Managing data = managing investigation/litigation risk
Strategic data protection – or data management – is not just about compliance with data privacy and cyber laws. Proactive data management, in its broadest sense, is increasingly critical to conducting efficient investigations and to more effective litigation and related disclosure exercises.
What does this mean in practice?
Understand your data
Do you fully know what data your organisation has? You may have a ROPA (record of processing activity) which maps out your personal data. But does it cover all processing around the world? Many organisations only have ROPAs for EU/GDPR purposes.
Apart from personal data, what about other categories of data? Your organisation’s internal data classification may not align with categories of data that are, for example, subject to strict data sovereignty rules under local laws/regulations in other countries. So, while you may know you have certain data, do you know whether you can use it during an investigation, or share it with headquarters in another country?
You may have record retention policies and retention schedules. But do your record descriptions actually capture what data you have?
You cannot effectively use data unless you know what it is, and what you can/cannot do with it. Data mapping of data sets is critical to managing data risks, but also to seizing opportunities to use data, including for investigation, litigation and disclosure purposes. Current data policies and data record-keeping tend to be too limited, meaning organisations don’t have a full handle on their data inventory. This can mean you miss key data. It can also lead to unpleasant surprises when it comes to investigations, litigation and disclosure.
Don’t assume you can just use your personal data for investigations/proceedings
Time is often lost at the outset of a matter whilst steps are taken to establish whether individuals’ data can be monitored, collected and reviewed for the purposes of the investigation or litigation.
Consent: do you have the individual’s consent to use their personal data in connection with an investigation or legal proceedings? A few data protection laws, notably the EU’s GDPR and Hong Kong’s Personal Data (Privacy) Ordinance, don’t require this. But under other data protection laws – notably those across most of Asia – you must have the individual’s consent to collect, use and disclose their personal data. Some – in particular Mainland China – require additional, separate consent for cross-border data transfers, including transfers between group companies. In the context of an internal investigation, it can be very difficult to get that consent once an incident occurs or an investigation is underway, especially from the protagonists. Getting the right consent(s) upfront, when the data is first collected, is straightforward and enables data to be used and shared – and transferred overseas – immediately during an investigation or litigation.
Exemption: what if your notice and/or consent is not in place? Exemptions in a few data protection laws allow use and disclosure of personal data for investigations, to respond to regulator enquiries or legal proceedings. However, don’t assume you can rely on an exemption. Not all countries have them; and in those that do, the exemptions are often very limited (e.g. just to proceedings or as regards laws in the local jurisdiction). Avoid this risk – plan ahead and make sure your privacy notice and consent (if you need it) are in place now, so you don’t even have to think about exemptions.
Can you access your data?
Even if you have mapped out a full data inventory, have you operationalised it? Meaning, have you tagged your data in your systems, so you can easily identify what type of data it is, where it originated from, what data laws apply, whether it can cross borders, what policies apply to it?
Do your systems allow you to apply a litigation hold to certain data?
Don’t keep data forever
Personal data cannot be kept forever – most data protection laws require it to be deleted or deidentified once it is no longer needed for the purposes for which it was collected. Other records must be retained for a specific period by law, such as tax records. But do you keep the data for too long? Many organisations hang on to data for a longer period than permitted or needed “just in case” or “because data is valuable”.
Even if you have data retention schedules, do you actually purge data regularly? Do you really delete it all, even back-ups? Do you really, truly anonymise or de-identify data before keeping it? Especially where you undertake big data analytics, data lakes or AI?
Not being regimented around data retention – both in terms of policies and actually following them – not only breaches data protection laws, but also risks retaining data unnecessarily that may then have to be disclosed as part of an investigation or litigation.
Right-fit your data team
Data management is broader than data privacy. Data management requires full alignment with the business - strategic, operational, technical and compliance. Data notices, policies and procedures should be drafted carefully to address investigation and litigation risks as well as immediate compliance requirements. Legal and compliance teams should work with the IT and infosec teams to ensure the policies and procedures can be implemented at a systems and operational level.
Our data privacy, investigations and litigation teams are experienced at managing data and investigation/litigation risk. Contact any of the authors of this article to discuss how we can help further.