In the beginning was eDiscovery and, alongside it, the barely-regarded business of records management. EDiscovery brought obvious risk – of losing a case or, in the US, of being sanctioned for non-compliance with a court rule. Records management appeared to bring neither risk nor profit and its problems, so it was thought, could be solved by buying another server.
The concept called “information governance” showed its face briefly in about 2012, but did not take off because there was nothing obvious to buy to solve a problem which organisations barely regarded anyway.
Then cybersecurity risks brought damaging outcomes – expense, reputational damage and lost customers. Regulatory expectations and regulatory interventions began to equal or exceed the demands of litigation discovery. Privacy and data protection requirements rose to the top of the pile with the advent of the EU’s General Data Protection Regulation, which induced first indifference, then panic (at the expected level of fines), then the comforting illusion that only Google, Facebook and other organisations whose business was data collection were the targets.
Better organised, or better advised, organisations came to realise that, while the big fines were indeed aimed at those who collect data in order to sell it, they all collected and held data which included personal information ancillary to whatever their main business was. It became clear, eventually, that all these subjects – litigation discovery, regulatory requirements, cybersecurity threats and privacy duties – were all interlinked. The ideas about information governance came back to life.
Throughout all these changes, FTI Consulting kept the faith with the concepts of information governance as an overarching discipline which tied all the other things together. FTI’s Jake Frazier was the first person I heard set out a logical framework embracing all these disciplines, leading to the establishment of a dedicated FTI group responsible for, and called, Information Governance, Privacy & Security.
The IGP&S business cases is set out thus:
Information Governance, Privacy & Security from FTI Technology can develop and implement information governance solutions that reduce corporate risk, cut storage costs, secure data, improve the e-discovery process and enable faster and deeper insight into data.
Organisations are increasingly allocating budget to information governance and investing both in people and in technology to handle it all. One problem dominates – the shortage of people with appropriate skills, particularly those capable of taking on the role of Data Protection Officer. Late in 2018, FTI expanded its data privacy and data protection practice, not least by launching a Data Protection Officer (“DPO”) service solution within its technology segment.
I spoke to Chris Zohlen, Managing Director in FTI’s IGP&S practice, and asked him to talk me through the present need and demand for data protection and related services.
Chris Zohlen said that brand protection and reputational risk were increasingly sources of concern for organisations, not merely the fines which had caused such concern when the GDPR first came along. US reaction to the GDPR was originally muted, many organisations believing that it did not apply to them. As lawyers and providers started talking and writing about it, there was a rush to put budget into management systems and procedures relating to privacy. Organisations want to know what is the minimum viable readiness they need to have in place. They recognised that the GDPR had a “big bark” but nevertheless waited to see if it had bite. From about January 2018 they realised that it does.
Further, the US began developing its own privacy regulations, bringing an end to the comforting illusion that privacy was something which affected other people. There was also the growing realisation that all companies had personal data, not just those whose business involved the management of data. The Yahoo breach (a class-action, nothing to do with the GDPR) alerted many companies to a risk they had felt able to ignore.
Some companies were more progressive than others. They began to realise that they were not only spending millions on eDiscovery and cybersecurity, but that there was a tension between the perceived need to keep data for some purposes and the obligation to delete data for other reasons.
Chris Zohlen said that security and privacy were in FTI’s information governance model five or six years ago. FTI’s team does not just say “Here’s how to do privacy”. They help organisations understand how the regulator is going to look at them and how consumers will see them.
The appointment of a data protection officer is an obligation for those caught by the GDPR, but it was increasingly seen as something which organisations ought to have anyway. Many companies still don’t have such a post, and find it hard to recruit suitable people. FTI had people with deep experience in eDiscovery and analytics, as well as relevant formal qualifications. This led to the development of FTI’s DPO-as-a-Service offering.
Many mid-sized companies began to realise that they held large amounts of consumer data. There is a new class of player whose business depends on, say, Instagram, whose core business is influencing people where consent is not obtainable, and where the GDPR calls the whole business model into question. FTI’s DPO-as-a-service model is ideal for such organisations.
There is an assumption, at least among eDiscovery people (of whom I am one), that there will always be a need for the retrospective exercise to find documents relevant to past events which is what discovery is. The progression with which I began this post put eDiscovery at the starting gate and sees everything else as derived from discovery or dependent on its tools and skills.
I stand by that (and the worldwide outlay on pure eDiscovery does not seem to diminish, though its recipients are changing from lawyers to those who provide software and services, and though the lines increasingly blur between the headings).
The balance must shift eventually, however, away from reactive and retrospective discovery and towards the anticipatory and proactive approach which falls under the heading information governance. This is not just because organisations will get better at IG. Microsoft’s Office 365 offers the potential for organisations to undertake proactive identification and classification from the beginning. Furthermore, the data is already in the cloud, offering itself for instant and pre-emptive analysis (unsurprisingly, Office 365 migration and discovery is one of the services offered by FTI’s IGP&S service).
Two predictions are worth making: one is that, however blurred its boundaries become, the wider eDiscovery business will continue to expand; the other is that this expansion will not respect jurisdictional boundaries – the precise demands may be different between countries, but the same skills and tools will be needed everywhere.
FTI, already a global business, has recently made announcements about its use of RelativityOne in India and in Brazil, and made a senior eDiscovery appointment in Hong Kong. It is a reasonable bet that where these discovery initiatives begin, FTI’s information governance, privacy and security initiatives will quickly expand.