Guest post: Who is Responsible for eDiscovery?
Yerra’s director of eDiscovery consulting Will Wilkinson looks at the rise of eDiscovery to become the vast industry we now recognise today in which corporate legal teams are increasingly taking control. He asks and answers the question, who owns eDiscovery?
The question of who “owns” eDiscovery gets more interesting all the time. In the early days, corporations relied primarily on law firms to deal with identifying, collecting and reviewing electronically stored information (ESI) for discovery demands related to litigation or investigation. They really had no choice. After all, this was before an entire industry popped up around handling eDiscovery. Eventually, alternative providers came on the scene and many of the people who had developed a skill set around eDiscovery left law firms or started their own ventures. Costs came down, and clients demanded more visibility into spend and data management. We now are in a period when many eDiscovery vendors have been consolidated by M&A activity, fewer law firms are investing in their own eDiscovery services and corporate clients are facing ever-tighter data privacy regulations and ever-increasing cross-border issues and risks. As a result, corporate legal and IT departments are taking control – bringing more of the eDiscovery process inside their four walls. These clients have always “owned” eDiscovery but now they are asserting more authority and not just outsourcing it. Many are even building their own eDiscovery departments that sit in between corporate legal and IT. This is especially true for large, international companies that have substantial infrastructure and face intense regulatory scrutiny and constant litigation.
Bringing it In-House
“Bring eDiscovery in-house” is a popular phrase and you hear it from vendors all the time, but what does it mean? This depends on the messenger. Software and data hosting vendors will have different angles on this than consultants, recruiters and managed services providers. Interestingly, it is even a popular message amongst cloud-based hosting providers, which is another discussion entirely. Let’s look at it from the perspective of an in-house legal department making the determination about how to bring more eDiscovery in house and why they might do this.
The number one reason legal departments would bring the eDiscovery function in-house is savings. An eDiscovery service that is run in-house can implement initiatives directed at reducing costs, mitigating risks and introducing new technologies. Bringing the service in-house also gives more control and provides better client services while minimizing the role of outside services. Beyond this, risk is a major motivator. There is more and more liability for data security and as corporate and personal risk grows, in-house legal and eDiscovery teams have become more uncomfortable with the function being performed by multiple vendors outside their walls. Once a decision has been made to take greater control, the next step is to decide how.
Go it Alone
One model many corporations consider is fully insourcing the eDiscovery function. This initially seems attractive especially to large organizations whose infrastructure is often superior to any vendor they might use. After a complete evaluation, however, most decide doing so is not sustainable and not worth the massive effort. There are too many administrative burdens and staffing issues. There are also fluctuating workloads to think about – how will you keep all the full-time employees busy if/when litigation slows down or handle staffing up quickly when something major comes in? Not to mention recruiting and paying for the right level of expertise across the full EDRM.
A Hybrid Approach
What many corporate teams decide is that a balance between full outsourcing and full insourcing is necessary for success. The idea is to get the benefit of insourcing while minimizing the risk and hassle. Managing eDiscovery from pre-collection to production, especially for large, international companies, requires specific expertise, advanced technology and a sizeable staff. When there are multiple outside vendors performing the various steps of the EDRM, the expenses can quickly multiply and become overwhelming. So, a middle ground has been found by consolidating most of the process with a single, trusted partner who provides the needed staff and expertise. These teams are often embedded directly into the corporation’s internal functions, resulting in a better understanding of their needs and operations. Even though there is still some outsourcing involved through a managed services agreement, greater control over corporate data and processes is accomplished, while still reducing costs and risk.
Issues on the Horizon
Looming large over corporations in Europe and around the world is the General Data Protection Regulation (GDPR) that will take effect in May 2018. GDPR will impact eDiscovery processes and requirements in many ways, not the least of which is the level of liability a data “custodian” has in regards to the compliance of its vendors – or data “processors”. Corporations that outsource the processing of data for eDiscovery (or other purposes) will be responsible for ensuring that those vendors are compliant with GDPR. There will be no more “passing the buck” with an outsourced arrangement. Directives and additional clarifications are still coming from the EU in regards to GDPR. It is important to be familiar with these and conduct a rigorous evaluation of the gaps in your current processes well prior to the May 2018 deadline.
Here is a good reference page for GDPR updates.
Yerra has also created an overview of GDPR basics.
Will Wilkinson, director of eDiscovery consulting at Yerra Solutions, has been helping distressed organisations access data for forensic investigations, commercial data recovery and enterprise archiving systems since 1997.
We do not carry advertorials and only publish articles that have genuine editorial value. To pitch your idea for an article to our editorial team please contact firstname.lastname@example.org