Corporate Data Challenges in EMEA in 2021: Data Privacy and Information Governance Considerations (Part 3 of 4)

Data privacy considerations have become top of mind across large corporations due to the potential reputational risks of a privacy violation, especially in consumer and healthcare focused industries. As mentioned in the prior post, privacy assessments are increasingly being conducted as part of an M&A due-diligence process, alongside the integration of the acquired organisation into the business processes, infrastructure and policies of the acquirer. Likewise as U.S. organisations acquire a presence in Europe, they will need to adapt their business processes to comply with local privacy and data protection legislation.

Beyond the M&A context, data privacy regulations and the increasingly decentralised structure of multi-national corporations are impacting investigations and e-discovery work in a number of ways. First and foremost are the issues with data transfers across borders. With a global IT estate, it becomes important to appropriately determine which systems contain information relevant to an investigation, where those systems are located, and who within the organisation (or outside the organisation if it is a cloud-based system managed by a third party) has control. Each step of finding where data is resident, gaining access to it and transferring it to a central location for analysis and review needs to have the data privacy and transfer implications assessed to ensure they’re being appropriately managed.

Another impact is the rapid increase in data privacy breach investigations. GDPR requires organisations that have experienced a data privacy breach to report this within 72 hours of becoming aware of the breach. Meeting this timeline for issuing notifications to authorities can be challenging for corporations to meet, as it takes time to investigate what happened, the extent of data impacted and the identity of the individuals involved. Uncovering accurate information about what happened, ability to identify and notify impacted individuals and demonstrating competency of investigation to regulators is of the utmost importance. Therefore the combination of expertise in forensic analysis, privacy and crisis communications, coupled with strong collaboration with outside counsel and key stakeholders at the corporation, are key to meeting difficult timelines and ensuring any briefings to regulators are comprehensive and correct.

As clients continue to grapple with the difficulty of reacting to high-stakes, high-pressure matters, the interest in proactive programmes that reduce the risk and burden of investigations is heightened. Work was trending in this direction before the pandemic, though many proactive efforts were stalled while organisations focused on immediate survival and keeping employees safe. As the world continues to unlock, organisations are looking to resume proactive IG and compliance projects, such as remediation of legacy data, implementation of defensible deletion policies, data mapping and improved controls around IP, personal data and other instances of sensitive information.

With this, we’re also starting to see the positive effects of the past few years’ increase in IG awareness. Governance programmes that were put in place are now delivering benefits both in terms of helping legal teams understand their data landscape, better prepare for impending investigations and be able to respond more quickly when demands for data arise. These are important steps that will enable organisations to better manage the impacts of the vastly growing data universe.

The final upcoming post in this series will discuss developments in class action litigation in EMEA, as well as evolving demands in e-discovery and digital forensics.

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.