Why Moving to the Cloud can Help with DSARs (and Have Some Surprise Benefits)

November 5, 2020



Matt Bicknell
Matt Bicknell

However you view a DSAR, for any entity who receives one, they are time consuming to complete and disproportionately expensive to fulfill. Combined with the increasing manner in which they are being weaponized, companies are often missing opportunities to mitigate the negative effects of DSARs by not migrating data to the Cloud.

Why Moving to the Cloud can Help with DSARs (and Have Some Surprise Benefits) AdobeStock_234040701

Existing cloud solutions, such as M365 and Google Workplace (formerly known as G-Suite) allow administrators to,for example, set data retention policies, ensuring that data cannot routinely be deleted before a certain date, or that a decision is made as to when data should be deleted. Equally, legal hold functionality can ensure that data cannot be deleted at all. It is not uncommon for companies to discover that when they migrate to the Cloud all data is by default set to be on permanent legal hold. Whilst this may be required for some market sectors, it is worth re-assessing any existing legal hold policy regularly to prevent data volumes from ballooning out of control.

Such functionality is invaluable in retaining data, but can have adverse effects in responding to DSARs, as it allows legacy or stale data to be included in any search of documents and inevitably inflates costs. Using built-in eDiscovery tools to search and filter data in place in combination with a data retention policy managed by multiple stakeholders (such as Legal, HR, IT, and Compliance) can mitigate the volumes of potentially responsive data, having a significant impact on downstream costs of fulfilling a DSAR.

Typically, many key internal stakeholders are frequently unaware of the functionality available to their organization. This can help to mitigate costs, such as Advanced eDiscovery (AED) in Microsoft 365, or Google Vault in Google Workspace. Using AED, a user can quickly identify relevant data sources, from mailboxes, OneDrive, Teams, Skype, and other online data sources, apply filters such as date range and keywords, and establish the potential number of documents for review within in minutes. Compare this to those who have on-premise solutions, where they are wholly dependent on an internal IT resource, or even the individual data custodians, to identify all of the data sources, confirm with HR / Legal that they should be collected, and then either apply search criteria or export the data in its entirety to an external provider to be processed. This process can take days, if not weeks, when the clock is ticking to provide a response in 30 days. By leveraging cloud technology, it is possible to identify data sources and search in place in a fraction of the time it takes for on-premise data.

Many cloud platforms include functionality, which means that when data is required for a DSAR, it can now be searched, filtered, and, crucially, reviewed in place. If required, redactions can be performed prior to any data being exported externally. Subject to the level of license held, additional functionality, such as advanced indexing or conceptual searching, can also be deployed, allowing for further filtering of data and thus reducing data volumes for review or export.

The technology also allows for rapid identification of multiple data types including:

  • Stale data
  • Sensitive data types (financial information/ PII)
  • Customer-specific data
  • Suspicious / unusual activities

By using the inbuilt functionality to minimize the impact of such data types as part of an Information Governance / Records Management program, there can be significant changes and improvements made elsewhere, including data retention policies, data loss prevention, and improved understanding of how data is routinely used and managed in general day-to-day business. This, in turn, has significant time and cost benefits when required to search for data, whether for a DSAR, investigation, or a litigation exercise. Subject to the agreement with the cloud service provider, this may also have benefits in reducing the overall volume and cost of data hosted.

With a sufficiently robust internal protocol in place, likely data sources can be identified and mapped. Now, when a DSAR request is received, an established process exists to rapidly search and cull potential cloud-based data sources, including using tools such as Labels or Sensitivity Type to exclude data from the review pool, and efficiently respond to any such request.

Migrating to the Cloud may seem daunting, but the benefits are there and can be best maximized when all stakeholders work together, across multiple teams and departments. DSARs do not have to be the burden they are today. Using tools readily available in the Cloud might also significantly reduce the burdens and costs of DSARs.

To discuss this topic further, please feel free to reach out to me at MBicknell@lighthouseglobal.com.

About the Author

Matt Bicknell

Matt Bicknell has over 15 years' experience assisting clients with global regulatory investigations, complex commercial litigation, arbitration, and employment matters, and leveraging technology to provide the most cost-efficient outcome for clients. Matt specializes in multijurisdictional matters, assisting clients with responding to regulatory investigations and/or information requests, focusing on the clients' electronic evidence and IT infrastructure. Matt has been globally engaged by clients, working in various sectors including automotive, aviation, banking, oil and gas, construction, engineering, healthcare, information technology, insurance, non-profit, pharmaceutical, and utilities sectors. He has experience with the following regulatory agencies: European Commission, Financial Conduct Authority, Financial Services Authority, Department of Justice, Financial Crimes Enforcement Network, Office of Fair Trade, and the Security and Exchange Commission. Matt is recognised by his clients as a strategic, trusted advisor to senior legal counsel, specialising in legal and compliance, investigations, eddiscovery and information governance.