were the keys to their success, and I believe them.”

The 2017 Inc. 5000, unveiled online at Inc.com and with the top 500 companies featured in the September issue of Inc., is the most competitive crop in the list’s history. The average company on the list achieved a mind-boggling three-year growth of 481 percent. The Inc. 5000’s aggregate revenue is $206 billion and the companies on the list collectively generated 619,500 jobs over the past three years, or about eight percent of all jobs created in the U.S. economy during that period. Complete results of the Inc. 5000 can be found online at http://www.inc.com/inc5000.

How do ediscovery platforms manage the challenge of East Asian languages?

by Lauren Grest on August 18, 2017 in Pieces of Interest with No comments

As a global company, it is always interesting to learn about how clients and colleagues use technology to overcome challenges. In our recent Face to Face with the Regulators symposium, one of the key requirements for clients working in Asia is capacity for their ediscovery vendors to deal with East Asian languages such as Chinese, Japanese and Korean.

We caught up with our friends and colleagues at KrolLDiscovery APAC to find out how ediscovery technology tackles these languages.

How have you seen Asian countries like China handle the challenge of handling data in multiple languages during international and national e-discovery projects?

Working in multiple languages either nationally or internationally can present a number of challenges. First, you need an ediscovery platform capable of handling multiple languages including Chinese, which comes with its own set of challenges specific to the written form (more on this later). Secondly, you need to have in place native speakers in each language who understand the legal and technological considerations of each case. For international projects, there is a third consideration that you need teams that can work locally in each country whilst still communicating and working as part of a wider global team.

Our Asian clients come to us because our combination of technology, global network and local expertise mitigates these challenges. In terms of technology, our ediscovery platforms can handle hundreds of languages including Traditional Chinese, Simplified Chinese, Korean and Japanese. One platform can handle multiple languages within one country, simplifying national ediscovery projects with multiple language requirements.

For international projects, we like to say we are around the globe but across the street. Our case managers, consultants and forensics experts are based in local offices and speak the local language but are part of something bigger and often work on cross-border cases in conjunction with our other teams around the world. We believe this is the key to a successful ediscovery project involving multiple languages and jurisdictions as ultimately, there needs to be cohesion and collaboration to ensure the deadlines and requirements in all countries involved are met.

What are some of the nuances or idiosyncrasies of the Chinese language which may make it more difficult than English to review for e-discovery practitioners and e-discovery tools / machines? Do other related Asian languages share the same nuances / idiosyncrasies?

The biggest challenge for ediscovery practitioners and ediscovery software developers alike is handling the written forms of Chinese and other East Asian languages. Unlike Western languages using Roman or Cyrillic alphabets where each letter represent sounds to build words, Chinese (traditional and simplified), Japanese and Korean language groups use a logographic system. As a result, single characters can represent anything from a single word to multiple words to entire phrases. Furthermore there are no spaces to segment individual words. A string of characters can be read differently depending on where they are segmented by the reader or indeed, in ediscovery cases, the platform.

When looking for an ediscovery platform to use in China, it is vital that effective tokenization systems are in place. Tokenization is the process of segmenting character to strings to define words and phrases. The best ediscovery systems use sophisticated tokenization systems to ensure searches of accurate. In contrast, more basic platforms deploy a simplistic method whereby each character is assigned a word. Given the nuances involved, these systems can result in unreliable and inaccurate data filtering and processing.

Language recognition can also present a problem during Asian ediscovery projects. For example, the Japanese has three written language systems; hiragana and katakana which are syllabaries (phonetic writing systems where each character represents a syllable) and kanji. Katakana is primarily used to transcribe foreign words. Kanji is a logographic system that uses a lot of characters common to written Chinese. On a similar note, some Japanese text is written in ‘Romaji’ where the Roman alphabet is used to write in Japanese. As a result, some platforms may not recognize a text as being written in the Japanese.

When looking for ediscovery providers for projects in Asia, it is always best to choose companies that employ native speakers in their consultancy, case management and computer forensics teams. Aside from the complications involved for platforms handling Asian written languages, human readers can also struggle. Asian languages are richly nuanced and the meaning of a word or phrase can be changed by the use of different tones or regional dialect. Even fluent second language speakers may miss these nuances which could result in significant misunderstandings that may affect the outcome of a case or investigation.

Have you seen more e-discovery companies or practitioners use advanced technology like AI to better mitigate language challenges when conducting e-discovery? If so, how?

Asia is only just beginning to discover the advantages of predictive coding technology. The majority of our clients in Asia are using predictive coding to automatically create workflows by identifying documents according to language and then segregating documents for processing accordingly.

However, some of our more technologically savvy clients are starting to unlock the potential predictive coding has for refining the ediscovery process on projects involving Asian languages for example, to look documents containing for colloquialisms or other ambiguous language that requires further human review to improve clarity and understanding.

Face to Face with the Regulators in Tokyo

by Lauren Grest on August 3, 2017 in Best Practice & Top Tips, events, Pieces of Interest with No comments

On July 26th, our Tokyo office hosted a unique event: Face to Face with the Regulators. Delegates were able to get up close and personal with regulators from the US Department of Justice, US Securities & Exchange Commission and the US Federal Bureau of Investigation for a discussion on the following topic :

Enforcement trends
Industries under the regulators’ spotlight
The conflict between US regulators’ expectations and business culture in Japan
Clarifying regulators’ expectations
Managing ediscovery requirements and tips for a cost-effective process

Although the day was designed to help Japanese businesses, the insights that were shared are valuable for European businesses who have subsidiaries in the USA. Below is a high level overview of the the key points that came out of the day’s discussions.

Pay now or pay later. Implementing and investing in compliance programmes is something that will save your company money in the long run. It is always better and cheaper to uncover wrongdoing and use leniency programs than undergo an investigation triggered by a whistleblower or having attracted scrutiny from regulators. This applies to both anti-bribery and antitrust cases.
Collaboration between national and international regulators is increasing each year. This means there are more resources to conduct investigations leading to more prosecutions and subsequently more risks for companies operating domestically and abroad.
Third party subsidiaries, partner organisations and suppliers remain a source of considerable risk for companies. Companies need to be vigilant and ensure that their compliance programmes and training extends to these organisations and individuals. Management needs to buy into to compliance and communicate directly with those on the ground to understand and manage risks.
Individuals are becoming more important to investigations. Programs have been introduced that financially reward individuals for reporting wrongdoing to the authorities. This will incentivise potential whistleblowers into taking action against their companies. Equally, individuals violating antitrust and anti-bribery legislation are at risk from prosecution and can receive harsh including fines and prison sentences.
Ediscovery is essential for effectively responding to regulatory investigations and facilitating efficient compliance programs. The sophistication of this technology means you can respond quickly to requests for information, uncover and preserve key evidence and avoid excessive costs associated with processing large volumes of data

Thank you to all of our speakers, delegates and our colleagues in the Tokyo office for making the event so informative and inspirational.

KrolLDiscovery Summer Party: Ornament, Armament, Merriment!

by Lauren Grest on July 12, 2017 in events with No comments

We hold many events all around the world; some are small seminars, others are panel discussions featuring prestigious speakers and many are practical workshops. But sometimes, we just want to have fun and thank our clients for working with us.

This year, we threw our biggest summer party yet; at the Tower of London. Led by the famous Yeoman Warders, our guests were given a private viewing of the Crown Jewels before enjoying champagne and canapes in and around the famous White Tower.

By day, the Tower is a busy place, thronging with tourists and tour guides. Amongst the commotion it can be hard to appreciate on the hundreds of years of history. But by night when the crowds have dissolved and the sun sets, it truly is magical.

You can check out some of the photographs from the night here: https://mattharquail.smugmug.com/KrollDiscovery-Summer-Party/n-KB2dKF/

An overview of Sapin II

by James Farnell on July 10, 2017 in Legal Developments, News with No comments

Fraud, corruption, bribery. Across the globe, these challenges hit close to home for legal and IT professionals regularly called on to collect, analyze and produce data in support of an active investigation or compliance audit.

In France, game-changing legislation is taking effect to strengthen anti-corruption efforts and U.S. businesses with global operations need to be prepared. The provisions of new anti-corruption legislation, Sapin II, have just come into force in France (as of May 2017). Sapin II, adopted on November 8, 2016, is modeled on the U.S. Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act.

SAPIN II: THE KEY TO CLOSING LOOPHOLES IN FRANCE

In 2005, Sapin II was first proposed and named after Michel Sapin, a French politician and France’s Finance and Economic Minister. Like many countries, France has attempted to combat fraud through multiple anti-corruption laws. However, these laws had several loopholes. The main aim of Sapin II was to strengthen existing anti-corruption legislation by implementing provisions that would close existing loopholes in France’s anti-corruption laws.

Sapin II is a comprehensive anti-corruption framework, some parts of which are more important than others. Below are a few key provisions of Sapin II, along with brief explanations.

1. France’s Expanded Jurisdictional Reach: Prior to Sapin II, French prosecutors had limited jurisdiction in bribery cases. Sapin II removed these restrictions and gave criminal prosecutors the opportunity to charge more offenders in bribery cases.

2. Creation of the French Anti–Corruption Agency (AFA): Sapin II created a new administrative agency known as the AFA. The AFA has replaced the Central Service for the Prevention of Corruption (SCPC). It is monitored by a presidential appointee and a sanction commission. The AFA has four major responsibilities:

Prevent and detect corruption in the private and public sector;
Help companies implement compliance programs that are required;
Report violations of the law to prosecutors; and
Oversee the monitorships of corporations.

The AFA sends informative reports to the Justice and Budget Ministries to work together to keep up with fraud and anti-corruption strategies.

3. Compliance Program Requirement: Under Sapin II, a company must have a compliance program in place when there are more than 500 employees and the company has a gross revenue exceeding 100 million euros. This is applicable to both French subsidiaries and non-French companies who fulfill the above criteria. There are eight criteria that must be met in order for a compliance program to be deemed to be sufficient by the AFA. The most important criteria are that there must be corporate risk mechanisms and disciplinary procedures in place. Failure by a company to have a compliance program could lead to directors and managers being sanctioned by the AFA.

4. Whistleblower Protection Provision: Sapin II protects those who with good faith report against those who have violated any of France’s laws, international treaties where France is a party, or have threatened the public interest. In order for the whistleblower to receive protection he or she must notify a supervisor directly or indirectly. If the issue is not resolved within a reasonable amount of time then external parties may be notified and if three months have gone by and it is still not resolved, the public may be notified about the violation. Retaliation against a whistleblower can lead to both criminal and civil punishment.

5. French Deferred Prosecution Agreements (DPA): Sapin II’s DPA is modeled on the U.S. DPA. French corporations are forced to argue facts that have been listed by the DPA. Whether a corporation is punished depends on the judgment from a court through a public hearing. If found guilty, a fine of 30 percent of the company’s average revenue for the past three years must be paid to the French Treasury.

6. New Criminal Offenses and Bribery: It is now a crime for any company or individual to offer a donation, gift or reward to sway a public officer to abuse their discretion with public authority or government. This new criminal offense combines both French criminal law and anti-corruption efforts to stop and prevent fraud.

SAPIN II AND EDISCOVERY TECHNOLOGY

As legal and technology professionals in law firms and corporations begin to work under the new provisions of Sapin II, it will be increasingly important to turn to technology solutions to audit compliance programs and investigate fraud. Of particular interest within Sapin II, is the requirement that companies implement a procedure for assessing the effectiveness of a particular compliance program. The review of corporate electronic communication is one way of ensuring that organizations are complying with anti-corruption laws and ediscovery technology can be a critical piece of a thorough compliance audit. For example, the data analytics features in many leading ediscovery review platforms can help detect hidden or emerging compliance risks under anti-corruption laws.

In addition to assisting with a compliance review, legal professionals have increasingly leveraged ediscovery technology to facilitate the investigation and analysis of specific fraud matters. For example, in sensitive investigations, companies can rely on computer forensic experts to collect data and make use of mobile ediscovery technology which allows data to be processed, hosted and reviewed at the company’s premises, if need be. Data need not leave the premises while a sensitive investigation is underway. Most importantly, in France or anywhere around the globe, companies need to seek guidance from local experts to assist in the navigation of local data protection laws and with the collection, processing and analysis of electronic evidence in investigations and litigation.

Whether fighting fraud in France, investigating money laundering in Brazil or collecting data from a Chinese subsidiary in a U.S.-based litigation, organizations all over the world can manage a wide range of business and legal challenges using ediscovery technology.

James Farnell, KrolLDiscovery, Legaltech News

Editor’s note: this article originally appeared in Legaltech News.

IICE 2017: Chairman’s Report

by Lauren Grest on June 30, 2017 in events with No comments

We recently had the privilege of chairing this year’s IICE Summit. IICE brings together decision makers in Information Management, Investigations, Compliance, and eDiscovery to collaborate on the direction of disruptive regulation, technology, and organisational excellence.

At this year’s Summit we addressed a particularly challenging set of circumstances, driven by the complex landscape created when data, business and the law interact and at times collide.

There have been rapid regulatory developments in the past year in relation to privacy and data protection in Europe. We have now entered the final year before implementation of the General Data Protection Regulation (GDPR) and this predicated a great deal of discussion at the Summit.

The future of privacy law is uncertain as regulations continue to evolve globally and conflicts arise due to differences in policy. As we heard from delegates, the biggest challenge for companies is to stay compliant with local, regional, and national regulations while putting their new data privacy frameworks in place.

One of the biggest concerns raised at the Summit was how to ensure new channels and platforms can be included in ediscovery exercises. Apps can be found just about anywhere on phones, tablets and even on appliances. All of them when downloaded are accessing data. How do you keep your data safe in the mobile world?

Another big theme for this year’s Summit was cybercrime, a very real and present threat. In Q3 of last year (2016), 18 million new malware samples were captured by one company alone. That’s an average of about 200,000 per day. More than 4,000 ransomware attacks have occurred every day since the beginning of 2016. That’s a 300% increase over 2015, where 1,000 ransomware attacks were seen per day.

We also know new ways in which old offences can be committed. For example, we have companies sharing data, they are creating data lakes today but these will be oceans tomorrow. The sharing of information is not a problem but if AI systems can bargain and talk to each other, then we may have a digital cartel on our hands.

We are seeing ediscovery used more and more in an anticipatory manner by organisations to identify, isolate and address concerns about compliance that could expose them to the risk of some kind of intervention or sanction.

Overall, the 12^th IICE Summit represented a unique opportunity to benchmark implementation programmes against competitors, to ask some hard questions and to assess innovative solutions that are available to help with compliance.

Since last year’s conference we have witnessed significant changes in the ediscovery industry itself. The major changes in data protection law in Europe and the uncertainty around legitimate data transfers have sparked a series of mergers in the industry geared towards expanding global footprints and providing local risk free ediscovery solutions.

Ediscovery solutions that allow clients to process data in country and onsite are therefore essential and we heard delegates expressing their need for flexible and mobile solutions in the year ahead and beyond.

We would like to thank the delegates, speakers and event organisers who put so much time and enthusiasm into making this year’s Summit such a success.

What you need to know about China’s Cybersecurity Law

by Lauren Grest on June 9, 2017 in Legal Developments with No comments

In June 2017, the People’s Republic of China is implementing its controversial Cybersecurity Law. The government is becoming more involved with data protection and strengthening enforcement. Up until now, its current rules have not been clearly defined or regularly enforced, so it is important to keep up with developments or risk getting caught off guard.

Unlike Japan’s focus on protecting data, China turns its attention to the network operators managing data. Below are some key facets to its new policy.

1. Data stored in mainland China: The new law insists that Chinese citizens’ “personal information” and “important data” be stored on servers within its borders. Any companies claiming an exception that is “truly necessary” must undergo a security assessment before information can be released.

2. Law applies to network product and service providers: The majority of the new law’s provisions apply to “Critical Information Infrastructure Operators” (CIIO) possessing data critical to China’s security. Industries predominantly targeted in this new definition include financial, transportation, health care, utilities and telecommunications.

3. Stronger data protection provisions: Supplementing existing data privacy guidelines in China, network operators must first obtain their clients’ consent before collecting and disclosing personal information, including the reason for the disclosure, and take measures to ensure the security of personal information.

4. Security examinations: All network providers must pass a “network security examination.” This includes specific requirements that network operators must follow when purchasing new network systems.

5. Severe consequences for noncompliance: While specific penalties are unknown at this time, cancellation of a business license is part of the current regulations. Additionally, the new regulations require CIIO’s to establish violation reporting mechanisms, suggesting that China is taking the new law very seriously.

As legal and technology professionals in law firms and corporations prepare for the data protection implications of the EU GDPR, do not disregard important changes afoot in Asia. Most importantly, seek guidance from local, in-country experts, prepared to help you collect, host and transport data in investigations, litigation or regulatory matters around the world.

The lowdown on Japan’s APPI amendment

by Lauren Grest on May 25, 2017 in Legal Developments with No comments

On 30th May 2017, Japan’s historic Act on the Protection of Personal Information is going to be amended (APPI) . The APPI in its current form has been unchanged since the early 2000s and is one of Japan’s oldest data protection laws. The decision to amend APPI are, like other forthcoming updates to data protection legislation like the the GDPR, is in reaction to rising data volumes, increased data breaches and increased concern over privacy.

What does the amendment change?

1. Creation of the Personal Information Protection Commission: The amended APPI went into partial effect in 2016, creating the Personal Information Protection Commission (PPC) as a central, independent regulatory authority with enforcement powers.

2. Two new classifications: Two information classifications will determine whether data can be transferred and if the owner of that information can give consent to its transfer: sensitive information and anonymised information. Sensitive information (information about a person’s race, creed, social status, medical records, criminal history, etc.) receives enhanced regulatory protection, with the person’s content required before such data can be transmitted. Anonymised information (personal information where there is no possibility of identifying the person) can be transmitted with restrictions but without the express consent of the individual.

3. “Opt-in” is now “opt-out”: The current rules require the user’s permission before personal data can be transferred. Under the amendments, companies can share data without permission if they disclose certain information to the user beforehand, such as the nature and purpose of the personal data being provided, and the way the data is being provided. The company transferring the information must also give the user the option to opt out of the transfer before it occurs. Businesses must disclose to the PPC if they will continue to default to an “opt-out” policy, or change the process transferring information to a third party. The PPC will make these changes known to the public.

4. International data transfer policy: For the first time, the APPI will address international information-sharing. Any company transferring personal records outside Japan’s borders will need the user’s permission, and opting out will not be an option unless the foreign jurisdiction has similar privacy standards.

5. Sanctions for noncompliance: The PPC is enacting a two-tiered criminal penalty measure into the APPI and its guidelines. A negligent violation will bring about an enforcement notice ordering the company to either correct the issue or halt data transfer operations. Failure to comply may result in imprisonment up to six months or a fine up to JPY 300,000. Intentionally stealing or providing personal information for a dishonest purpose may result in a direct penalty of up to one year in prison or a fine up to JPY 500,000.

Companies and law firms who are processing data in Japan will need to be pro-active and vigilant in order to comply with these changes. For truly international companies who are preparing for GDPR, the changes will mesh well with their compliance plans. For smaller companies or those operating only in Japan, it is like to be more of a challenge.

Ediscovery Costs: Pay as you gone?

by Hitesh Chowdhry on May 17, 2017 in Best Practice & Top Tips, Pieces of Interest with No comments

eDiscovery On-Demand

In today’s no-frills ‘on-demand’ economy, customers apparently want to rent rather than own things. Why commit to purchasing a car when you can order a cab instantaneously? Why take on permanent lawyers in-house when you can hire temps as and when required? And in the ediscovery world, why pay astronomical sums to license technology in-house when you can tender out work to vendors on a project-by-project basis? The way ediscovery technology is bought and sold is a hot topic.

The latter ‘pay as you go via tender’ model has been the preferred modus operandi for most law firms in the UK and Ireland. Many of the firms who have tried to make ediscovery into a ‘profit centre’ by licensing technology in-house have failed to do so. In my experience the reasons for this have included the following:

The up-front hardware costs can be enormous;
Technology becomes obsolete quickly and law firms are not set up to maintain it;
A small team (often only one person) within the firm knows how to operate the technology. The firm therefore becomes overly-reliant on those people; as and when they leave they take the key operational knowledge with them. One firm I deal with has been without a litigation support manager for 2 years and hires external consultants to operate their system on an ad hoc basis;
The ‘profit centre’ argument may make sense on paper, but in reality the technology cost is often the first line item to get written off of a client’s bill.

A False Economy?

That said, the tender model is not without its difficulties. Ediscovery is not a taxi service – it is a complex blend of technological and consultative processes which requires matter-specific application. Not to mention time and costs. Associates often spend an inordinate amount of (non-billable) time comparing quotes that seem to require a PhD in Mathematics to comprehend. Even if estimates are put into a standardised format, predicting data volumes can be as kind to the forecaster as predicting the British weather. All of which goes against the maxim that costs in litigation should be both reasonable and predictable.

The reality is that ediscovery is an integral part of the modern litigator’s practice needs. Whilst only some matters proceed to the disclosure stage, the perusal of electronic data is often necessary to assess merits at the outset of a matter. At that stage a client is just about content to invest money in legal advice, let alone to approve a disbursement for technology to enable that advice. Lawyers now need the comfort of an in-house system where they can upload data as and when they please without incurring the stress, time and moreover the uncertainty of a full-blown tender process. Could you imagine having to contact three or four companies every time you needed to conduct some legal research or find a precedent? This has led to forward-thinking law firms pursuing a third option for the procurement of ediscovery services – the subscription model.

Just Sign Here…

A subscription model (aka a Software as a Service model) is a fully-flexible solution which allows you to pay a fixed monthly sum for a certain volume of data to be hosted across an unlimited number of matters. The pricing is set out in ‘bands’ so that you have the flexibility to increase your hosting volume without incurring any extra costs up until you reach the next tier. Each offering is designed bespoke to the client’s needs. The advantages are as follows:

There is far greater certainty on costs than under a ‘pay as you go’ model;
Lawyers can save significant time and stress by avoiding the tender process;
There is a tangible value-add to point your clients to. ‘Innovative’ has become an overused buzzword in law firms’ self-descriptions. Relieving clients of the uncertainty of ediscovery costs and being able to analyse key electronic data immediately when instructed on a matter are strengths to genuinely shout about;
There is no need to worry about paying huge up-front sums to invest in technology. Your provider will maintain the hardware and software in their own data centre. Moreover, you will have the ability to host data in any of the provider’s global centres and on any of the review platforms that they offer. I have come across dozens of organisations who are using an outdated review platform purely because at the time they licensed it, it was cutting-edge. As Blackberry has discovered, 5 years is a long time in business;
You can build a relationship with people at the provider, and set in motion a style of working that suits your firm, so that you receive a consistent, repeatable service. There is also no concern about an over-reliance on one person at your firm; some of our project managers are considered by their clients as extensions of the legal team.
You can decide how to bill your clients for ediscovery services.

How much does it cost?

Naturally, firms will be concerned that a subscription model is only suitable for those firms with the deepest pockets. That is simply not the case. Rather than focusing on costs, you are advised to approach vendors with a ‘wish-list’ of services and a budget in mind (it may be the last time you need to contact more than one provider). We have law firms who are able to service their clients’ needs with a spend of around £10,000 per annum. Small change for speed, reliability, and a competitive advantage.

Time to get off the app and into the driving seat.

Subject Access Requests: managing the process with minimum pain

by Lauren Grest on April 26, 2017 in Best Practice & Top Tips with No comments

What is a Subject Access Request?

Under section 7 of the Data Protection Act 1998 (DPA), individuals are entitled to access the information that an organisation holds about them. The majority of subject access requests arise from former employees who are engaged in a dispute. However, in this privacy-conscious age, some individuals may simple want to know what personal information a company is holding.

How common are Subject Access Requests?

Because requests only cost £10, more companies are receiving requests from disgruntled ex-employees who want to know what information their former bosses have on them.

How do I fulfil a request?

Delivering the information held on an individual can be surprisingly challenging. Businesses must carry out detailed searches which can include information held in emails, databases, paper records, CCTV records and spreadsheets. In the age of big data, what seems like a simple request on the surface can quickly become complicated and time-consuming.

Once collected, the data must be disclosed in an intelligible form. Where necessary, companies must include supplementary explanatory information (e.g. if codes have been used) and supply context to the data that has been held, outlining:

What personal data has been collected?
How was the data obtained and from which sources?
Why was data pertaining to the subject processed?
Who has received data about the subject

What can be done to make the process easier?

1. Get your house in order
Sprawling data estates and inconsistent approaches to archiving can make searches difficult and inaccurate. Improving information governance in general is best practice, not only for handling subject access requests but for compliance with other legislation such as the GDPR.

2. Nominate a point of contact

Subject access requests must be completed within 40 days of receiving the request. Given the breadth of information held, the request is often handled via multiple departments. Cooperating across departments can challenging and 40 days can quickly disappear. Nominating a single person or department to handle such requests is a great start in streamlining the process and meeting the deadline.

3. Use technology

Ediscovery technology is designed specifically to search, filter and analyse data, making it ideally suited for responding to subject access requests. Ediscovery consultants can advise on how to collect, search, review and produce the data in an efficient, cost-effective and expedited manner.

4. Get expert advice

We guide our clients to consider various sources of information and advise on how to get the data extracted most easily. This may include email systems, server file shares, document management systems, cloud platforms and structured databases such as HR systems or accounting systems.

5. Protect personal data belonging to others

Personal data is often tangled with data belonging to other people or data that is confidential to the company. It is easy to let data pertaining to someone else slip through the net and in trying to comply with the Data Protection act, actually end up breaching it.

Information should be carefully reviewed before being handed over to the data subject. Managed document review services can assist by reviewing the documents in accordance with your guidelines and flag any concerns about data.

To find out more about managing subject access requests, please contact one of our consultants.

RT @KrolLDiscovery: How will the new administration effect global #antitrust regimes? https://t.co/h2Fi9iPzml https://t.co/X7ywTMC21t
- Tuesday Aug 22 - 3:41pm

RT @KrolLDiscovery: Just in: Nebula brings end-to-end eDiscovery to the cloud. https://t.co/MXyg6OPLpD https://t.co/wJUGkpPT4i
- Tuesday Aug 22 - 2:38pm

Thanks Archana! Hope to see you soon :) https://t.co/O4RZo9AAUd
- Tuesday Aug 15 - 4:31pm

We are delighted to have made the @inc5000 of fastest growing private companies again! Proof that team work is the key to growth.
- Tuesday Aug 15 - 2:09pm

RT @sschnettler: Are There Better Ways to Destroy Smart Phone Data Than With a Hammer? https://t.co/4gw1RaiWoi https://t.co/iMVS5Tdlbh
- Wednesday Aug 9 - 2:25pm

KrolLDiscovery named in Inc. 5000’s fastest growing companies list

How do ediscovery platforms manage the challenge of East Asian languages?

Face to Face with the Regulators in Tokyo

KrolLDiscovery Summer Party: Ornament, Armament, Merriment!

An overview of Sapin II

SAPIN II: THE KEY TO CLOSING LOOPHOLES IN FRANCE

SAPIN II AND EDISCOVERY TECHNOLOGY

IICE 2017: Chairman’s Report

What you need to know about China’s Cybersecurity Law

The lowdown on Japan’s APPI amendment

Ediscovery Costs: Pay as you gone?

eDiscovery On-Demand

A False Economy?

Just Sign Here…

How much does it cost?

Subject Access Requests: managing the process with minimum pain

What is a Subject Access Request?

How common are Subject Access Requests?

How do I fulfil a request?

What can be done to make the process easier?

Visit our website

Subscribe to the latest posts

Tweets

Categories

Industry news

August 2017
M	T	W	T	F	S	S
« Jul
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30	31

SAPIN II: THE KEY TO CLOSING LOOPHOLES IN FRANCE

SAPIN II AND EDISCOVERY TECHNOLOGY

eDiscovery On-Demand

A False Economy?

Just Sign Here…

How much does it cost?

What is a Subject Access Request?

How common are Subject Access Requests?

How do I fulfil a request?

What can be done to make the process easier?

Visit our website

Subscribe to the latest posts

Tweets

Categories

Tags