Subject Access Requests: managing the process with minimum pain

What is a Subject Access Request?

Under section 7 of the Data Protection Act 1998 (DPA), individuals are entitled to access the information that an organisation holds about them. The majority of subject access requests arise from former employees who are engaged in a dispute. However, in this privacy-conscious age, some individuals may simply want to know what personal information a company is holding.

How common are Subject Access Requests?

Because requests only cost £10, more companies are receiving requests from disgruntled ex-employees who want to know what information their former bosses have on them.

How do I fulfil a request?

Delivering the information held on an individual can be surprisingly challenging. Businesses must carry out detailed searches which can include information held in emails, databases, paper records, CCTV records and spreadsheets. In the age of big data, what seems like a simple request on the surface can quickly become complicated and time-consuming.

Once collected, the data must be disclosed in an intelligible form. Where necessary, companies must include supplementary explanatory information (e.g. if codes have been used) and supply context to the data that has been held, outlining:

  • What personal data has been collected?
  • How was the data obtained and from which sources?
  • Why was data pertaining to the subject processed?
  • Who has received data about the subject?

What can be done to make the process easier?

1. Get your house in order
Sprawling data estates and inconsistent approaches to archiving can make searches difficult and inaccurate. Improving information governance in general is best practice, not only for handling subject access requests but for compliance with other legislation such as the GDPR.

2. Nominate a point of contact

Subject access requests must be completed within 40 days of receiving the request. Given the breadth of information held, the request is often handled via multiple departments. Cooperating across departments can be challenging and 40 days can quickly disappear. Nominating a single person or department to handle such requests is a great start in streamlining the process and meeting the deadline.

3. Use technology

Ediscovery technology is designed specifically to search, filter and analyse data, making it ideally suited for responding to subject access requests. Ediscovery consultants can advise on how to collect, search, review and produce the data in an efficient, cost-effective and expedited manner.

4. Get expert advice

We guide our clients to consider various sources of information and advise on how to get the data extracted most easily. This may include email systems, server file shares, document management systems, cloud platforms and structured databases such as HR systems or accounting systems.

5. Protect personal data belonging to others

Personal data is often tangled with data belonging to other people or data that is confidential to the company. It is easy to let data pertaining to someone else slip through the net and, in trying to comply with the Data Protection Act, actually end up breaching it.

Information should be carefully reviewed before being handed over to the data subject. Managed document review services can assist by reviewing the documents in accordance with your guidelines and flagging any concerns about data.

To find out more about managing subject access requests, please contact one of our consultants.

 

Big data: high financial rewards, high regulatory risks?

In a 2013 survey of 400 companies, management consultancy Bain & Company found that companies using data analytics were:

  • Twice as likely to be in the top quartile of financial performance within their industries
  • Three times more likely to execute decisions as intended
  • Five times more likely to make decisions faster

Fast forward to 2018 and data analytics is firmly entrenched within many companies, to the extent that it has attracted the attention of the regulatory authorities. The European Commission, the Competition and Markets Authority and the French Autorité de la concurrence have all stated that big data and the competitive advantage it can give is a top investigative priority for 2017 and beyond.

How can big data give unfair competitive advantage?

Big data as an asset

Margrethe Vestager, the European Commissioner for Competition, is currently considering revising merger control thresholds to include a threshold pertaining to non-turnover related big data holdings. Although the Commission has incorporated the value of data into previous merger control investigations, this has largely involved companies where big data generates significant revenue. However, a company could acquire a business with a small turnover and a large amount of user data; the new owner could then exploit this data and reduce competitiveness in that marketplace.

Big data pooling

Although sharing data is not forbidden per se, the way companies share data can breach competition rules. Companies can use big data to place themselves in a dominant position over competitors. For example, if a company wants to diversify its offering and move into new areas, it can use data held on current customers to promote the new business. For instance, Uber’s access to users of its lift-sharing service can be used to promote other ventures such as UberEats. This gives Uber an unfair advantage over other providers offering a similar takeaway food business but lacking the data from such a large customer base.

The regulatory authorities take these violations seriously and are imposing significant fines. Most recently, the Belgian Lottery was fined €1 million for using a database of customer contacts to promote a new sports lottery game.

A new form of white collar crime?

The formation of so-called digital cartels is predicted to be one of the biggest challenges regulators will face in the future. Digital cartels arise from companies using automated pricing systems. These digital tools automatically calculate prices according to a set of criteria such as supply versus demand, profit targets and so forth. Increasingly, these systems use machine learning technology. This can lead to the situation where two rival companies use the same pricing technology and react identically to changing market conditions. This results in prices being unintentionally fixed and the law being violated.

Getting value from big data without incurring fines

When it comes to the formation of digital cartels, prevention is complicated. Automated pricing systems are widespread and manual pricing models are unlikely to make a comeback. For regulatory authorities, who are reliant on laws written in the pre-digital age, enforcement is a greater challenge. However, Vestager has suggested a new directive might follow later in 2017 which may bring clearer rules and stricter enforcement.

Other streams of revenue enabled by the collection and analysis of big data are more easily policed. For companies who rely on sharing information for product development, Vestager recommends referring to the Commission’s guidelines on horizontal cooperation, which show companies how to share data in a way that doesn’t reduce competition.

She also discussed ways for companies to share information with competitors anonymously in a way that doesn’t harm their own business interests such as sending information to a platform anonymously. In return, they would receive aggregate data with no indication of which company it comes from.

In conclusion, competition enforcement is changing, and fast. Companies who use big data, and smaller companies who hold big data but don’t actively use it, should closely monitor the Commission’s announcements over the next few months in order to prepare for any changes. Watch this space!

The danger of ‘deleted’ data

What computer forensics experts talk about when they talk about deletion

As computer forensics specialists, we are often asked about deleted data. Is something truly deleted? Can deleted data be recovered? What should we do with old laptops? We thought the best way to answer these questions would be to conduct an experiment to show that in computer science, deletion is more of a spectrum than a binary state. The experiment also demonstrates the importance of protecting data, even when the device is no longer in use.

Introducing Project Gumtree

Armed with just £20, we responded to an advert on the community selling portal Gumtree and purchased four ostensibly clean hard drives from the seller, who had advertised them as coming from old family laptops. After payment and collection, we handed over the drives to our forensics team.

The first step of any forensics investigation is undertaking a procedure called ‘imaging’. Forensic imaging involves creating an exact copy of the hard disk, enabling investigations to be conducted without endangering or tampering with the original data held on the disk. Once we had imaged the Gumtree drives, the real investigation could begin.

Upon initial inspection, three of the hard drives appeared to be blank, as promised by the seller. The fourth simply showed the Windows base installation menu. For the average domestic user, the seller’s privacy would have been protected, but the first rule of forensics is that deleted does not always mean deleted, and we anticipated that we would be able to extract data from the seemingly blank disks.

Lost and found

Once we examined the imaged drives closely, we uncovered an incredible amount of information. Below is an overview of exactly what we found on each disk:

Data recovered from Disk 1

  • 1400 PDFs
  • 500 Excel Files
  • 200 Word Docs
  • 8 PowerPoint Presentations
  • 40,000 picture files

Although the seller had originally described the disks as coming from family machines, the information recovered suggested otherwise, with numerous documents detailing expenditure in excess of £120,000 on roof lights and £170,000 on installing cladding on a bridge walkway. The drive also contained other invoices for tens of thousands of pounds as well as a cache of foreign language documents, all of which suggested the disk was not used in a domestic context.

Data recovered from Disk 2

Disk 2 was the drive which had a visible base Windows installation but nothing else. However, once again we were able to recover a lot of data, the majority of which consisted of confidential documents taken from the internal file sharing system, SharePoint. Files held on SharePoint are for internal viewing only and therefore should not have been saved on the laptop, providing further evidence that the seller of the drives had perhaps obtained them via dubious means.

Data recovered from Disk 3

Disk 3 also yielded some interesting data. We found 3,800 Google search terms that provided a great deal of insight into the life of the previous owner. For example, we saw that the owner had searched for Patisserie Valerie bakeries, swiftly followed by a search for gyms in a particular area. More intriguingly and perhaps disturbingly, hidden amongst quotidian work documents was a raft of files relating to philosophy and the occult.

Data recovered from Disk 4

Of all the data recovered from the drives, Disk 4 contained the most sensitive information. Unfortunately, our in-house counsel has advised that we cannot go into detail about the contents of the drives as they contain data related to the UK government as well as CCTV footage.

By the end of the exercise, it was clear that the drives were not from family computers. In total, we recovered around 10,000 official documents and there is evidence that they come from the same government department. Kroll Ontrack is currently taking steps to return the data and the disks to that department so they can conduct their own investigations as to how the data was stolen.

How to disappear completely

The difficulty of truly deleting data from devices is something of a double-edged sword. On the one hand, if data appears to be lost, chances are that with the assistance of an experienced forensics technician, the data can be recovered. Yet if a company is disposing of devices capable of storing data (a surprisingly long list that includes satellite navigation systems, mobile phones, USB sticks and more), the information stored on them could potentially be accessed by a third party unless action is taken to forensically delete the data.

We would recommend that companies disposing of devices capable of storing data should contact a forensics provider to ensure all confidential data is unrecoverable by third parties.
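The gap between a drive that looks blank and one that is actually empty can be checked on a forensic image before a device leaves the building. The sketch below is an added example, not Kroll Ontrack's tooling: the function names, the toy disk layout and the sample file contents are all constructed for illustration, and it assumes a zero-fill wipe and files that start on a sector boundary.

```python
import io

SECTOR = 512  # bytes per sector assumed for the raw image

# Leading "magic" bytes of the file types the post reports recovering.
SIGNATURES = {
    b"%PDF-": "pdf",
    b"\xff\xd8\xff": "jpeg picture",
    b"PK\x03\x04": "zip container (docx/xlsx/pptx)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 (legacy doc/xls/ppt)",
}


def audit_image(stream, sector=SECTOR):
    """Read a raw image sector by sector.

    Returns (total_sectors, nonzero_sectors, hits) where hits is a list of
    (byte_offset, file_type) for sectors that begin with a known signature.
    Only sector starts are tested, which keeps false positives low.
    """
    total = nonzero = 0
    hits = []
    while True:
        block = stream.read(sector)
        if not block:
            break
        if any(block):  # at least one non-zero byte survives in this sector
            nonzero += 1
            for magic, kind in SIGNATURES.items():
                if block.startswith(magic):
                    hits.append((total * sector, kind))
        total += 1
    return total, nonzero, hits


def audit_bytes(data):
    """Convenience wrapper for in-memory images."""
    return audit_image(io.BytesIO(bytes(data)))


def is_sanitised(data):
    """True only if a zero-fill wipe left no residue (assumes zero-fill)."""
    _, nonzero, hits = audit_bytes(data)
    return nonzero == 0 and not hits


# --- Constructed sample images (toy layout, not a real file system) ---------
def build_used_disk(sectors=64):
    img = bytearray(sectors * SECTOR)
    index = b"DIR invoice.pdf@10 photo.jpg@20"  # toy file index in sector 0
    pdf = b"%PDF-1.4\n% constructed sample invoice\n%%EOF\n"
    jpg = b"\xff\xd8\xff\xe0constructed-picture\xff\xd9"
    img[0:len(index)] = index
    img[10 * SECTOR:10 * SECTOR + len(pdf)] = pdf
    img[20 * SECTOR:20 * SECTOR + len(jpg)] = jpg
    return img


def quick_delete(img):
    """Models delete/quick format: the index is cleared, file data is untouched."""
    out = bytearray(img)
    out[0:SECTOR] = bytes(SECTOR)
    return out


def full_overwrite(img):
    """Models a zero-fill wipe of every sector."""
    return bytearray(len(img))


if __name__ == "__main__":
    for label, image in (("quick delete", quick_delete(build_used_disk())),
                         ("full overwrite", full_overwrite(build_used_disk()))):
        total, nonzero, hits = audit_bytes(image)
        print(f"{label}: {nonzero}/{total} sectors hold data, signatures={hits}")
        print("  safe to dispose:", is_sanitised(image))
```

To audit a real image file, pass `open(path, "rb")` to `audit_image`; a wipe that writes random data rather than zeros needs a different pass criterion than `is_sanitised`.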

If you would like to find out more about how computer forensics can help you support and secure your business, please join us for a breakfast seminar in Central London on 6th April.  The seminar is specifically designed for those working in human resources or employment law.  Please click here to register your place.

Document Review turns Two: Mischief. Mayhem. Darts.

Can you believe it’s been two years since we opened our dedicated document review centre? Since then we’ve gone from strength to strength, doubling in size and caseload. Below are just a few statistics that highlight how powerful an offering this service is and how much demand is increasing:

  • We have over 1,800 document reviewers registered with us
  • We have the capacity to work in 173 languages
  • We have worked on 36 projects over the last 7 months in English, French, Afrikaans, Italian, German, Greek, Hindi, Romanian, Hungarian and Portuguese
  • We have 100 seats at our London centre
  • We are expanding into continental Europe

A competitive second birthday party

Richard, one of our Document Review Managers, takes aim

We couldn’t do this without the support of our amazing document review lawyers who come from all over the world to work with us. To thank them, our Managed Review team held a birthday party at Flight Club in Finsbury Square.

For those who haven’t been, Flight Club is a darts bar but not as you know it: gone are the battered old boards, pints of flat lager and that particular stress that comes from trying to do mental arithmetic under the pressure of a competitive group environment. Instead each oche has a control panel, a choice of games and a computer/camera set-up that automatically calculates scores.

Each group played three games and six finalists from each oche were invited to compete in the grand finale. It was a bit of a surprise to see so many skilled darts players and the final tournament was a nail-biting affair with great performances from each player. However, there could only be one winner: Mr Luke Aaron, Legal Consultant and wannabe late night chat host, who seized victory and took home the coveted gold medal.

If you’re a lawyer and fancy joining our document review team, you can find out more information here.

The winner takes it all!

Ediscovery trends in 2017: from artificial intelligence to mobile data centres

2017 is set to be a year of change as organisations prepare for the new General Data Protection Regulation (GDPR) and the accelerated adoption of artificial intelligence. Faced with the need to manage greater volumes of data as well as multiplying communications channels, organisations and their legal representatives will be increasingly reliant on ediscovery technology processes to reduce the time needed to identify and manage information required to satisfy regulatory and legal issues.

Against this backdrop, we make the following predictions for 2017:

  1. Technology will play a vital role in helping organisations prepare for GDPR

The tough new General Data Protection Regulation currently being implemented in Europe will have a global impact. In cross-border litigation and investigations, where data needs to cross borders to comply with discovery requests, mobile discovery will become essential.  These solutions capture, process, filter and examine data on-site, avoiding the need to transfer data across borders. GDPR has strict rules for protecting individuals’ right to be forgotten and organisations will need the relevant tools to find and erase personal data. Breaches of some provisions by businesses, which law makers have deemed to be most important for data protection, could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater, being levied by data watchdogs.

  2. Ediscovery will find new homes beyond regulation and legislation

While ediscovery is widely used by professionals working on legal cases in litigation, regulation, competition law and merger control, employment law and arbitration, it will be used more and more this year in an anticipatory manner by organisations to identify, isolate and address any concerns about compliance that could expose them to the risk of some kind of intervention or sanction.  This trend will be exacerbated by the introduction of an increasingly complex and aggressive regulatory environment, exemplified by the French Anti-Corruption laws adopted in November 2016.

  3. New sources of evidence will move into the spotlight

Enterprises are creating more data than ever before. Data can be found anywhere that there are storage devices to hold it, whether that is a data centre, laptop, mobile, wearable device or the Cloud. Channels to move data from one place to another are also proliferating. As a result we are seeing a diversification of evidence sources being used to build up a picture of what has happened in a legal matter. Whilst email and structured data remain the most common sources of evidence, other data sources such as social media and satellite navigation systems are gaining in importance and providing key insights into many cases. Clients are increasingly choosing ediscovery providers who can integrate a wider variety of data sources into one platform for analysis.

  4. The robots are coming.

Savvy law firms and corporate counsel will benefit from bringing the latest technologies including artificial intelligence (AI) to the attention of their clients. A long line of court decisions in the US, and now also in the UK and Ireland has already driven greater interest in and adoption of predictive coding.

  5. The ediscovery industry will continue to evolve

The past few years have seen huge changes in the ediscovery industry itself as it seeks to provide the technologies that organisations need to keep up with more stringent regulation in data governance. Only larger, international partners now have the resources and capabilities required to provide local services and data processing centres where organisations need them, together with cutting edge tools and technologies to manage huge volumes of data and channels moving forwards.

  6. Big data will take centre stage in competition and data privacy matters

Regulators are becoming increasingly aware of the competition and data privacy implications of big data. From a competition point of view, big data held by companies can trigger both Articles 101 (relating to antitrust cases) and 102 TFEU (abuse of dominance cases). This is highlighted by the joint report of May 2016 from the French and German Competition Authorities entitled Competition Law and Data which explains that big data can trigger article 101 TFEU and thus be considered a cartel. Companies that handle substantial data volumes on a day-to-day basis will need to factor it into their compliance strategies and embrace technological solutions to aid in investigations and redactions.

  7. There will be a greater need for electronic documents

Despite evidence becoming mostly electronic, until recently regulatory authorities still required the submission of hard copies of RFI forms, merger filings and other investigatory materials. However, the introduction of the European Commission’s eQuestionnaire for merger control and antitrust cases means parties must now submit all information electronically.

In December 2016, the EC also published guidelines entitled “Recommendations for the Use of Electronic Document Submissions in Antitrust and Cartel Case Proceedings”. It is important to note that the EC strongly encourages the use of electronic formats even for paper documents, which means they have to be scanned and made readable.

Tim Philips, Managing Director at Kroll Ontrack, said: “Ediscovery continues to provide essential tools and technologies for all manner of legal matters and allows companies to efficiently navigate through this era of big data, regulatory scrutiny and more stringent data protection requirements. 2017 is set to be another landmark year in terms of the adoption of ediscovery technology and the evolution of ediscovery technology itself.”

Merry Christmas!

A practical guide to predictive coding

Did you miss out on our practical predictive coding event? Not to worry! We’ve created a twenty minute tutorial video that will guide you through the basics of using predictive coding technology.

Presented by Kroll Ontrack’s predictive coding gurus and using real life case studies as examples, you will learn how predictive coding technology works and how you can use predictive coding technology in your own cases.

We hope you enjoy the video and find it illuminating, but if you have any further questions please get in touch in the comments or by emailing enquiries@krollontrack.co.uk.

Practical Predictive Coding

Understanding the value of structured data

In the earlier days of ediscovery, the spotlight was on handling the spiralling volumes of unstructured data such as emails and documents. Email in particular changed the face of ediscovery, and nowadays most lawyers working in litigation or competition are sophisticated consumers or users of ediscovery technology. However, another source of electronic evidence is becoming increasingly important: structured data. Structured data refers to any data that resides in a fixed field within a record or file. This includes data contained in relational databases and spreadsheets and so often includes financial or operational information.

Research conducted by the Data Warehouse Institute has found that approximately 47 per cent of corporate data are structured in nature, compared to 31 per cent of unstructured data, leaving the remaining 22 per cent classified as semi-structured data.

Yet, despite the prevalence of this kind of data, many clients are unsure how to deal with unstructured data and when faced with Question 5 of the Electronic Document Questionnaire, they are firmly out of their comfort zone.

Whilst it might be intimidating or tempting to neglect this, structured data is a valuable source of electronic evidence and quite often is a treasure trove of information. With the right tools and expertise, it is possible to unearth trends, patterns, and red flags which can be used in an investigation or as intelligence into an organisation’s operations.

Much like ediscovery tools revolutionised the analysis of emails, data analytics tools are helping tackle the challenge of extracting, processing and transforming structured data into meaningful electronic evidence. This evidence can be standalone or supplementary to unstructured data such as email and documents typically reviewed and exchanged during the ediscovery process in legal proceedings.

Want to find out more? Shine a light on Data Analytics

Join experts from Kroll and Kroll Ontrack on 13th October 2016 for a discussion of the ways in which data analytics tools can be used to provide advanced data insight for investigations, litigation and regulatory requests.

Using real world case studies, our speakers will illustrate how these tools have been used to unlock relevant information, and suggest ways to get the most out of your use of analytics.

Date: 13th October 2016

Timetable

  • Registration: 6:00pm
  • Presentation: 6:30pm – 8:00pm
  • Drinks and networking: 8:00pm
  • Location: Kroll Ontrack, Nexus, 25 Farringdon Street, London, EC4A 4AB

To register your place, please click here.

IBA Conference 2016: See you in DC!

The International Bar Association’s Annual Conference is one of the highlights of the international legal calendar with over 6,000 delegates from around the world attending. We are delighted to be exhibiting once again and are looking forward to meeting existing clients and new faces.

The 2016 conference is being held in Washington DC and, unsurprisingly, has attracted a prestigious panel of leading legal, financial and political figures including former US Secretary of State, General Colin Powell, Managing Director of IMF, Christine Lagarde and Director of Federal Bureau of Investigation, Robert S Mueller, III. If that wasn’t a star-spangled enough line up, our very own Hitesh Chowdhry has been invited to speak on a panel on Thursday 22nd Sept at 10.45am in Balcony B, Mezzanine Level.

Entitled ‘Recalls, reputations and repeat business: bringing companies and their products back from the brink of disaster’, Hitesh and his fellow panellists will be discussing the many essential considerations arising for companies and their in-house counsel in the midst of reputational crises fuelled by an urgent (typically global) recall of products from consumers.

The panel will present real-world recall examples and the companies and lawyers who were in the trenches, as well as true to life case studies in this interactive and vibrant session, with a focus on the winning legal, communications and public relations strategies that bring companies and their products back from the brink of disaster.

Members of our EMEA team will also be based at booths 40 and 41 and will be available to answer any electronic evidence-based questions you may have. We will also be launching the second edition of our New Frontiers report, which is bigger and better than before. Come say hello and get your copy hot off the press!

 

Predictive coding: a little less conversation, a little more action

Predictive coding has been the hot topic of conversation for a while now. Both legal technology providers and industry thought leaders have waxed lyrical about its efficacy and this year marked the first time a UK court had approved the technology for use in a case. Yet despite this, one topic of conversation has remained untouched: how do you use the technology?

We decided to rectify this situation by hosting a unique seminar: Predictive Coding: Getting it Done. Held in the Museum of the Order of St John’s Chapter Hall, the seminar was led by Kroll Ontrack’s predictive coding experts Jim Sullivan and Leon Major. We were also delighted to welcome guest speakers Emily Maxwell of DLA Piper and Ilaria de Lisa of Gleiss Lutz. As Kroll Ontrack clients, Emily and Ilaria were able to provide their unique insights into using predictive coding.

The seminar’s jam-packed agenda covered all the practical predictive coding basics, including a breakdown of common terminology, an overview of the scenarios in which predictive coding can be used and a step-by-step guide to using predictive coding using real life case studies as examples. Guests also had the opportunity to have their questions answered by our experts.

Following the presentation, guests gathered in the Museum’s medieval cloister gardens to enjoy a champagne reception and to make the most out of the unusually pleasant summer weather! Originally used by the Order of St John for growing medicinal herbs, the Cloister gardens is one of London’s hidden gems; a rose and lavender-scented oasis which proved to be the perfect location for relaxing after a very informative workshop.

