As GDPR enforcement approaches you should start to think about the ESI (Electronically Stored Information) held on your systems that could contain personal data. Whilst reviewing how data is being stored, processed, transferred, updated and protected you must also consider how to later perform e-Discovery on all of that data.

Not unlike the proverbial see-saw, the more you lock something away the more difficult it becomes to get to afterwards. However, Subject Access Requests (SAR) will require the data to be produced without delay and usually within one month. Without tools or processes in place the challenge could prove to be insurmountable, especially with lots of decentralised data on legacy systems.

Your organisation could ask some high-level questions to assist with e-Discovery, examples being: Where is our data being stored? Can we or should we move the data to make it more organised? Is it possible to classify our documents or can we at least start classifying all new documents that are created? Is the data in our backups easily restorable in a timely fashion? Do we have data in our backups that is no longer relevant and should be removed? Should we consider using a live set of data rather than backups to make searches a much quicker process? Is there data that is encrypted that would make it more difficult to perform Discovery searches on those files?

Whilst it may seem trivial to process data during normal business operations with controls in place to protect that data, it can be an entirely different and often extremely challenging task to perform Discovery searches on it later on. With the clock ticking on a SAR this will only compound the difficulty and associated costs, you should consider thoroughly researching how e-Discovery could impact your business.