I recall a notable meeting with an in-house litigation counsel at a large company circa 2005 when the concept of enterprise eDiscovery began to gain traction. The lawyer was gearing up for the then-upcoming 2006 amendments Federal Rules of Civil Procedure, and she brought in the company’s Chief Compliance Officer and his team to enlist their assistance.
The compliance team presented a demo of their internal enterprise dashboard, which mapped the company’s policies and procedures, such as document retention. The dashboard tracked compliance with those policies through a litany of impressive charts and color-coded indicators. However, at the end of the demo, the in-house counsel quipped (and I am paraphrasing here), “this is all good, but when opposing counsel serves us with a subpoena to produce specific emails and documents relevant to a litigation matter, we can’t respond by pointing to green lights on a compliance dashboard. We have to comply by actually producing the responsive emails and documents.”
I was reminded of this exchange when reading a practice update from the law firm of DLA Piper on the GDPR, which states: “The scale of fines and risk of follow-on private claims under GDPR means that actual compliance is a must. GDPR is not a legal and compliance challenge – it is much broader than that, requiring organisations to completely transform the way that they collect, process, securely store, share and securely wipe personal data (emphasis added).”
Translation: written polices, compliance dashboards and data mapping are very important first steps, but organizations are going to have to actually comply with the GDPR in a systematic and operational manner. And as such, many organizations will have to transform their information governance programs (and thinking) with a focus on such operational execution and enforcement of existing policies.
DLA Piper also references a very important dynamic of the GDPR in that the private citizens of the European Union will have active role in its enforcement. Unlike many regulatory regimes, where a relatively small handful of government regulators infrequently enforce the rules, organizations that store information on EU citizens will face about 300 million regulators, which is a rough figure of the adult population in the EU. These citizens can make requests at any time to have data deleted in place through the right to be forgotten as well as make other requests regarding the usage of their personal data.
Even more importantly, the GDPR provides a means for a private right of action under Article 82(1). Regulations which provide a private right of action, including the ability to bring a class action law suit, are exponentially more impactful than the vast majority of regulations which do not.
A mandatory aspect of GDPR compliance is the ability to demonstrate and prove that personal data is being protected, requiring information governance capabilities that allow companies to efficiently produce the documentation and other information necessary to respond to regulators and EU private citizen’s requests. As such, any GDPR compliance programs are ultimately hollow without consistent, operational execution and enforcement. To achieve GDPR compliance and also EU data shield certification, organizations must ensure that explicit policies and procedures are in place for handling personal information, and just as importantly, the ability to prove that those policies and procedures are being followed and operationally enforced. What has always been needed is gaining immediate visibility into unstructured distributed data across the enterprise, through the ability to search and report across several thousand endpoints and other unstructured data sources, and return results regarding PII leakage within minutes instead of days or weeks. The need for such an operational capability is further heighted by the urgency of GDPR compliance.
X1 Distributed Discovery (X1DD) represents a unique approach, by enabling enterprises to quickly and easily search across multiple distributed endpoints and data servers for PII and other data from a central location. Legal and compliance teams can easily perform unified complex searches across both unstructured content and metadata, obtaining statistical insight into the data in minutes, instead of days or weeks. With X1DD, organizations can also automatically migrate, collect, delete, or take other action on the data as a result of the search parameters. Built on our award-winning and patented X1 Search technology, X1DD is the first product to offer true and massively scalable distributed searching that is executed in its entirety on the end-node computers for data audits across an organization. This game-changing capability vastly reduces costs while greatly mitigating risk and disruption to operations.
X1DD operates on-demand where your data currently resides — on desktops, laptops, servers, or even the Cloud — without disruption to business operations and without requiring extensive or complex hardware configurations. Beyond enterprise eDiscovery, GDPR and other information governance compliance functionality, X1DD includes the award-winning X1 Search, improving employee productivity while effectuating that all too illusive actual compliance with information governance programs, including GDPR.