ZyLab + ArkCase + eDiscovery: A Privacy Management Solution to Solve CCPA/GDPR Challenges


With the emergence of data privacy laws in the USA and European Union, companies are facing an uphill battle. The legal framework around the Data Subject Access Request (DSAR) imposes strict rules on processing and responding to requests. Failing to respond to a DSAR can mean serious financial penalties.

Under the General Data Protection Regulation (GDPR) in the EU, and its US equivalent, the California Consumer Privacy Act (CCPA), non-compliance fines can be as high as 20 million Euros or 4% of annual global organization revenue. Under CCPA, noncompliance is not directly sanctioned, but it keeps the door open for violations and lawsuits.

Despite such large fines, according to Egress, only 30% of business respondents are in regulatory compliance, and only another 27% plan to do it in 2020. A recent ZyLAB survey points out that for 45.4% of those implementing the DSAR solution, the biggest challenge is to remain compliant in the future.

In this text, we will cover the DSAR compliance topic and propose several off-the-shelf technologies that can provide a reliable, scalable and most importantly, cost-effective DSAR solution.

The greatest DSAR compliance challenge 


We live in a time of corporate data explosion. Digitally connected, we are creating a digital trail wherever we go, whatever we do. Our civilization’s digital footprint doubles every 18 months.

With the introduction of DSAR, data has gone from an undisputed source of wealth and business value to a regulatory problem that requires fundamental changes in organizational behavior.

GDPR and CCPA create a whole set of new obligations that organizations can’t ignore.

  1. Citizens can use the “Right of Access” (GDPR) or “Right to Know” (CCPA) to ask whether an organization possesses personal data about them.
  2. Citizens can use the “Right to be forgotten” (GDPR) or “Right to Delete” (CCPA) to demand deletion of all their personal data that the organization possesses. Data controllers are obligated to do it “without undue delay,” which means in a one-month time frame.
  3. Organizations should follow specific data management regulations such as:
     • Strict cybersecurity requirements (mandatory data encryption, data security measures, report of breaches, etc.).
     • Data processing rules.
     • Redacting or pseudonymizing all sensitive information when there is no regulatory need to collect, possess, manage, or use it.
  4. They must ask the user for prior consent before the user’s personal information is collected and stored.
  5. All data breaches must be reported, and all subjects whose data has been breached must be informed. Organizations have 72 hours from discovery to notify authorities and must keep all records about it. Also, data subjects must be notified “without undue delay” when breaches have affected their unencrypted personal data. The CCPA adopts the individual cause of action or class action versus organizations that fail to adopt reasonable security practices to prevent data breaches.
  6. All third-party integrations must be in regulatory compliance, and the organization should be able to demonstrate that.

As we see, regulatory compliance is not an option. It is an obligation.

From the perspective of DSAR, organizations need a scalable system to receive these requests, process them quickly and respond on time. However, with a growing data footprint stored in disconnected data sources like emails, chat systems and physical correspondence, searching for each requestor’s data is a daunting challenge. Luckily, there are advanced search solutions that can handle this kind of workload.

ZyLAB’s eDiscovery: The silver bullet on the data train?



At its core, eDiscovery is the collection, processing, and indexing of disparate content so that it can be thoroughly reviewed and redacted. Heavily used in the legal sector, eDiscovery enables organizations to scour large sources of data for Personally Identifiable Information (PII), lightning fast.

When an organization receives a DSAR, the challenge lies in tracking all data sources for specific details, usually personally identifiable information and other data about the requestor and the data holder. These requests can be simple to process, but as organizations grow, so does the complexity of these requests.

In two examples, organizations have reported staggering costs of processing complex SAR requests. The first is from the Nursing and Midwifery Council in the UK. A single, heavily redacted DSAR cost about $315,000 in processing costs and legal fees. In another case, Oxford University faced a $150,000 cost to respond to a single SAR request, because the University needed to process over half a million emails in order to respond to the requestor, Dr. Cécile Deer.

Without a software solution that can process digital data and find personally identifiable information of the requestor (all while masking other individuals’ PII), responding to SAR requests can be extremely expensive for organizations.

Therefore, an eDiscovery solution like ZyLAB ONE is as good as a silver bullet for DSAR challenges. Finding any document in various locations, fast and at scale, is essential for a reliable DSAR solution.

Without using eDiscovery, any DSAR solution would struggle with the search functionality, which is essential for timely DSAR processing.

eDiscovery is responsible for:

  • Locating and processing all relevant data across all repositories, e-mails, etc.
  • Redacting all personally identifiable information related to other individuals mentioned in the same content.
  • Collecting information directly from the relevant organization’s sources with true data integrity.
  • De-duplicating the information. With any DSAR search, the portion of duplicate documents can be up to 80%. Deduplication eliminates a huge portion of work, therefore speeding up the DSAR response time.
  • Automatically unpacking containers of files and making every component searchable.
  • Enriching non-searchable data such as scans, images, media files or unsearchable PDFs, so that all information can be searched and used.
  • Analyzing, classifying and organizing information for a quick and comprehensive review.
  • Using auto-redaction to anonymize or pseudonymize personal and confidential information. This is crucial for data transfer outside of the EU. Anonymization is the more robust solution: after redaction, the data subject is no longer identifiable. With pseudonymization, data can no longer be attributed to a data subject without additional information. That additional information is kept separate and subject to technical and organizational security measures. Only when the identifiers are reunited with the core data will it be safeguarded like any other personal data. Otherwise, a non-attribution must be provided.
  • Automatically converting all electronic file formats to one standard format before redactions.
  • Providing detailed tracking and reporting, which give a complete audit trail to prove requested personal data erasure.

These are the key features to solve the GDPR/CCPA bottleneck for finding any document across all locations in the organization. It’s important to note that not all eDiscovery solutions have all these features incorporated.

ZyLAB ONE’s AI-powered eDiscovery combines advanced search, text-mining, auto-classification, natural language processing (NLP) and machine learning. Using these procedures, ZyLAB ONE can cull information from archives to ascertain what information can be destroyed without harming the business, historical or legal need for that data.

ZyLAB ONE eDiscovery can scale out and manage search over large clusters of machines. Both indexing and searching can be distributed over as many machines as desired, and indexes can be centralized or distributed for better performance or robustness needs.

This results in almost unlimited scalability of the search engine. Depending on the hardware, ZyLAB can index multiple terabytes of data in a matter of just a few hours. At the same time, it maintains the ability to search faster than any other product for large queries containing positional operators, Boolean and quorum search, wildcards, fuzzy matching (also at the beginning of words) and complex regular expressions, with flexible parsing and tokenization.

Support functions like index checksums, index status monitoring tools, the environment status tool, and the current running status help with control and maintenance.

Having a powerful eDiscovery component alone, however, isn’t enough for a solid DSAR solution. Organizations need to marry this search feature with a system that can capture DSAR requests and use workflows and automation to process them at scale.

DSAR Management with the ArkCase Case Management Platform



One of the hallmarks of DSAR request management, other than being data-intensive, is that it has a relatively fixed workflow:

  • It all starts with a public portal where people can fill out a DSAR request.
  • Next, there is a mandatory identity verification to confirm that the requester is the data subject. Then, the request is queued for processing.
  • The processing has a fixed workflow of finding the data, deduplication, redaction, review, and delivery.
  • The data subject can respond with a deletion request, to which the company can respond with proof of deletion beyond recovery.
  • Lastly, the entire process from submission to closure should be auditable, meaning that at every stage of the workflow, log entries are recorded and stored securely.

Software solutions that are preconfigured with workflows and forms are also heavily used in medical and legal practices. These case management solutions enable organizations to automate repetitive tasks, streamline workflows, leverage collaboration and use the cloud for global yet secure access.

One of our favorite case management platforms is ArkCase. It is a modern, open-source case management platform that accelerates case processing time. Thanks to its flexibility, ArkCase offers many off-the-shelf solutions such as data privacy management, FOIA requests management, complaint management, correspondence management, legal case management, etc.

ArkCase is a robust platform that comes with a personalized dashboard, document management capabilities, collaboration, rules engine, configurable and pre-configured workflows, advanced search, reporting, calendaring, task management, multimedia search and is fully auditable. It is an open-source solution that is field-tested, cost-effective, and future proof.

  • Content/Records Management System
  • Robotic Process Automation (RPA)
  • Analytics
  • Correspondence Management
  • Modern eDiscovery

With these integrations, the ArkCase DSAR Solution claims a processing time savings of 60%. Without the DSAR Solution, the cost of manually processing privacy requests is $1,400 per request.

With flexible licensing and pricing, ArkCase DSAR can be an excellent way to achieve full CCPA and GDPR compliance without breaking the budget.

Wrap-Up: The Combined Benefits Of ZyLAB ONE And ArkCase 


As a result of legal frameworks such as GDPR and CCPA, companies are facing an ever-growing amount of data disclosure requests governed by DSAR. Companies that gather and store large volumes of user data will find it difficult to respond to these requests on time, even if all their data is digitally stored.

Finding all personally identifiable information related to the requestor, while redacting all other PII from other individuals mentioned in the requested documents, is a daunting task that cannot be solved by increasing the workforce alone. Therefore, organizations turn to scalable technologies like ZyLAB ONE and ArkCase. ZyLAB ONE provides a reliable and fast eDiscovery search, while ArkCase enables people to work optimally, one case at a time.

ZyLAB ONE eDiscovery has the most scalable and flexible architecture on the market. ZyLAB ONE easily handles large data volumes. The total system capacity can be scaled up by assigning as many virtual machines as needed to increase the computing capacity. As a SaaS-based eDiscovery solution, it is suitable for thin-client and remote work use, but it can also be implemented on-premise or hybrid.

ZyLAB ONE eDiscovery provides seamless integration for an efficient process without interruption. A flexible architecture “follows the wave of data” through the eDiscovery system during a project. Thanks to this flexible architecture, ZyLAB ONE provides a future-proof solution for processing large amounts of data, ensuring reliable eDiscovery functionality.

ArkCase is a FedRAMP Moderate open-source platform with a proven track record. As a cloud DSAR solution, it is suitable for thin-client use and remote work use, but it can also be implemented on-premise or hybrid. Federated Search is implemented as an information retrieval technology that allows the simultaneous search of multiple searchable resources.

Combined, the two provide a scalable DSAR solution that offers an organized, central location where all data is standardized and where all your Production Readiness Review (PRR) processes begin and end. It is a platform that gives control over data access, document review and redaction, and the ability to request status at any point in time. All actions are documented and traceable, preventing any possible litigation.

If you’re interested in finding out more details about how Armedia can help as a Solutions Integrator and solve your Data Privacy Management needs, contact us for a no-obligation consultation.


The Importance of Weaving Consistent eDiscovery Search Practices into the FOIA Process


As the number of FOIA and public records requests increases, so do the numbers and types of records that must be searched. This is becoming a big problem and is even causing legal issues for FOIA agencies.

The Department of Justice received 228 FOIA lawsuits in FY 2018. According to the FOIAproject.org, this is because FOIA agencies struggle with the ability to efficiently search through all related stored documents such as video and audio recordings, scanned documents, and large document repositories.

These large files required manual review, and this is why, in many cases, they were simply omitted. This omission resulted in lawsuits. Two hundred and twenty-eight of them.

Image Source: FOIAproject.org

As you can see from the chart above, the number of lawsuits continually increases every year. In the past 10 years, the number of lawsuits doubled.

FOIA agencies are facing these consequences because of their outdated approach to searching documents.

This is where eDiscovery steps in.

The Need To Incorporate eDiscovery Practices Into FOIA Processes

In 2012, a ruling by U.S. Judge Shira A. Scheindlin of New York pointed out that eDiscovery practices need to be increasingly incorporated into the FOIA and public records process.

The suit in question was brought by the National Day Laborer Organization Network against the U.S. Immigration and Customs Enforcement Agency. The reason behind it was the inadequate searches, both manual and technologically assisted, conducted by federal agencies and used as responses to FOIA and public records requests.

Here is an excerpt of a press release about this lawsuit, illustrating the importance of using proper search procedures, and using available technologies:

Judge Scheindlin flatly rejected the defendant agencies’ claim that they should be “trusted to run effective searches…without providing a detailed description of those searches.”  Particularly harsh in its conclusions about the FBI’s failure to search for documents, Judge Scheindlin characterized as “absurd” their position that ordering an office to conduct a search and receiving no response satisfied government obligations under FOIA.  Pointing out that FOIA requires the government to “use twenty-first-century technologies to effectuate congressional intent,” the decision broke new ground by ordering the government to “work cooperatively” with plaintiffs to “design and execute” new searches.

Judge Scheindlin also said that search details are critical to determining adequacy. This means that federal agencies should produce the search terms used in electronic searches and that searches should be conducted uniformly.

How eDiscovery Search Practices Can Help Improve FOIA


In most cases, FOIA requests involve millions of documents. This contributes to the growing costs of responding to FOIA and public records requests.

Fortunately, eDiscovery search practices have been used in legal departments for years now. According to Judge Scheindlin, eDiscovery search practices are exactly what FOIA agencies lack in FOIA and public records operations.

Here is how they can be useful in improving FOIA and public records processing:

  1. Finding unknown relationships and identifying relevant information that may or may not contain the search criteria, protecting the organization and diminishing risk.
  2. Reducing the time spent aggregating content from different repositories across the agency, improving productivity and reducing costs.
  3. Eliminating manual tagging except by authorized users.
  4. Supporting multiple search techniques.
  5. Eliminating repetitive searches.

Thanks to search practices like in-text and metadata search, filtering out semantically related but topically unrelated terms, and the more advanced features like stemming, phonetic and fuzzy search, eDiscovery is a very powerful tool for FOIA agents.

In addition to the complex nature of document searches, the actual review of the documents has become more challenging for FOIA agencies.

eDiscovery search practices enable FOIA agencies to find all of the related documents in a case and bring back a clean list of documents that employees can manually review.

eDiscovery platforms automatically remove duplicate documents and emails, thereby reducing the total number of documents to be reviewed by up to 70%. They also provide a user-friendly side-by-side preview pane that allows FOIA agencies to compare similar and near-duplicate documents.

The use of eDiscovery search technologies eliminates the need for human reviewers to peruse every document.

Also, the pre-collection analytics of eDiscovery can be especially useful. It allows FOIA agencies to assess a request immediately through keywords and other advanced search features. This further reduces the amount of data that actually has to be extracted from a given repository to fulfill the request.

In order to facilitate the use of technology, FOIA agency clerks will need to learn new ways of handling FOIA requests. They will need to be trained by eDiscovery experts on the most efficient workflow for finding data and searching for details to redact.

To Sum Up

Instead of dreading lawsuits, FOIA agencies should adopt the recommendation of Judge Scheindlin and employ eDiscovery search practices as part of their FOIA and public records operations.

The Office of Information Policy has been helping government agencies to rely more on eDiscovery to cut workloads and close information requests faster.

Because they are designed to sift through large amounts of data and locate specific information, eDiscovery search practices are also ideally suited to meet FOIA challenges with demonstrated ability to:

  • Search through various sources and file formats: emails, multimedia files, OCRed documents, document repositories, etc.
  • Eliminate duplicates, near-duplicates, and irrelevant files to greatly reduce the number of documents to review.
  • Automatically classify documents by department, document type, custodian, withholding reasons, exemptions, and many other relevant categories for faster, more organized review.
  • Automatically redact exempted information, Personally Identifiable Information (PII) and Protected Health Information (PHI).
  • Accelerate review and production of responsive records with customizable, automatic reporting and indexing features.

As the process of handling public records requests is very similar to an eDiscovery, agencies can overcome their current FOIA challenges by teaming up with experienced eDiscovery solution providers. ZyLAB, for example, has designed its proven eDiscovery technology platform to deal with the ever-increasing number of PRRs by streamlining and automating the processes, to deliver fast, thorough, and reliable public records disclosures. Their eDiscovery solution is tailored to meet the specific requirements for FOIA and PRR and provides a more scalable and flexible environment for processing electronic records, helping agencies process disclosures in a timely fashion without risk.

To learn more about eDiscovery and FOIA software integration, please feel free to take a look at this blog post where we elaborated on this subject in greater detail. And if you have any questions, feel free to contact us.