23 December 2022 · 6 minute read

Managing data = managing investigation/litigation risk

Strategic data protection – or data management – is not just to address compliance with data privacy and cyber laws. Proactive data management, in its broadest sense, is increasingly critical to conduct efficient investigations, and more effective litigation and related disclosure exercises.

What does this mean in practice?


Understand your data

Do you fully know what data your organisation has? You may have a ROPA (record of processing activity) which maps out your personal data. But does it cover all processing around the world? Many organisations only have ROPAs for EU/GDPR purposes.

Apart from personal data, what about other categories of data? Your organisation’s internal data classification may not align with categories of data that are, for example, subject to strict data sovereignty rules under local laws/regulations in other countries. So, while you may know you have certain data, do you know whether you can use it during an investigation, or share it with headquarters in another country?

You may have record retention policies and retention schedules. But do your record descriptions actually capture what data you have?

You cannot effectively use data unless you know what it is, and what you can/cannot do with it. Data mapping of data sets is critical to managing data risks, but also seizing opportunities to use data, including for investigation, litigation and disclosure purposes. Current data policies and data record-keeping tend to be too limited, meaning organisations don’t have a full handle on their data inventory. This can mean you miss key data. It can also lead to unpleasant surprises when it comes to investigations, litigation and disclosure.


Don’t assume you can just use your personal data for investigations/proceedings

Time is often lost at the outset of a matter whilst steps are taken to establish whether individuals’ data can be monitored, collected and reviewed for the purposes of the investigation or litigation.

Notice: does your privacy notice sufficiently cover the use and sharing of personal data in connection with an investigation or legal proceedings? Most data protection laws allow an organisation to use personal data it has collected from an individual in the context of investigations or proceedings, provided the individual was notified (usually via a privacy policy or privacy statement) of this when their data was first collected. Checking and updating privacy notices now to cover this may therefore enable you to use the data immediately during an investigation or litigation without needing to take any further steps. This saves time and effort during the critical early stages of an investigation or of forming a case. Waiting until an investigation is afoot risks losing time and putting individuals on notice of their suspected involvement in a matter.

Consent: do you have the individual’s consent to use their personal data in connection with an investigation or legal proceedings? A few data protection laws, notably the EU’s GDPR and Hong Kong’s Personal Data (Privacy) Ordinance, don’t require this. But under other data protection laws – notably those across most of Asia – you must have the individual’s consent to collect, use and disclose their personal data. Some – in particular Mainland China – require additional, separate consent for cross-border data transfers, including transfers between group companies. In the context of an internal investigation, it can be very difficult to get that consent once an incident occurs or an investigation is underway, especially from the protagonists. Getting the right consent(s) upfront, when the data is first collected, is straightforward and enables data to be used and shared – and transferred overseas – immediately during an investigation or litigation.

Exemption: what if your notice and/or consent is not in place? Exemptions in a few data protection laws allow use and disclosure of personal data for investigations, to respond to regulator enquiries or legal proceedings. However, don’t assume you can rely on an exemption. Not all countries have them; and in those that do the exemptions are often very limited (e.g. just to proceedings or as regards laws in the local jurisdiction). Avoid this risk – plan ahead and make sure your privacy notice and consent (if you need it) are in place now, so you don’t even have to think about exemptions.


Can you access your data?

Even if you have mapped out a full data inventory, have you operationalised it? That is, have you tagged your data in your systems so that you can easily identify what type of data it is, where it originated, which data laws apply, whether it can cross borders, and which policies apply to it?

Do your systems allow you to apply a litigation hold to certain data?


Don’t keep data for ever

Personal data cannot be kept forever – most data protection laws require it to be deleted or de-identified once it is no longer needed for the purposes for which it was collected. Other records must be retained for a specific period by law, such as tax records. But do you keep the data for too long? Many organisations hang on to data for longer than permitted or needed, just in case or because the data is valuable.

Even if you have data retention schedules, do you actually purge data regularly? Do you really delete it all, including back-ups? Do you really, truly anonymise or de-identify data before keeping it, especially where you undertake big data analytics, operate data lakes or use AI?

Not being regimented around data retention – both in terms of policies and in actually following them – not only breaches data protection laws but also risks retaining data unnecessarily that may then have to be disclosed as part of an investigation or litigation.


Right-fit your data team

Data management is broader than data privacy. Data management requires full alignment with the business – strategic, operational, technical and compliance. Data notices, policies and procedures should be drafted carefully to address investigation and litigation risks as well as immediate compliance requirements. Legal and compliance teams should work with the IT and infosec teams to ensure the policies and procedures can be implemented at a systems and operational level.

Our data privacy, investigations and litigation teams are experienced at managing data and investigation/litigation risk. Contact any of the authors of this article to discuss how we can help further.
