Consider ease of compliance when procuring chat software

The pandemic accelerated the adoption of chat and collaboration software within businesses. While chat platforms are convenient for business communications, naturally many were built with a focus on user experience for communications and collaboration, rather than how well they perform from a compliance or eDiscovery point of view.

From our experience of dealing with many different types of chat software, we would recommend getting the answers to these questions before selecting a platform for your business:

– What are the options for data retention, including legal hold? It’s important to consider how this data will be preserved before it needs to be.
– How easy is it for an IT administrator to manage these settings? You need it to be simple for IT teams to administer. This will save time and avoid errors whereby data is not retained when it should have been.
– Does the software allow the settings to be applied at a granular level to individual groups or users? Ideally IT teams can target individuals that are subject to an investigation and thereby limit the volume of data and the associated time and costs.
– How is the chat data exported and in what format is the data exported to? Ideally the format should lend itself to ease of conversion and processing using eDiscovery software.
– Can the IT administrator run exports (by which we mean extracting the raw data from the system) or do requests need to be performed by administrators at the platform itself?
– If the latter, what is the turnaround time of the provider in the event of an investigation where time is of the essence?

Maintain effective information governance processes

Good information governance and a clear understanding of the types of business data held within an organisation are key to managing risk and ensuring that quick decisions on data collection can be made when needed.

A business needs to understand how its employees are communicating, regardless of whether an investigation is ongoing. Employees within different departments may use different modes of communication. This might even extend to chat applications which are not officially authorised.

Before an issue arises the company should already be prepared with a map of potential data sources, and an appropriate data preservation and collection methodology. This should be regularly updated as data management practices change over time. It will form an efficient starting point should an issue for investigation arise.

Impose rules on staff use of business devices and personal devices

Companies that allow use of personal devices for work communications should have a comprehensive “bring your own device” or BYOD policy. The benefits of such a policy for staff include greater flexibility and the option to use a device they are familiar with. For business, there are potential cost savings of procuring and maintaining devices.

A business should tread carefully when balancing a user’s privacy rights with the need to retain control over business data on the phones. It is worth being mindful of the capabilities of the IT department to support the policy. Managing the security of the device and of business data, in compliance with UK GDPR and the Data Protection Act 2018, will also be critical.

Key aspects of the BYOD policy should cover:

– How will the business ensure that work is only carried out through approved applications?
– What are the rights of the business to access a personal device if it holds key information for an investigation or dispute?
– What make and model of device is permitted and what is the latest version of the phone operating system that must be installed?
– Should the company be permitted to remotely wipe the device if the device goes missing?

A policy for business devices should specify what types of applications staff are (and are not) permitted to download and install, and the extent to which they can use the device for personal reasons.

It should be made clear which other IT-related policies staff are expected to adhere to when using devices (whether their own or business), such as the IT Acceptable Usage Policy and Data Protection Policy.

The post is part of a blog series on our eDiscovery-related experiences working with chat data. In blog 1 we looked at the main types of chat platforms and some of the issues that can arise. Our next post will provide practical advice for businesses once an investigation begins.

A&O’s in-house eDiscovery team offers assistance in navigating the complex process of electronic data discovery. Working as one team with our lawyers, the eDiscovery team leverages technology to get to the facts of a matter more efficiently. This translates to better, quicker and more informed legal decisions and therefore better value for our clients.