Privacy & Regulatory Compliance for Collaboration Systems

Enable Privacy by Design through User Adoption

Firms need to design and implement processes and systems that can manage personal data and provide audit/reporting assurances that data is in the right place. This starts with designing metadata and folder structures that enable documents to be uniformly grouped and easily located across all content systems. These processes improve user adoption of content systems.

• Create core folder and document structure for workspaces and documents
• Enable workspace and folder changes and updates across content systems
• Adjust workspace structure to improve usage

Implement Need-to-Know Security

Given the highly sensitive nature of their work, firms are moving towards adopting role-based security and permissions that provide access to only those that need to know. This allows client data to be restricted to only those people who are directly working on any given engagement and have been authorized by the client. Need to know security policies enhance security but also require technology and personnel to administrate the policy across content systems.

• Provision and de-provision workspaces and documents for security across content systems
• Limit access and editing rights to only those that need to know
• Control permissions provided to administrators and service desk professionals

Implement Data Mapping Capabilities

To comply with various privacy and cybersecurity regulations, firms need to know what data they have, where it is stored, and who has access to it. This creates the need for data mapping capabilities.

• Track key profile information about matters
• Track the location of matter workspaces across content systems
• Track key matter metadata to identify persons
• Track people who need access to data

Streamline Subject Access Requests Responses

As privacy regulations continue to increase, organizations must be able to effectively and efficiently respond to subject access requests. Subject access requests gives individuals the right to obtain a copy of their personal data as well as other supplementary information. These requests need to be resolved in a complete and timely manner.

• Track matter data to determine what content needs to be provided to the requester
• Provide content in a timely manner (latest one month from official request)
• Locate data across content systems to provide complete data to requester

Allow Trigger-Based Data Minimization

Data minimization refers to the ability to move or delete data according to a set schedule or when it is no longer needed. This requires a multi-step process which may involve first moving content from one system to another, exporting it back to the client, or completely deleting it from the system.

• Create policies that trigger matter-based data minimization processes
• Allow content to be moved within and between systems for archiving, deletion, or changes to security
• Implement policies based on client and matter metadata

Provide Assurance through Analytics

Firms need to have processes in place to prove that they are following policies. This can be done through analytics and reporting on user access and changes to data.

• Create report schedules and automate assurance processes
• Configurable dashboards to monitor activities
• Provide audit reports on source systems and compliance with data minimization policies

Readiness for Business Continuity Incidents

Essential and regulated industries (e.g., health, financial services, energy, etc.) are often required to have business continuity plans in place for their operations and their vendors’ operations. As a result, law firms are often required by their clients to implement business continuity plans.

• Securely store document in the firm’s AWS S3 account
• Enable access through one-time password
• Search for documents through profile searches and download document
• Check-in documents when systems return online