In our first post in this series, we discussed how eDiscovery technology and workflows are being applied to several different use cases today. According to eDiscovery Today’s 2023 State of the Industry Report, seven use cases are being applied by at least 40% of 410 survey respondents.
One of those use cases is privacy requests, for which eDiscovery is used by more than four in ten (42.4%) of respondents – the seventh highest percentage of respondents overall. In this post, we’ll discuss the latest data privacy trends, what goes into a data privacy request, and how eDiscovery workflows and technology can be applied to support privacy requests.
Latest Data Privacy Trends
The General Data Protection Regulation (GDPR) has been in place since May 25, 2018, and in the past couple of years, fines for data privacy violations have risen dramatically. GDPR fines for data privacy violations in 2021 and 2022 exceeded € 2.1 billion, which is more than 8 times the fine amount in euros issued in 2018 through 2020! And we’ve recently seen our first single fine of over € 1 billion, with Meta being fined a record € 1.2 billion in May of 2023!
Of course, the US doesn’t have a national data privacy law, but the pace at which states are enacting laws is increasing dramatically. Since the beginning of 2023, data privacy laws have gone into effect for California (with CPRA replacing CCPA) and Virginia. Laws for Colorado, Connecticut and Utah will go into effect by the end of the year.
As of this writing, we have already seen an additional four states (Iowa, Indiana, Tennessee and Montana) enact new data privacy laws in 2023 that go into effect in subsequent years, and Texas has passed its law (which is awaiting the governor's signature to officially become law). Those five states all passed their laws within a two-month period! As each state law is unique, organizations must be aware of the differences among the laws in terms of how they may affect privacy requests.
What Goes Into a Data Privacy Request
The ever-changing data privacy landscape is forcing organizations to create new eDiscovery workflows to support privacy requests from data subjects regarding their data. Data Subject Access Requests (DSARs) are the primary mechanism by which individuals can request information about the way companies handle their personal information. You may also hear them referred to as Subject Access Requests (SAR), Data Subject Requests (DSR), or Subject Right Requests (SRR), but the DSAR has essentially either replaced, or is a superset of, these other request types. Data subjects are typically customers of the organization, but they can include any individuals for whom the organization maintains data (including employees).
DSARs and other privacy requests can include:
- Contact information of the data subject (including name, email address, and phone number).
- The type of request, which typically falls into one of the following categories: 1) Identify the information you collect on data subjects, 2) Identify the information you collect on me, 3) Delete my information, or 4) Take my data elsewhere.
- An open description field where the data subject can provide additional description to their request.
Applying eDiscovery Workflows and Technology to Privacy Requests
A DSAR can be submitted at any time by any individual for whom the organization tracks data. Even though the information produced is much more targeted than it is for a typical litigation case, responding to the request still requires leveraging eDiscovery technology and workflows.
The typical eDiscovery workflow for privacy requests includes the following steps:
- Searching: Searches for personally identifiable information (PII) associated with the data subject are run to identify potential matches for the request.
- Review: Potentially responsive ESI is reviewed to identify specific instances of PII for the data subject to be included in the DSAR response.
- Normalization: When review is completed, the results are normalized, deduplicated and QCed.
- Response: With the PII that the organization tracks for the data subject identified, the organization then responds to the privacy request by identifying the general information it collects on data subjects, identifying the specific information collected on the requesting data subject, and/or notifying the data subject that the request to delete or move that information has been completed.
The time frames for responding to a DSAR can vary based on the requirements of the data privacy law and the complexity of the request. For example, GDPR typically requires responses to DSARs to be completed within a 30-day period, but the deadline may be extended to two months if the request is complex or if your organization has received multiple requests from the same individual.
Unlike PII searching for incident response, searches for PII associated with the data subject are much more targeted (e.g., a search for one specific Social Security number rather than a regular expression (regex) pattern that matches any Social Security number). They are also typically iterative, as more information is learned about the data subject with each pass (e.g., a search that yields an address for the data subject will lead to a search for other ESI containing that address).
As is the case with incident response, however, unsupervised machine learning capabilities can be used to identify other documents which may have PII for the data subject or eliminate groups of documents unlikely to have PII at all.
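The iterative, targeted search and the normalization/deduplication steps described above, as an added illustration that is not part of the original post or any vendor's product: it pivots from seed identifiers to new ones only after a (simulated) reviewer attributes them to the data subject, canonicalizes formatting variants, and deduplicates identical ESI by content hash. The corpus, the `CONFIRMED` review decisions and the regex extractors are constructed for the example.

```python
import hashlib
import re
from typing import Callable

# Constructed sample ESI for illustration only; no real people or records.
CORPUS = [
    ("msg-001", "From: Ana.Lopez@Example.com\nHi, my new number is (555) 010-2345. Thanks, Ana"),
    ("msg-002", "Ticket from ana.lopez@example.com, escalated to helpdesk@example.com; callback 555-010-2345"),
    ("msg-003", "Order 8841 shipped to 12 Elm St, Springfield. Contact 555.010.2345"),
    ("msg-004", "Order 8841 shipped to 12 Elm St, Springfield. Contact 555.010.2345"),  # duplicate copy
    ("msg-005", "Team lunch Friday: RSVP to bob@example.com or call 555-777-9999"),
    ("msg-006", "Lease renewal for 12 Elm St - tenant account in good standing"),
]
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")
# Narrow extractors for the identifier types a reviewer typically pivots on (constructed patterns).
EXTRACTORS = [
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),           # email address
    PHONE_RE,                                              # US-style phone number
    re.compile(r"\b\d{1,5} [A-Z][a-z]+ (?:St|Ave|Rd)\b"),  # street address
]

def normalize(value: str) -> str:
    """Canonical form so formatting variants of one identifier are counted once."""
    if PHONE_RE.fullmatch(value):
        return re.sub(r"\D", "", value)
    return value.strip().lower()

def candidates(text: str) -> set:
    """Normalized identifiers present in one document."""
    return {normalize(m.group()) for rx in EXTRACTORS for m in rx.finditer(text)}

def pivot_search(corpus, seeds, reviewer_confirms: Callable[[str, str], bool]):
    """Iterative DSAR search: each round searches the confirmed identifiers; the reviewer vets new ones."""
    known = {normalize(s) for s in seeds}
    frontier = set(known)
    responsive = {}  # sha256(text) -> first doc_id seen, i.e. deduplicated by content
    while frontier:
        new_ids = set()
        for doc_id, text in corpus:
            toks = candidates(text)
            if not any(i in toks or i in text.lower() for i in frontier):
                continue
            responsive.setdefault(hashlib.sha256(text.encode()).hexdigest(), doc_id)
            # Review step: a co-occurring value becomes a pivot only if a reviewer attributes it to the subject.
            new_ids |= {c for c in toks - known if reviewer_confirms(c, doc_id)}
        known |= new_ids
        frontier = new_ids
    return known, sorted(responsive.values())

CONFIRMED = {"5550102345", "12 elm st"}  # constructed stand-in for human review decisions

def run_demo():
    return pivot_search(CORPUS, ["Ana Lopez", "Ana.Lopez@Example.com"], lambda c, _doc: c in CONFIRMED)
```

In the demo the email seed finds msg-001/002, the confirmed phone number pulls in the shipping records (the duplicate collapses to one), and the confirmed address reaches msg-006, while helpdesk@example.com is rejected at review and never becomes a pivot.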
The ability to respond to data privacy requests has become a standard expectation for any company that stores data for individuals (essentially any company). That means virtually every company needs eDiscovery workflows and technology today! Responding to privacy requests is a much more targeted and expedited application of eDiscovery workflows and technology than the other use cases, but the ability to leverage eDiscovery for privacy requests is just as important!
For more regarding Cimplifi security, privacy, and compliance services, click here.
In case you missed the other blogs in this series, Why Use a Hammer When You Can Use a Swiss Army Knife?: Use Cases for eDiscovery Today, you can find them here:
- Blog #1: Why Use a Hammer When You Can Use a Swiss Army Knife?: Use Cases for eDiscovery Today
- Blog #2: Why Use a Hammer When You Can Use a Swiss Army Knife?: Considerations for Arbitration
- Blog #3: Why Use a Hammer When You Can Use a Swiss Army Knife?: Considerations for Investigations
- Blog #4: Why Use a Hammer When You Can Use a Swiss Army Knife?: Considerations for Incident Response
- Blog #5: Why Use a Hammer When You Can Use a Swiss Army Knife?: Considerations for Privacy Requests
- Blog #6: Why Use a Hammer When You Can Use a Swiss Army Knife?: Considerations for Government Information Requests
- Blog #7: Why Use a Hammer When You Can Use a Swiss Army Knife?: Considerations for HSR Second Requests
- Blog #8: Why Use a Hammer When You Can Use a Swiss Army Knife?: Considerations for Information Governance
- Blog #9: Why Use a Hammer When You Can Use a Swiss Army Knife?: Considerations for Litigation