From Paper to Digital: Clearing a Dead Room
By Daniel Rupprecht, Director – eDiscovery Consulting
On a recent matter, I began the usual process of understanding the totality of the documentation that might be at issue, something which is never straightforward. I started with a discussion of custodians and date ranges followed by the typical questions related to data sources, devices, cloud storage and archived information. All seemed to be going well until my very last query. “Are there any hard copy documents that we need to consider?” To which I received the following answer: “maybe the contents of the dead room.”
The “dead room,” I would soon discover, was not unlike the final scene in ‘Raiders of the Lost Arc’ – a giant storeroom with row upon row of boxes stacked to the ceiling. It was called the “dead room” because apparently, this is where documents came to die. Also dead were the chances of putting together a complete, detailed, data map without a better understanding of what was contained in the many hundreds of boxes found therein.
When dealing with the broad requests for documentation in litigations and investigations, and with the implementation of the General Data Protection Regulation, knowing where your data is and what it contains is more important than ever. Take the above scenario but replace me with a Data Protection Authority (DPA) – the existence of a “dead room” quickly becomes no laughing matter. It will, in fact, be a clear indication that the organisation in question is not meeting its obligation to protect data subject rights, which requires it to only carry personal data that is essential to the operation of the business. In short, the days of answering “I don’t know what’s in there” are over.
5 Steps to Clearing a “Dead Room”
Step One: Identify & Destroy
Identify known documentation to destroy. Begin the process by categorising and labelling as much as possible. Historically it has been easier to just store documents rather than interrogate their organisational relevance. As such, most companies are carrying vast amounts of paper from one year to the next or even worse one decade to the next. Whether it be by year, corporate division, or individual, if you don’t need it, get rid of it. Having a document retention policy in place also puts a company in a better position if documentation legitimately no longer exists within the organisation.
Step Two: Organise
Organise the remaining boxes in some fashion. Hopefully there is an existing order (year, division, or individual) that you would like to carry forward which will provide an organisation the tools to evaluate how this should be maintained.
Step Three: Digitise
Convert all paper documents into an electronic format. The results may be somewhat uneven in terms of quality. For example, legacy invoices may be in such poor condition that they cannot be scanned. For the most part, however, the majority of documents can and should be converted. Work with a third-party provider to have these documents professionally scanned.
Step Four: Assess Quality
Assess the quality and completeness of the scanned documents. Determine what should be done with the digital representation. Optical Character Recognition (OCR) should be applied to all scanned documents to enable searching using typical eDiscovery tools. From a GDPR perspective, this provides another avenue to interrogate data that might contain personally identifiable information.
Document service providers can also manually fill empty metadata fields to enable even more functionality associated with advanced eDiscovery tools. With all fields accounted for and filled in, organisations will also be able to reintroduce these documents back into the destruction protocol chain as they will now mirror the digital data that currently flows through the network environment.
Step Five: Repeat
Ensure that all future paper production follows the same path. Having a formal system in place is not just good housekeeping, but also can be considered best practice when seen from a GDPR perspective. Should a DPA ask where particular data is located, it can now be easily reviewed. Should an accumulation of paper return, a policy is now in place to handle its eventual reintroduction into the digital food chain. Most importantly, if there is documentation stored on premises or a separate storage facility, when questioned by a DPA, the answer will no longer be “I don’t know.”
In the original scenario regarding the “dead room,” the client ultimately agreed to a settlement. Did they settle because everyone finally agreed to get along? Did they settle because everyone agreed that the best approach was to forget about half the data and only focus on what can easily be achieved? Did everyone agree that the data in the dead room was out of scope? Unfortunately, to all those questions, the answer was no.
The reality is, given the timeframes involved and the cost associated with clearing a “dead room,” what seemed like a vast chasm between two numbers resulted in a recalibration, taking into consideration moving forward to trial. Had the company already been in a position to know their data, perhaps the company would have been in more control of negotiations, or at least have had fewer factors impeding upon the original strategy or desired outcome.