How GDPR and DSARs are Driving a New, Proactive Approach to eDiscovery

March 25, 2020



Michael Brown

Executive Summary

The GDPR and Data Subject Access Requests (DSARs) are a key reason why companies are starting to focus their attention on information governance strategically, as opposed to simply reacting each time they get a request. With GDPR, companies have seen a significant increase in DSARs and the resulting requirement to look inwardly at their data landscape is timed perfectly with advances in cloud computing.

Inconsistent Need

Over the last 20 years, I have assisted clients in responding to triggering events such as litigation and investigations by helping to identify where their data is and how to retrieve, preserve, and filter it for legal review. Rarely have those same clients been interested in proactively implementing information governance frameworks and policies without a consistent need to do so. A General Counsel once told me they face an investigation about as often as every Olympic cycle, so they don’t prioritise resources to prepare for such an infrequent event.

The GDPR and associated DSAR obligations have provided exactly this motivation. However, this stick has combined with the carrot of cloud computing to provide the right mix of requirement and capability, not just to make compliance a token project stream within a company, but an enterprise-wide strategic initiative to focus on how data is generated, accessed, managed, and deleted.

Common and Civil Law Environments

Throughout my career, I have worked closely with companies in mainland Europe and the Middle East on cross-border litigation and investigations. In my experience, companies operating in civil law jurisdictions are not as familiar with the eDiscovery process as their common law counterparts unless they have faced regulatory scrutiny (such as companies in the financial services or technology industry). This is because they and their counsel do not face the same discovery obligations and thus have not traditionally focused on gathering evidence to produce to a court or third party. The result is inadequate retention procedures and disconnected strategies regarding data management.

However, one thing all companies have in common is that using technology to make data management more efficient has become essential as data volumes grow. For example, DSAR responses may not be as ‘normal’ in mainland Europe as they are in the US or UK, but they have universally added motivation to those tasked with managing data within the company.

Information Governance Buy-In

Now that awareness of the significant consequences of holding certain data longer than you need has increased, senior leadership is prioritising (even at board level) how to effectively manage data within the company. This comes at a time when most companies have moved or are moving to the Cloud. According to Microsoft, “97% of Fortune 500 and 95% of Fortune 1000 companies have Office 365.” Notably, these companies are not moving to the Cloud for compliance or eDiscovery reasons; they are doing so for overall enterprise reasons, including streamlining IT operations by moving off premise, giving employees access to modern workplace tools, and for security purposes. But as a bonus, when it comes to comprehensive cloud platforms such as Office 365, information governance, compliance, and eDiscovery tools are already included.

Cloud Relevance for Legal Teams

Now that companies are shifting their focus to information governance, what can legal teams do to utilise the investment they’ve made in cloud computing? Business efficiencies are important, but they are not what legal is primarily concerned about; risk management is the key and, to that end, data management is the order of the day.

With increased GDPR penalties looming and cloud capabilities at their disposal, lawyers are now turning to the central pillars of information governance – document retention, categorisation, preservation, defensible deletion, identification, collection, and, depending on cloud maturity, data migration.

For example, utilising functionality within Office 365, a company has a fighting chance to develop very effective and granular document retention policies that actually work and are dynamic (rather than a dusty document no one ever refers to). Categorising a document (or having it automatically categorised) when it is created, as well as determining, based on its content, when it will be deleted, is a very powerful capability. Setting email and chat message retention based on a defined policy is a significant achievement that goes a long way to limiting what data is kept and for how long.

Not Just Technology

GDPR and the Cloud have revolutionised information governance and provided the motivation and capability to address new and existing risks and inefficiencies, but for these technology solutions to work in the long term, there needs to be a strong focus on people and processes. Change management has always been the Achilles heel of technology implementation and it is no different for Office 365 when it comes to effective information governance.

First and foremost, the company needs to determine who has responsibility for its various processes. For example, who will respond to a DSAR? Who will create the data searches, preserve the data, and retrieve it for review? When it comes to labelling a document, what are the criteria for determining what qualifies as personal data? How does the technology assist in the decision making? How can a remediation exercise tie into an ongoing retention policy?

Overall Compliance

It is very hard for a multinational company to become 100% GDPR compliant. However, the Cloud offers significant capability for a company to take very reasonable and appropriate measures that go a long way. It’s better to be in the middle of the sheep pack than on the outside when the wolf is close, and modern cloud technology allows companies to develop enterprise-wide frameworks to better manage their data. Let the regulators worry about companies with no demonstrable plans, not those who have made comprehensive changes to their data landscape. Even for companies that are not used to the fraught discovery world of US or even UK discovery, information governance has become a key priority due to GDPR and increasingly complex data environments that can now be managed in an effective and coordinated manner.

More on this topic can be found in this article, Three Steps to Tackling Data Privacy Compliance Post GDPR. To discuss this article further, please feel free to reach out to me at

About the Author

Michael Brown

Mike has over 18 years of in-house and consultancy experience in the legal technology industry. He has a strong track record in helping global corporations to achieve greater efficiency when managing compliance, information governance and complex disputes including litigation, arbitration and investigations. Previously Mike was with Linklaters in London and New York for several years, developing their e-discovery capabilities, before moving on to practice as an industry consultant. Mike has since held executive director positions at Control Risks and Epiq Systems, where he was instrumental in founding the EMEA e-discovery business for both companies. His team leadership experience is paired with his client-facing project experience, particularly in mainland Europe and the Middle East.