Better Manage Your Organisation’s Data through a Data Discovery Process

Jayant Saran, Sachin Yadav, Rahul Vallicha | May 2019

With the government demonstrating greater commitment to resolving corporate disputes (through arbitration, fast track courts, or mechanisms such as the Indian bankruptcy code), the parties involved need to be better prepared to gather/produce documents with evidentiary value and submit their responses in legal and/or insolvency matters. Particularly in disputes related to fraudulent practices, data must be managed to allow a company to present relevant information to authorities and assess their factual legal position.

However, according to our experience, managing organisational data can be quite challenging in the global economy where companies can be subject to different legislation and regulatory obligations. In such a scenario, a well-designed data discovery readiness assessment process can be useful for organisations.

This process can help organisations understand the following aspects: 1) where their data lies, 2) how much of it is critical and relevant to the requirement at hand, 3) who are data owners, 4) what are geographical regulatory obligations, and 5) how should data be presented. Over time, this process can help organisations maintain compliance as it allows them to respond to regulatory requests or prepares them to deal with matters related to investigations or litigations.

WHY IS DATA DISCOVERY CHALLENGING?

Collating and sharing data (to be used as evidence) can be a challenging task that often involves deriving insights from both structured data (such as data from financial systems and enterprise resource planning software) and unstructured data (such as emails, data on fileservers, and backup tapes) aggregated from multiple sources in different formats. Some important considerations could be different data retention obligations and associated regulations according to jurisdiction and data type, and cross-border data transfer restrictions. Knowing how to manage personal data as part of the preservation process, maintaining data confidentiality during discovery, and storing data safely are also critical considerations, especially in the light of enhanced attention to personal data protection legislation. Organisations must also understand the appropriate level of technology they need to implement while keeping costs (as well as time consumed) at a minimum.

According to our experience, the following four vital aspects can be considered:

Familiarity/Ownership – It is important for senior management to understand data ownership and the competency levels of data owners with respect to their knowledge of various data systems in their organisations.
Volume – An organisation’s data must be aligned with applicable regulatory requirements and senior management must be aware of the procedures used for compliance.
Location – Knowing where data is stored is as critical as knowing the sensitive nature of different data sets. Data maps can help understand the landscape of an organisation’s digital storage infrastructure.
Preservation requirements – Organisations need to consider the regulatory requirements of data sets’ retention and preservation schedules, in case of litigation, and for geographical and jurisdictional privacy compliance.

Such preservation policies should also be considered when people playing specific roles leave organisations

SETTING UP A DATA DISCOVERY PROCESS

Organisations should set up a data discovery process that considers the entire life cycle of data. The process is explained below.

Information governance/ management: This stage deals with the creation, retention, storage, and disposal of records. It includes understanding various forms in which data is accessible, taking stock of the processes and policies in place, mapping various data islands with owners and storage locations, and collating the legal obligations required to retain data, and complying with jurisdictional data privacy laws.
Identifying sources: This stage involves identifying the potential sources of relevant information and their locations. These sources may include business units, people, IT systems, and paper files. At this stage, organisations can also determine the relevant custodians of data and develop a data preservation plan.
Data preservation: In this stage, companies need to promptly isolate and preserve potentially relevant data in ways that are legally defensible and auditable. This stage focuses on collecting data in a forensically sound manner and ensuring its integrity; preserving data and creating working copies if required; and maintaining a comprehensive and traceable chain of custody.
Data processing: In this stage, to prepare for an attorney review, the collected data needs to be processed to exclude irrelevant information. This can be done using intelligent analytics and converting data into more accessible forms. Content and context, including key patterns, topics, people, and discussions, are the focus areas of this processing phase.
Production and review of data: This stage involves presenting relevant evidence in an appropriate form using a data hosting and production platform based on circumstances such as depositions, hearings, and trials.

HOW CAN ORGANISATIONS BE ADEQUATELY PREPARED?

To improve data discovery readiness, we suggest an approach that includes collaboration among various teams involved in the process – legal, information security, privacy officers, finance, technology, and human resource. This will help discover critical data sources, owners, and retention requirements; review systems/tools being used for asset management, and legal hold implementation and tracking; deliberate on the data discovery and management process and policies; identify gaps and implement measures to improve the legal hold, data retention, and data preservation processes; and identify key stakeholders responsible for reserving data.

Organisations can proactively assess their data discovery readiness, which involves an end-to-end process. The process is used to map potentially relevant and often unstructured data sources, and identify critical data islands and owners to enable collecting, preserving, analysing, reviewing, and producing potential digital evidence. This evidence can then be effectively used in any legal or disciplinary matter(s), in an employment tribunal or domestic or international court of law.

Some factors that can be considered while assessing data discovery readiness include jurisdictional/regulatory differences across geographies to preserve data (including personal and financial data); ensuring the traceability of data; adequacy of employee training concerning data protection and potential breaches; and data rectification, legal hold, and data retention policies.

About Author

Jayant Saran

Jayant is a Partner and leads the Forensic Technology area within Deloitte Forensic India. He has over 19 years of experience and has assisted clients with matters related to cybercrime, bribery and corruption investigations, litigation support through e-discovery, dispute resolution and responding to regulatory enquiries.

Sachin Yadav

Sachin is a Director in the Deloitte Forensic practice in India and has over 14 years of work experience in the areas of Digital Forensic, Electronic Discovery and Incident Response. He has worked closely with law firms, forensic professionals and regulators while assisting them in over 200 fraud investigations across industries.

Rahul Vallicha

Rahul Vallicha is a Manager in Deloitte’s Forensic practice in India. With over 7 years of experience, his area of expertise lies in Discovery Consulting work and Litigation Preparedness for clients. He is the Relativity Administrator for Deloitte India and is a Certified eDiscovery Specialist. He has hands on experience working on forensic tools such as Encase, FTK, Nuix, Intella, Xways Forensic, Passware Kit and Internet Evidence Finder amongst others.