Safeguarding Sensitive Information and PII
This article is the last in a trilogy focusing on how technology can help with review and eDiscovery processes, more effective virtual collaboration, and safeguarding sensitive information.
Many lawyers spend a large portion of their time on administrative tasks like tracking the status of various cases, bridging information gaps, looking for information, securing facts, following up, document reviewing prior to eDiscovery, and building structures to be able to handle different matters and (sensitive) information more easily. Most of these tasks are done in collaboration with others and require the right set of legal tech tools.
In Part 1 and Part 2, we focused on finding, retaining, and acting on information, as well as Early Data Assessment (EDA). In this final part, we will discuss ways to safeguard sensitive data and PII.
Keeping Track of Sensitive Data and PII
GDPR and other national data privacy regulations have been in effect for a while now, and most companies have taken steps to ensure that they are compliant with the laws and regulations. Still, with a growing number of tools and applications, it is hard to keep track of where PII is being created, stored, and otherwise exposed. Human errors also occur, even when proper policies have been put in place.
For people who are dealing with, or responsible for, compliance within their company, it is an ongoing effort to make sure that their company and its employees are adhering to the policies.
Having tools at hand that help to identify where sensitive data and PII are stored and exposed could be a real help in taking the right steps to handle tasks like Data Subject Access Requests (DSAR) or removing personal/sensitive data from places where it shouldn’t reside.
Handling Sensitive Data and PII
An employee or a customer, for that matter, could exercise their right to access the personal data that you have stored about them. Many companies still struggle to uncover all of the personal data that they hold about an individual.
Once all of your data repositories have been indexed, NLP technology can be used to extract hundreds of PII data points to ensure that all of the data is found, no matter where it resides. Whether this data is stored in a structured way, like in a CRM, or in an unstructured way, like emails and scans of documents, you would be able to find it.
Once PII has been identified, there are tools such as Ayfie Supervisor that allow companies and their Data Protection Officers to automatically run reports and inform individuals about the actions they should take to redact data and prepare the report for the data subject.
The same approach of setting up and running reports to identify sensitive data that resides in a company’s various software applications can easily be applied to non-PII data. Since all data has been aggregated and indexed via an intelligent search engine, it’s easy to run reports against Intellectual Property data or to run tests for things like insider trading.
Data Leakage
One of our customers wanted to be able to track sensitive documents, especially when under NDA, to ensure that they did not leak into unauthorised repositories.
Data leakage is often a simple matter of one person accidentally making a mistake: for example, a document was attached to an email that included people who are not under NDA, or it is stored in a location that is publicly accessible.
To take matters into their own hands, this customer has set up rules and automated checks that provide warnings when the data shows up in new or different places. As a result, they can quickly tackle these issues, make sure that the data is not leaked further, and set in motion the right actions for follow-up. Simple and effective.
• How much time and how many resources are deployed when a DSAR is placed? Does it involve many manual tasks to capture it all?
• How do you ensure that sensitive data does not end up in the wrong places? What processes help you ensure this today?
• Do you have policies and workflows in place to help your teams stay compliant around PII? Can you describe these processes?