From the EU’s General Data Protection Regulation (GDPR) to China’s far-reaching cybersecurity law, data localization mandates are affecting how multinational corporations manage and transfer data from their various worldwide offices.
Adhering to such international data regulations can be a tall order for corporate counsel, but one that can be readily met by taking some specific precautionary measures and employing a hefty dose of foresight.
Counsel who spoke at Legalweek: The Experience sessions, as well as Zapproved’s “Corporate E-Discovery Hero Award” ceremony, for example, have been able to navigate the complex regulatory terrain by following a few tried-and-true steps.
Here are three processes these speakers implemented to better secure their corporation in its multinational operations:
1. Conduct Targeted and Localized E-Discovery
Jeff Nass, senior e-discovery counsel at Boehringer Ingelheim, explained that long gone are the days when companies have free rein over what they can do with their data. Many international data regulations, he said, force counsel to consider “what is required to legitimately process data” at their disposal.
For Nass, this consideration means realigning discovery processes when a request for data comes in due to pending litigation or a regulatory investigation. During such requests, Nass first tries to avoid having to collect data outside the United States. “We try to phase discovery, which means let’s look at the data we actually have in the U.S., and if it’s really easy to get, how far that goes with fulfilling our discovery obligations.”
He added that if the data in question is in the form of emails, the majority of data may likely exist both in the United States and overseas server locations, because data “custodians are generally talking to each other.”
But there can be times when requested data is exclusively stored overseas, thereby forcing the corporation to collect data from another country, and thus heed local data protection laws. In such a case, Nass noted his team will “try to do a targeted collection” that adheres closely to local regulations on how data is handled and transferred.
Such a cautious process is a relatively new approach for American practitioners. “In the U.S., lots of us will take wholesale data sets and move it into the e-discovery process,” Nass said. But in other countries, “that is not legitimate.”
While performing a targeted collection can have its own challenges, such as being careful of how personally identifiable information is used, Nass noted corporations can rely on e-discovery providers that offer localized services, so that discoverable information stays within the country while being processed.
2. Implement Robust Legal Hold Visibility
As international regulations place new pressures on multinational corporations’ e-discovery efforts, an efficient e-discovery operation can mean the difference between compliance and crippling penalties. Part of adhering to regulations involves a well-run and managed legal hold process.
“From a corporate or government agency perspective, we need a robust legal hold platform,” Michael Arkfeld, founding director and faculty fellow at the eDiscovery Education Center and eDiscovery and Digital Program at Arizona State University, previously told Legaltech News.
Such robust platforms, he said, should include the ability for corporations to have visibility into everything that has been flagged throughout the company data ecosystem.
“Once a triggering event happens when you have a duty to preserve, you have to implement reasonable legal hold procedures, and most organizations will implement something. But I don’t think they are necessarily reasonable because they don’t track it,” Arkfeld added.
Attorneys, however, cannot blindly rely on technology for legal holds. Dawn Radcliffe, legal operations manager at TransCanada Pipelines, told Legaltech News that a big challenge corporate counsel face is the precarious nature of preservation, particularly given “changing types of data and the million and one ways people can save and manage that data.”
“I don’t think we have the confidence yet that the preservation-in-place technologies”—which lock down data in a specific repository—“are working the way we need them to,” she added.
3. Effectively Manage Employee Access
A multinational corporation’s efforts to prevent data misuse and avoid regulatory action will always fall short if it does not also account for one of the most unpredictable and perilous risk variables: its own employees.
Despite a company having siloed data to comply with cross-border regulations, an employee with access can easily transfer data outside its legally bound location.
So it’s no surprise that many corporations are limiting what their employees can and cannot access. “We put a lot of controls on our employees’ ability to handle data, so people can’t download data to thumb drives or CDs,” said Julie Richer, legal operations and discovery manager at American Electric Power.
She noted that her corporation’s visibility into what data employees are handling is so broad that despite having greater access rights to data than the average employee in her company, she still gets called by her IT department when downloading sensitive information.
“I love the fact that they are out there monitoring that much information,” Richer said.
Alongside data access control, Natascha Gerlach, senior attorney at Cleary Gottlieb Steen & Hamilton, added that corporations should also “have agreements in place with the employees” that outline how they are expected to handle company information.
By documenting procedures to follow, she said, a corporation can more easily understand and pinpoint where data mishandling occurred, instead of having to perform an extensive internal investigation.