Understanding Data Nuances at the Intersection of E-Discovery and Compliance
Adoption of and demand for governance, risk and compliance (GRC) software have been growing steadily in recent years, with reported success in helping organizations manage and mitigate a variety of risks. Alongside this increased reliance on GRC tools, and their improved ability to store information in a defensible manner, has come the need to extract information from them for data discovery in disputes and investigations.
As data storage and collection functions within GRC platforms and e-discovery processes overlap, legal and compliance teams are encountering unexpected data challenges. For example, when data must be extracted from a GRC tool and converted for an e-discovery platform, issues can arise with reconciling data formats and with duplicative extractions from GRC platforms. This can create barriers to exporting the GRC data into an e-discovery platform for analysis and review, as well as errors in converting certain artifacts and metadata, all potentially leading to additional time and manual work for e-discovery teams.
Additional challenges include the creation of duplicate data sets and GRC exports that present chat data in email format, which complicates conversion to RSMF (Relativity Short Message Format). Further complications can arise when cloud suites (e.g., Microsoft 365 and Google Workspace) are also relevant data sources.
GRC data types that may come into scope in discovery, and some of the e-discovery considerations that may arise, include:
- OneTrust: Uses JSON, CSV and XML formats, offering strong metadata tagging and compliance features, but requires careful mapping during data exports.
- LogicGate: Uses JSON and CSV formats, providing data consistency and scalability, with a need for careful handling of nested structures and custom fields.
- MetricStream: Uses JSON and XML formats, managing complexity with detailed logging, though ensuring XML schema compatibility with e-discovery tools is crucial.
- NAVEX: Uses JSON, CSV and XML formats, facilitating flexibility in data export and integration, with a focus on metadata integrity and compliance management.
- Archer: Uses JSON, CSV and XML formats, offering flexibility and automation capabilities, with an emphasis on metadata preservation and workflow configuration.
Reducing the incidence of data challenges when GRC tools are tapped for e-discovery purposes requires upfront work when implementing new systems and workflows. These steps help to ensure tools are optimized for e-discovery and help avoid mistakes and extra work downstream in the discovery process. They include:
- Consolidate sources. The GRC platform should be seamlessly integrated with all relevant data sources, including emails, chat logs, documents and other digital communications. Centralized data storage simplifies the e-discovery process by providing a single point of access for all necessary information.
- Implement data integration tools. Robust data integration tools can aggregate data from disparate systems into a centralized GRC platform. Processes such as ETL (Extract, Transform, Load) can help normalize and consolidate data.
- Standardize formats. Consistent data formats should be applied across the GRC platform. Common formats such as JSON, XML or CSV streamline the data extraction process and ensure compatibility with e-discovery platforms, reducing the risk of data mismatches and errors during conversion.
- Leverage APIs. APIs and web services help enable seamless data exchange between systems and ensure that data is synchronized and accessible in real time, maintaining accuracy within the system.
- Automate tagging and classification. Automated tools within the GRC platform can be used to tag and classify data based on predefined criteria such as date, document type and relevance. Automated tagging facilitates quick identification and retrieval during e-discovery, enhancing efficiency and accuracy.
- Define and enforce retention policies. Clear data retention policies within the GRC platform will help ensure compliance with regulatory requirements and organizational guidelines. Automated retention schedules also help maintain data integrity and prevent accidental deletion of crucial information.
- Automate data synchronization. Real-time or near-real-time data synchronization between the GRC platform and other business systems ensures that any changes in one system are immediately reflected in the GRC platform.
- Enable batch data export. GRC platforms can be configured to support batch data export capabilities. This feature allows for the efficient extraction of large volumes of data, which is essential during the e-discovery phase, and helps manage time-sensitive legal requests.
- Preserve metadata integrity. All metadata must be preserved during data capture and storage in the GRC platform to uphold the data's context and authenticity.
- Maintain detailed assessment trails. Comprehensive assessment trails within the GRC platform will track all data access, modifications and exports. Detailed logs support transparency and accountability, provide necessary documentation for legal proceedings and assessments, and help identify any duplicative data sets.
- Uphold quality. Data quality metrics and dashboards can continuously monitor data integrity. Metrics such as data completeness, accuracy and timeliness can highlight areas that require attention.
Finally, regular data assessments within the GRC platform, conducted in partnership between compliance and discovery teams, will help verify the accuracy and completeness of stored information. Validation protocols can also detect and correct errors in data capture and storage, ensuring data quality and reliability for e-discovery. This information can proactively reveal issues and help with continuous quality control and improvement within the system.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.