Posted by Phil Ayton
27 April 2018

With the General Data Protection Regulation (GDPR) bringing the management of personal data into sharp focus, law firms in particular are set to experience huge drops in productivity and billings.  Law firms create huge amounts of content heavily impregnated with personal data and store these in vast repositories.  As firms have expanded, merged and consolidated so these databases have grown into huge searchable knowledge stores.  Every lawyer at every large law firm uses these daily as to research proprietary content and leverage what the firm has done before.  From 25 May 2018, this utopian availability of knowledge has to stop thanks to the GDPR.

Thanks to the GDPR, law firms are locking down their document repositories, so that only those who can prove they need access to the data can use it.  Additionally, firms are obliged to purge any documents containing personal data that are no longer active or required for other compliance reasons.  Clearly this is an almost impossible task, so many law firms are setting a blanket rule that only those who created or editing data can access it.  In a single blow, the GDPR has killed the main source of know-how for lawyers.

Most firms will have knowledge databases where lawyers will have been encouraged to store model documents, precedents, examples, bibles and other reference materials.  However, even the most well-groomed knowledge database will probably contain documents with personal data and therefore is subject to the same access restrictions as other databases.  To prevent the closing down of these resources, law firms should proactively look to create a personal-data-free knowledge library.

Unlike the vast repositories held by document management systems, knowledge databases should be leaner and only contain relevant information.  Anything more that a couple of years old should be purged unless it can be proved that it is used and maintained regularly.  Any documents containing transactional information need to be sanitised by removing the personal data.  The most obvious method of doing this is through redaction, but what type of redaction should a firm implement?

When we think of redaction we think of documents with black lines through the important bits right?  But this isn’t what we want to do to our templates and documents; we need these to create new content.  Consequently, we need to replace the personal data with tags describing the type of data that should be added at the same point in the document.  This is exactly the same process as used by document automation technology to mark-up a document and turn it into a template.

If the data sanitization process uses document automation mark-up tools rather than redaction tools, then rather than destroying data, the same effort can be used to create better content generation in the future.  If the exercise is extended then multiple variation of documents can be merged into a single, maintainable document.

There are many benefits to including document automation in a GDPR sensitisation project.  Firms just need to find the right tools and get started as soon as possible.