2018 ARMA Houston Spring Conference

Decoding the EDRM

Or How to Master the Identification Phase and Conquer the World

Todd L. Dietrich, CCE, EnCE, IGPBDO USA, LLP

2016 ARMA Houston Spring Conference2

Agenda

1. Introduction2. The Electronic Discovery Reference Model3. Litigation Readiness 4. Identification5. GDPR6. Key Takeaways7. Questions

2016 ARMA Houston Spring Conference3

With you today…

tdietrich@bdo.com Direct: 713 548 0791

2929 Allen Parkway20th Floor

Houston, TX 77019

Tel: 713 407 3826Fax: 713 968 7140

www.bdo.com

Todd L. Dietrich, CCE, EnCE, IGP

Todd Dietrich has more than 25 years of experience inproviding governance, risk management and complianceservices for global organizations. As a co-founder of BDO’sData & Information Governance Practice he leads our policyand procedures practice area where he regularly works withclients to evaluate IT, privacy, security, informationmanagement and related documents. Currently, Todd worksclosely with our clients to evaluate their privacy, informationmanagement and GDPR readiness requirements. In the pastTodd has assisted counsel with drafting discovery requests,protective orders and 30(b)(6) queries regarding digitalevidence; and with data collection planning and execution.As the former leader of BDO’s Digital Forensics team he hasa wide array of investigative and litigation support serviceswhere has been called upon to testify a number of times.Additionally, he has conducted digital forensics examinationsinvolving civil, criminal, due diligence, and internal corporatematters. These matters have included theft of intellectualproperty, DMCA/software piracy claims, False Claims Actinvestigations, keylogger detection and tracking, and variousemployment law issues.

2016 ARMA Houston Spring Conference4

EDRM: Electronic Discovery Reference Model

2016 ARMA Houston Spring Conference5

Understanding the EDRMPhase Description

Identification Locating potential sources of ESI & determining its scope, breadth and depth.

Preservation Ensuring that ESI is protected against inappropriate alteration or destruction.

Collection Gathering ESI for further use in the e-discovery process (processing, review, etc.)

Processing Reducing the volume of ESI and converting it, if necessary to forms more suitable for review and analysis.

Review Evaluating ESI for relevance & privilege.

Analysis Evaluating ESI for content & context, including key patterns, topics, people & discussion.

Production Delivering ESI to others in appropriate forms & using appropriate delivery mechanisms.

Presentation Displaying ESI before audiences, especially in native & near-native forms to elicit further information, validate existing facts or positions or persuade an audience.

2016 ARMA Houston Spring Conference6

Litigation Readiness

DEFINITION

Litigation Readiness can be defined as:

Proactive efforts taken by an organization to prepare for the discovery phase of litigation or an investigation. These efforts help to position discovery response as a consistent and defensible business process.

2016 ARMA Houston Spring Conference7

Litigation readiness in the EDRM

2016 ARMA Houston Spring Conference8

Market drivers

Costs Reduce discovery costs

less duplicate or unnecessary information

reduced processing, hosting, and review fees

Optimize discovery workflow

Risks Limit incomplete collections and

risk of spoliation

Reduce legal exposures from over retention of unnecessary records

Avoid inconsistent discovery processes

Drive compliance with regulators

GDPR

2016 ARMA Houston Spring Conference9

Identification

Custodians Relevant Departments

Locations

Current vs. former

Data Sources Email

Workstations

Mobile devices

Network locations

Locating potential sources of ESI & determining its scope, breadth and depth

2016 ARMA Houston Spring Conference10

Challenges to Easy Identification

Unstructured data in organizations

(Source: https://hbr.org/2017/05/whats-your-data-strategy)

50% is used in decision making

1% is analyzed or used at all

70% of employees have improper access to data

Analysts spend 80% of their time just looking for and preparing data

2016 ARMA Houston Spring Conference11

Identification Approach

Smaller Data Volumes

Catalog

Classify Clean-up

2016 ARMA Houston Spring Conference12

People, process, technology

Develop a designated response team

Seek input from business leaders

Users: trust, but verify

Crawl network collecting metadata

Index network content

Federated search Cloud storage

utilities

Optimize legal hold process

Align policies and processes with leading practices

Develop a response plan

2016 ARMA Houston Spring Conference13

More approaches to consider

Standardize data management for discovery Develop discovery vendor requirements Audit discovery vendors Reduce unnecessary data in the discovery process

Once a plan or process is established, memorialize it!

2016 ARMA Houston Spring Conference14

GDPR to the rescue!

Article 5 of the GDPR addresses retention and disposition.

Does not add any significant burdens on organizations with respect to record retention

The wrinkle for organizations is that with respect to personal data, section 5(1)(e) provides that it “be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”

2016 ARMA Houston Spring Conference15

What is the GDPR?

The General Data Protection Regulation (GDPR) imposes new rules on organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents, no matter where they are located.

Enhanced personal privacy rights

Increased duty for protecting data

Mandatory breach reporting

Significant penalties for non-compliance

Fines are up to 4% of global revenues or €20 million, whichever is greater.

BECOMES EFFECTIVE ON MAY 25, 2018

2016 ARMA Houston Spring Conference16

GDPR Background, Impact & Context

Sensitive personal dataSensitive personal data are special categories of personal data that are subject to additional protections (e.g., genetic data, biometric data, criminal information).

Personal dataApplies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

Data subject rightsThe Right to: access, erasure, to be forgotten, or data portability.

2016 ARMA Houston Spring Conference17

EDRM is THE standard for the litigation process Litigation readiness is about being proactive Reducing costs and mitigating risks push litigation

readiness Identification is the nexus between litigation readiness

and information lifecycle management (ILM) The GDPR is a powerful lever to use to push IG, ILM,

RIM and LR initiatives.

Key takeaways

2016 ARMA Houston Spring Conference18

Questions?

2016 ARMA Houston Spring Conference19

You can contact me at: Email: tdietrich@bdo.com Direct Line: 713 548 0791

Thank you!