Law Technology Today – May 23, 2017 – Why is the General Data Protection Regulation (GDPR) Important?

Why is the General Data Protection Regulation (GDPR) Important?

As of May 25, 2018, the European Union (EU) will alter business requirements for companies that possess personal information pertaining to EU residents. The General Data Protection Regulation (GDPR) applies to any company doing business with customers in the EU, and will have a far-reaching impact, greater than many corporations realize. While a primary purpose of the GDPR is to harmonize data privacy protection regulations across the various EU member nations, the potential business interruption for organizations around the world that will result from these new standards is a serious concern.

The applicable fines set forth in the GDPR for failing to comply with regulations are significant. Corporations that handle EU customer data, regardless of where the company is based, can face up to EUR 20 million (approximately $22.3 Million U.S. Dollars) in fines, or 4% of their total global revenue for the preceding fiscal year, whichever is higher, for GDPR noncompliance. Hence, if a company has customers based in the EU, these GDPR requirements must be taken seriously.

The GDPR data protection protocols must be in place for “Personally Identifiable Information” (PII) of all living EU citizens, regardless of where that information is sent, processed, or stored. In addition, the company possessing such PII data must have a process in place to verify and prove that valid protections exist. Corporations are not exempt from the GDPR simply because they don’t have offices there, or don’t process data in the EU. The EU’s concept of data privacy differs greatly from the United States’, but U.S.-based corporations doing business with EU citizens will still have to adhere to the strict requirements of the GDPR. The impact of the GDPR reaches nearly all companies, including many that are seemingly unaware of its regulations. In certain specific circumstances, companies must create a position of “Data Protection Officer” (DPO), who will address GDPR compliance. Hence, the costs to prepare for compliance will include requirements for trained personnel and financial investment in technology.

Having a means to comply with the stringent requirements of the GDPR is no simple task. Planning is required to comply, which is why the regulations are not meant to take effect until May 2018. Some of the complex issues that need to be addressed for GDPR compliance include:

  • How electronic information is stored, transferred, accessed, and secured.
  • Document retention schedules, and how they are enforced.
  • Written proof of compliance.

Creating an effective compliance strategy will be costly and many companies have not set aside money in their projected annual budget for the funds required to address these concerns, which means they will come from emergency or other contingency planning budgets.

Those corporations who have already begun to address their information management capabilities in general will have an advantage in complying with the GDPR requirements. Many of the key elements of a corporate “Information Governance” (IG) plan are related to the issues of concern for GDPR compliance. The ability to manage information, and address data governance, corporate risk, and regulatory compliance, are existing concerns for corporations, notwithstanding the GDPR. Existing technology for cybersecurity and “Data Loss Prevention” (DLP) can also be utilized to help prepare for the GDPR. Moreover, search and retrieval technology and techniques used for eDiscovery purposes also serve as a means to assist in managing information. The illustration below from Susan Bennett, of Sibenco, provides useful insight into aspects of information governance, many of which help address the specific needs of the GDPR.

(Source: “What is Information Governance and How Does it Differ from Data Governance,” Sibenco, 2017, Information Governance vs Data Governance)

Handling sensitive information, such as PII, is a challenge that pertains to both IG and GDPR compliance. Restrictions imposed on the transfer of PII by the GDPR can be addressed by the use of technology. Identification of sensitive content within a business record, and the ability to redact portions of content, can impact whether that specific file is transferrable under the rules set forth by the GDPR. Having a means in place to identify the content of data will be essential for GDPR compliance. In addition to IG protocols, “Knowledge Management” (KM) practices will also enhance a corporation’s ability to comply with the GDPR. The ability to garner business intelligence about the information the corporation possesses will serve as a significant advantage for GDPR compliance. Knowledge of not only files in possession and control of a business, but also about the content level within those files, will be a prerequisite for doing business with EU customers.

Addressing GDPR Compliance

Since the GDPR specifically requires the ability to prove data protections are in place, documentation of existing privacy safeguards is essential. All documentation and processes must clearly address issues such as: where is the data; what type of data exists; who has access to the data; what is in the data content; how is data stored; how is data transferred; how is newly created data incorporated? Without answers to these questions, GDPR compliance is impossible.

Below are suggestions for IG best practices which can be specifically implemented to address the requirements of the GDPR:

Data Mapping. If a DPO does not know the location and/or the contents of corporate data, it is impossible to fully protect that information per the GDPR requirements. The need for data mapping is rather obvious since the risk of non-compliance is too high without the knowledge of location of all the corporate sources of data. If the data map for the corporation is incomplete or inadequate, a discussion with the I.T. stakeholders in the company should take place to update this information. Collaboration between I.T., management, and the corporate legal department, in order to create a comprehensive data management plan is a vital step toward GDPR compliance. Any corporate data stored by third-party providers, including cloud services vendors, or data archival companies, requires attention. The data in the possession of third-party providers is also subject to the GDPR regulations applicable to the corporation, including information retained by outside counsel law firms. If data in possession or control of the corporation contains PII of EU citizens, GDPR compliance requires steps to protect such information.

Understanding File Contents. Many corporations seem ill prepared for the requirement to know the contents of their internal data. Knowing where data resides is only part of the equation. A corporation must also know what the data is and contains. For example, are the files legally binding in nature, such as contracts and agreements? Do the files contain any sensitive data, such as PII or PHI?

Consent. A key requirement of the GDPR is the need to obtain specific consent from an individual before obtaining, storing or utilizing their personal data. The corporation must provide a clear affirmative action or statement providing permission to process the individual’s data. In addition, the GDPR establishes that the individual has a “Right to be Forgotten,” and can request their personal information be explicitly removed from use. Without some other legal reason to process an individual’s information, the corporation must respect a request to delete data without undue delay.

Information Request. On a similar note, an individual has a right to request access to the personal information being gathered and stored about them. The individual may request information from a company about any of their personal data, including: who has access to their information, how the data is accessed; where it is being accessed; and the purpose for which it is being accessed. Furthermore, an individual can also seek corrections about their personal data, if the EU resident feels the information is inaccurate. The individual may object to the use of their data for profiling by the corporation.

Retention Schedules. Enforcing corporate document retention schedules, while also maintaining proper litigation hold protocols, is already a challenge for many corporations. There are inherent risks associated with maintaining information when there is no legal obligation to retain possession of that data. An effective means of dispensing with specific information that is outside of an applicable document retention schedule is an important component for both IG and GDPR compliance.

Security Breaches. An overarching component of the GDPR is the need to provide cybersecurity protections to prevent data breaches, as well as express provisions regarding notifications of data breaches to both the supervisory authority and to individuals whose information has been exposed. Hence, corporations must not only be aware when a breach has occurred but also must have a means to notify those impacted by the breach of what specifically was exposed.

Data Transfer. The GDPR places explicit restrictions on transfers of personal information. Corporations must have an enforceable plan to prevent unauthorized data transfers, and the GDPR puts forth stringent requirements regarding data transfers to locations outside of the EU. Whether a data transfer is permissible under the rules of the GDPR will require answers to a series of queries about the content of the information. If PII, or otherwise sensitive information, exists in the data at issue, additional restrictions will be applied, possibly revoking permission for the transfer of that information. An entire file might be improper to transfer under certain circumstances, thereby prohibiting access for persons outside of the EU to view such information. In other instances, a portion of the content of a file might block the permissible transfer; however, if actions are taken to redact the specific content in question, the remainder of the file might be permissible for a data transfer.

What Is Auto-Classification and How Does It Assist with GDPR Compliance?

It is clear that properly managing all data in a corporation’s possession to comply with GDPR regulations is an extremely onerous task for most businesses. The GDPR requirements necessarily create an increased reliance upon automation in order to properly manage the lifecycle of corporate information.

The explosion in the volume of data in the possession of corporations has already led to the advancement in various technologies that assist managing information. Corporate best practices for IG, KM, E-Discovery, compliance and cybersecurity, all provide guidance for the use of technology which help address GDPR regulations. One particular automation technology that will serve as a tremendous asset to corporations struggling with GDPR mandates is referred to as “Auto-Classification.”

Auto-Classification software data mines information at the content level, and then categorizes files based on the information’s substance. This technique is already being utilized by many corporations as part of their IG strategy. Auto-Classification’s ability to group information by category or by specific characteristics will prove useful for GDPR compliance. Similarly, Auto-Classification’s ability to detect the presence of PII and other sensitive content will likely become a best practice when it comes to establishing GDPR protections.

One impediment in complying with GDPR is the vast amount of “Dark Data” currently residing in most corporate networks. Dark data is information existing on shared file servers, or in employees’ email inboxes, whose content or purpose is largely unknown. Auto-Classification helps manage unwieldy unknown information and sheds light on the contents and origins of such data. Corporations utilizing document management systems (DMSs) or enterprise content management systems (ECMs) rely on Auto-Classification to categorize files outside of the document/content management platform, subsequently placing that information into folder-level taxonomies within their systems.

Auto-Classification software uses both pattern-matching algorithms and artificial intelligence to detect file contents and attributes such as: personal information; authorship and origin; type or format of document; and expected retention period. In addition, Auto-Classification technologies are configured to follow a set of customized rules regarding file disposition. For example, a rules-based Auto-Classification system will enforce a specific document’s retention schedule, and then place the file into the proper folder taxonomy structure. Auto-Classification technology specifically meets the GDPR requirements to have a system in place that can detect what information it has, where it lives and how it will be handled under differing circumstances.

With a proper Rules Engine, sensitive information is protected via individual security level restrictions, including limitations based on the geographical location of the user attempting access. Rules are also used to block improper information transfer to locations outside the EU. Furthermore, rules are used to trigger certain events, such as an expiration date associated with certain data which would make such information eligible for deletion.

Conclusion: Advantages Of Using Automation For GDPR Compliance

While compliance with GDPR regulations will be no small task for most enterprises, the use of automation makes the task more manageable. Though not every organization is as proactive as they should be, there is still time for those companies to prepare for the GDPR regulations, and avoid the imposition of fines. Enterprises that have been more proactive in automating their IG strategies are in a better position to comply with the GDPR than others. Companies most likely to avoid fines are those with a DPO in place, who can document the automated steps taken to provide the required protections to personal sensitive data. Similarly, corporations with established IT security protocols and passed audits will have an easier path toward GDPR compliance.

Return on investment is often a key metric required by corporations before they approve expenditure of funds. While companies may have been reticent about investing in IG technology previously, the GDPR requirements serve as a stark turning point to that strategy. The potential for business interruption caused by the GDPR, not to mention its stringent fines for non-compliance, prove out any return on investment calculation several times over. Furthermore, the benefits derived from improved information management techniques assist not only GDPR compliance, but also corporate efficiency and knowledge management capabilities.

Certainly technology is creating some unique challenges for business. Protecting the privacy of individuals is increasingly difficult as the volume of personal data in possession of corporations continues to explode. However, through intelligent use of a proper combination of people, process and technology, the challenges of GDPR compliance can be adequately met. Conversely, waiting for the deadline of May, 2018 to approach without taking steps to address that challenge could prove very costly.

Lack of preparedness for GDPR is an alarming concern. According to a Symantec survey in 2016, “91% (Ninety-One Percent) of 900 business IT decision makers polled in the U.K., France, and Germany have serious concerns about their ability to be compliant by May 2018.” The attention paid to the looming threat from the GDPR’s effective date, May 25, 2018, will only grow as that date approaches.

About the Authors
Ms. Serkes is President & CEO of Valora Technologies, a leading provider of document, data and content analytics solutions for Information Governance and eDiscovery. One of the company’s original founders, Ms. Serkes takes a very active, day-to-day executive role in the company. In her tenure, Valora has successfully landed some of the most prominent corporate, legal and government clients in the world. A Harvard Business School MBA and MIT graduate, Ms. Serkes is a frequent industry speaker and panelist.
Joe Bartolo, J.D., Senior Solutions Consultant for Valora Technologies, is a former litigator in New York State, with 11+ years of experience working for eDiscovery providers. Joe is a VP in the Metro New York Chapter of ACEDS, and is the Co-Chair of their Educational Committee. Mr. Bartolo is a former working group leader in the EDRM, and has instructed continuing legal education courses about eDiscovery and information governance throughout the United States. Joe received a Juris Doctorate Degree from Rutgers School of Law – Newark in 1992, and a Bachelor of Arts Degree in Political Science from New York University in 1989. Follow Joe on Twitter @joseph_bartolo.

Spring 2017 Thought Leadership Update

Valora in the News

DTI completes its strategic investment in Valora, marking AutoClassification’s coming-of-age, and a clear commitment to investing in leading-edge Information Governance solutions.

Webinars, Events, and Appearances

The long awaited book by numerous industry luminaries features Sandra Serkes’ chapter on “Predictive Analytics for Information Governance.” Order your copy here.

Featuring Sandra Serkes and Nick Inglis, Information Coalition President

Sandra Serkes
Valora Technologies CEO

Valora showcased AutoClassification by Matter Name with live PowerHouse & BlackCat demos

Featuring Sandra Serkes and Eugenia Brumm, HBR Consulting

Valora Product Updates

  • Rules Engine now supports Data Driven Rules, which automatically generates rules from data lists, retention policies, and corporate databases and ERP systems.
  • New tunable Confidence Level Rankings available for all metadata extraction and rules dispositions in PowerHouse. Tune processing to your level of comfort!
  • Full integration with Tesseract OCR from Google, versions 3.0 & higher, for better text recognition and search results.
  • AutoRedaction now supports full, partial, transparent and blackbar redactions, with full or black & white TIFF images.

  • Point of View Pivoting toggles the center of reference across any important attribute, such as Document Count, Employee Count, Incident or Location.
  • Automatic link support from HR and ERP systems, such as UltiPro, take users directly from a database record to the supporting documentation behind it.
  • Custom maps display geographic data across a wide array of visualization options, from global to street-level, with many custom options.
  • Global editing lets users make single metadata changes or additions and have them apply everywhere applicable.

CMS Wire – April 12, 2017 – The Information Governance Supporting Software Market Heats Up


Just a few years ago, only a handful of companies were talking about achieving information governance. Often, it was despite their current set of tools and software. They discussed workarounds — workflow tools — used like duct tape to the enterprise, piecing together a strategy.

Fast forward to today.

Dramatic Changes in Information Governance World

Those visionary smaller software companies that saw and embraced the opportunity are growing up. Companies like Valora Technologies, RecordLion, FileFacets, Adlib Software and so many others are now reaping the rewards. And larger players who expanded their offerings, companies like IBM, Box, Microsoft, Alfresco and others, are seeing those investments begin to pay dividends.

We can see it in the news: Valora Technologies received a large investment infusion from DTI in late March. Only a week before, Gimmal purchased RecordLion to expand its offerings, a purchase likely paid for with an undisclosed investment infusion it received earlier in the year.

Late last year, it was FileFacets that received $4 million in Series A funding.

Buckle in for a wild ride.

Don’t Call It the Information Governance Market

Let me be clear: information governance isn’t a piece of software or technology, it’s a strategy. So before anyone says “Information Governance Market,” let’s remember that there really is no such thing, since there is no technology solution to a strategy problem.

However, to implement information strategy, one needs supporting technology — so the market could be more accurately defined as the “Information Governance Supporting Software Market.” It is that information governance supporting software market that is absolutely red hot right now and will only grow in the years to come.

The Information Coalition defines information governance as,

“The overarching and coordinating strategy for all organizational information. It establishes the authorities, supports, processes, capabilities, structures, and infrastructure to enable information to be a useful asset and reduced liability to an organization, based on that organization’s specific business requirements and risk tolerance.”

Companies can no longer afford to separate their various information-focused disciplines. Records managers cannot fight over the same information that the data scientists are using, which legal and compliance are also tapping into. A unified strategy must emerge, and that strategy is Information Governance.

When your company is ready, a new and maturing software market is ready for you.

About the Author

Nick Inglis is president of the Information Coalition and co-founder of The Information Governance Conference. He is the author of the AIIM SharePoint Governance Toolkit and creator of the Information Governance Model.


eDisclosure Information Project – April 6, 2017 – DTI invests in Valora Technologies for AutoClassification, predictive analytics and data mining

By Chris Dale

The merger last year of DTI and Epiq made one of the largest and most significant players in the global legal technology market. I recently interviewed Keith Conley, President and COO at DTI, who emphasised (among other things) the in-house capability of the merged business to provide in-house processing with DMX. The implication was that DTI / Epiq would bring its resources to developing and enhancing technology and not just to using it.

That intent is further evidenced by the announcement last week that DTI has made a strategic investment in Valora Technologies. Valora has long been a significant name in auto-classification, predictive analytics and document data mining technologies for information governance, eDiscovery and Records Management. It has remained narrowly focused in this niche area, becoming a respected specialist in its field. DTI’s investment is described as “the beginning of the coming-of-age of auto-classification” as well as evidence of DTI’s commitment to the technology behind information governance solutions.

Sandra Serkes, CEO of Valora said:

“Our mission is to transform the creation and utilization of rich metadata for mission-critical information management purposes, such as large content migrations, file cleanups, remediation, classification and compliance.”

It will be interesting to see how this develops.

There is a press release about this here.


About Chris Dale

Chris Dale has been an English solicitor since 1980. Dale runs the e-Disclosure Information Project which collects and comments on information about electronic disclosure / eDiscovery and related subjects in the UK, the US, AsiaPac and elsewhere.


e-Discovery Journal – March 30, 2017 – DTI Invests in Valora Autoclassification

By Greg Buckles

It seems that I was not the only one interested in how Valora’s PowerHouse could address the sprawling corporate digital landfills. DTI has made a minority investment in Valora to provide the functionality to their Information Governance clients. In the M&A world, a minority investment from what is essentially a giant channel partner is ‘neither fish nor fowl’ to use a 17th Century idiom for something that is not easily categorized. We understand acquisitions, but Valora remains an independent organization from DTI and maintains its woman-owned status. The real question is how this will affect the nascent partner channel that Valora had just started to cultivate. Will DTI competitors be willing to use PowerHouse when they imagine that DTI can undercut them on the license fees? Will Valora essentially become a captive technology that is resold exclusively as a DTI service? This is essentially what happened to Patterns when FTI acquired Attenex. I don’t think that DTI’s investment comes at the price of Valora’s independent status, but I do think that the Valora team will have to work a bit harder to reassure potential channel partners or non-DTI customers of that fact. This investment confirms my new webinar slide (below) that shows DTI having the largest number of acquisitions/investments in the eDiscovery market. Early M&A Impact poll and interview results are starting to paint a picture of the concerns facing consumers when their provider is acquired or takes a large investment that changes their Go To Market strategy. So take my poll to see the results and join the ILTA webinar by Duane Lites and myself on April 12th to hear our take on how the eDiscovery market is consolidating and how you can mitigate the risks.

Stay skeptical my friends!



About Author

Greg Buckles wants your feedback, questions or project inquiries at He solves problems and creates eDiscovery solutions for enterprise and law firm clients. His active research topics include analytics, mobile device discovery, the discovery impact of the cloud, Microsoft’s Office 365/2013 eDiscovery Center and multi-matter discovery. Recent consulting engagements include managing preservation during enterprise migrations, legacy tape eliminations, retention enablement and many more.

Greg’s blog perspectives are personal opinions and should not be interpreted as a professional judgment. Greg is no longer a journalist and all perspectives are based on best public information. Blog content is neither approved nor reviewed by any providers prior to being posted.



Press Release – March 29, 2017 – DTI Makes Strategic Investment In Valora Technologies


Global eDiscovery and Legal Services Market Leader Invests in AutoClassification Information Governance Pioneer

Atlanta, GA and Bedford, MA – March 29, 2017 – DTI, a global legal process outsourcing (LPO) company providing eDiscovery, management services, litigation support, and court reporting, and Valora Technologies, Inc., the leading innovator in AutoClassification, Predictive Analytics and Document Data Mining Technologies for Information Governance, eDiscovery, and Records Management, today announced that DTI has successfully completed a strategic, minority investment in Valora Technologies, Inc.  The investment marks the beginning of the coming-of-age of AutoClassification and the clear commitment of DTI to invest in leading-edge Information Governance solutions. Learn more.


LegalTech News – March 29, 2017 – DTI Looks for Next Step E-Discovery, Info Gov with Minority Investment in Valora

The investment allows Valora to focus on technology development over services, while DTI’s clients get access to data classification technology.

By Ian Lopez

E-discovery is a buyer’s market, defined by large companies like LDiscovery and OpenText buying up industry players to enhance their own service delivery. But the biggest purchase monetarily in 2016 was made by DTI, which bought Epiq in a deal valued at $1 billion that merged the two companies.

The company’s investment aspirations, though, did not stop there. Today, DTI announced a minority investment in Valora, a Bedford, Massachusetts-based technology and services company focusing on a variety of legal document management tasks.

As part of an investment round in which Valora accrued $1.75 million in equity funding, the investment allows DTI and Epiq clients access to Valora technology for automated data classification and data mining. For Valora, the investment allows the company to shift resources toward technology development, part of an existing plan to focus more on technology than services. Neither company would comment on the financial specifics of the investment.

Valora will remain an independent company, and it had a relationship with DTI prior to the investment, auto-coding documents for in-house company and e-discovery projects, Kevin Jacobs, vice president of mergers and acquisitions at DTI, told Legaltech News. He noted that DTI was currently working on “active proposals” to provide Valora, and that the technology was already available to some clients.

“The purpose of the investment is to help advance the development in [Valora’s] categorization engine” to make it more product-focused, Jacobs added. Primarily a technology-enabled services company, “they kind of eat their own cooking if you will, and so we wanted to expand the product. We needed the product to be more market facing, and to streamline some of the processes to make sure it’s super effective for us to provide the services for our clients.”

In terms of DTI’s investment strategy, the company wants the technology to make the company “part of the day to day process of data management and compliance,” for clients, Jacobs said. He added that the company is “certainly looking” at other technologies but not discussing them at this time.

Valora’s “auto-classification” technology automates different tasks on the legal workflow, applicable to e-discovery, records management, litigation and information governance, for which it was chosen as a finalist for different categories at the annual InfoGovCon event in 2015 and 2016. Prior to the investment, the company was primarily “provisioning services on [its] technology core,” Valora CEO Sandra Serkes told LTN.

“What’s starting to happen is there’s more and more demand for the technology itself,” she said.

Among Valora’s services are document coding, review, intake and visualization; analytics; and hosting. DTI’s services include litigation support, court reporting, and managed services.



Nasdaq GlobeNewswire – March 29, 2017 – DTI Makes Strategic Investment in Valora Technologies

Investment makes Valora’s pioneering AutoClassification and information governance technology available to DTI and Epiq clients

ATLANTA and BEDFORD, Mass., March 29, 2017 (GLOBE NEWSWIRE) — DTI, a global legal process outsourcing (LPO) company providing eDiscovery, management services, litigation support, and court reporting, announced that it has completed a strategic, minority investment in Valora Technologies, Inc. Valora is a leading innovator in AutoClassification, predictive analytics and document data mining technologies for information governance, eDiscovery, and records management. The investment underscores the commitment DTI has made to investing in leading-edge information governance solutions.


ComplexDiscovery – March 29, 2017 – DTI Makes Strategic Investment in Valora Technologies

Investment Makes Valora’s Pioneering AutoClassification and Information Governance Technology Available to DTI and Epiq Clients

ATLANTA, GA and BEDFORD, MA – March 29, 2017 – DTI, a global legal process outsourcing (LPO) company providing eDiscovery, management services, litigation support, and court reporting, announced that it has completed a strategic, minority investment in Valora Technologies, Inc. Valora is a leading innovator in AutoClassification, predictive analytics and document data mining technologies for information governance, eDiscovery, and records management. The investment underscores the commitment DTI has made to investing in leading-edge information governance solutions.


March 20, 2017 – Webinar – Tomorrow’s Information Governance: Planning the Path Forward

Join industry leaders and experts Sandra Serkes, Founder, President & CEO of Valora Technologies, and Nick Inglis, CIP, IGP, President of the Information Coalition and Co-Founder of InfoGovCon, as they outline and discuss planning the Information Governance path forward.

