One year on from COVID, the risks resulting from long-term work from home environments and economic troubles have been widely discussed—and felt—in every major region worldwide. Data and discovery risks have been especially impacted. We gathered a roundtable of our experts from France, Germany, Ireland, and Spain to discuss these issues in detail.
Many organisations are worried about IP theft, data privacy breaches and compliance violations that may occur while employees are dispersed and working from home. What can companies do to mitigate this new landscape of risk—both while their employees continue to work remotely and when they begin to return to the office?
Thomas Sely, Managing Director, France: The best practices really haven't changed, but because widespread remote working has prompted an increased risk of data breaches and IP theft, they've become more important. In France, we’re advising clients to adapt their tools and policies to align with the "dos" and "don'ts" of working from home, and helping them conduct assessments to ensure that applications approved for information sharing and communications are vetted and bolstered with strong privacy and security controls.
Gráinne Bryan, Managing Director, Ireland: Our clients in Ireland need to consider the problem from all angles, consult with IT security experts and create a robust plan of action to mitigate risk exposure. This plan should contain several specific elements, including:
- Monitoring employee and third-party access to internal systems—both the frequency of connection and quality of connection used;
- Regular review of all internal databases, servers and digital storage systems to ensure ongoing security and continued function;
- Conducting an audit of all outstanding electronic devices issued to organisation personnel;
- Making a full range of security training available to all personnel to help them avoid common missteps.
The growth of cloud and collaboration tools—which has exploded during the pandemic—creates an endless stream of new challenges for organisations across governance and e-discovery. What should legal teams be doing to get a handle on these challenges?
Sely: Getting a handle on emerging data sources requires a degree of technical expertise. Most of these applications are very nuanced and will require customised processes and specialised e-discovery tools or APIs to collect data and load it into a format that is compatible with standard e-discovery platforms. Legal teams should consult with digital forensics and e-discovery experts who have experience with these applications to implement governance around using these applications, design e-discovery workflows for them and avoid common pitfalls.
While these new data types are inherently challenging for e-discovery professionals, once legal teams have established a standard for collecting, processing and analysing them, they can be leveraged to enrich investigations and support more dynamic e-discovery.
COVID aside, there’s also a lot of uncertainty over how Brexit and Schrems II will impact data privacy, e-discovery, disputes, etc. Is the pandemic complicating these issues? What are the key areas you think clients should be focusing on as they navigate the implications?
Javier García-Chappell, Senior Director, Spain: Yes, there are several new challenges and pending developments. The Spanish Data Protection Agency (AEPD) has been recognised as one of the most active in Europe regarding data protection since GDPR was introduced, which resulted in cross-border data transfers being a central concern for the last two years. As a result of Schrems II, law firms and clients are even more aware of data transfers' implications, especially whether they are within or outside of Europe. Brexit is adding to the complications, as organisations here must now also take the legality of their data transfers to the U.K. into account. It’s important for organisations to not get so distracted by the challenges of the pandemic that they overlook or rush through the extra precautions needed to ensure data transfers are compliant with the laws in their region.
Sely: The pandemic has complicated virtually everything from a data perspective, and Brexit in the context of cross-border data transfers is no exception. Until there's more clarity around how the EU and the U.K.'s laws and regulators will interact, clients should tread carefully when moving data in and out of the U.K. and managing legal or regulatory matters that span the U.K. and EU jurisdictions. I think it's best to take a cautious approach and keep data in-country until EU authorities and regulators in each member country provide formalised guidelines.
How have you managed to stay connected to clients during lockdown? What challenges have you faced in juggling work and home duties?
Bryan: I've found several different practices beneficial for balancing the demands of work and home life. I connect with clients on a rolling basis, ensuring they regularly receive some contact. I think a virtual coffee check-in is as welcome by me as it is by them.
García-Chappell: I'd say I've juggled home and work duties more than a clown at the circus. At least a circus is how it feels many days! Beyond that, the main challenge has been establishing new connections and achieving the human touch and relationship with clients. It's easier to maintain a previous contact but much harder to gain a new one.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.