Regulatory authorities play a crucial role in ensuring compliance with laws and regulations by companies. In the European Union, authorities such as the European Commission’s Directorate-General for Competition (DG COMP) and the European Securities and Markets Authority (ESMA) have extensive investigative powers to enforce competition and financial market regulations. Additionally, the European Anti-Fraud Office (OLAF) and the European Public Prosecutor’s Office (EPPO) play key roles in combating fraud, corruption, and financial crime affecting the EU’s financial interests. While these institutions set overarching enforcement standards, it is important to note that investigative powers and regulatory frameworks can vary across member states, with national authorities maintaining their own enforcement mechanisms alongside EU-level oversight.

Two commonly used methods are dawn raids and information requests, both of which can have a significant impact on a company. The consequences of an investigation are substantial and can have long-lasting effects, including reputational damage, operational disruptions and possible fines or sanctions for violations. For in-house lawyers, it is essential to be prepared for these scenarios, even if they are unexpected. By responding effectively and efficiently to these situations, the long-term impact on the organisation can be minimised. In this article, we discuss how to best manage such situations from a data perspective.

Dawn Raids

A dawn raid, an unexpected workplace search, is a powerful tool used by authorities to gather evidence on-site. During a raid, they can inspect documents, make copies of digital data, and even question employees. These types of investigations can come unexpectedly and require immediate cooperation from the company. This presents both operational and legal challenges for an organisation.

Proper preparation is essential to respond effectively to a dawn raid and minimise its impact. Additionally, good preparation ensures better cooperation. Being unprepared can lead to mistakes, such as refusing to cooperate or deleting data, which can worsen the situation. Both parties benefit from an organisation that is well-prepared for dawn raids.

Internal Agreements and Communication

It is crucial to establish clear internal protocols regarding who needs to be informed if an authority unexpectedly arrives at the reception.

• Receptionists are often the first point of contact. Ensure they are aware of a protocol outlining how to proceed and who needs to be alerted immediately. Ideally, a protocol for each authority.
• Set up a crisis management team that will act immediately in the event of a dawn raid. This team will typically include, among others, an in-house lawyer, chief data officer or data protection officer, compliance officer, and external counsel.
• Establish a communication strategy for how the news will be shared within the organisation as well as externally. Try to prevent panic as much as possible, as this can escalate the situation.

IT Department

The role of the IT department during dawn raids is crucial. The amount of data being stored is growing exponentially. Authorities arrive with modern techniques to seize data. These tools and software assist in searching for, identifying, and copying large quantities of data. The authorities will no longer walk away with boxes filled with physical documents. Here are a few key points to consider:

• Ensure that the IT department has a clear overview of the IT landscape: where data is stored, how long it is kept, and who has access to which data.
• Train the IT team on how they should assist the authorities. They need to be aware of what cooperation is mandatory, what rights they have, and how to respond if authorities exceed their powers or take disproportionate amounts of data.
• During an unexpected workplace search, authorities will seize data. It is important to make a copy of this data yourself or have it made by external forensic experts. Based on the information the authorities possess or do not possess, an internal investigation can be initiated. Additionally, this provides a check on highly confidential information. It may also be necessary to inform relevant individuals within the organisation that, for example, a copy of their mailboxes has been made. It creates uncertainty with an organisation when it is unclear what data the authority has.

The most time-consuming part of an investigation will be after the raid. An internal investigation must be launched into potential wrongdoing within your organisation. In addition to authorities using eDiscovery to identify the relevant documents, the organisation will also need to do this. This will be the difference between chaos and control. With eDiscovery, you can efficiently find relevant data and develop a strategy for engaging with the authorities. eDiscovery can also be used to identify sensitive or privileged business information within the seized dataset. Constructive conversations can then take place with the authorities, where new information can be shared, and a request can be made to remove sensitive or privileged data from the seized dataset.

Information Requests

In addition to a raid, authorities can issue information requests. Companies are obliged to answer specific questions and provide information within a set deadline. While less disruptive than dawn raids, these information requests can be particularly complex and time-consuming. Furthermore, the deadlines are often tight. By responding appropriately, long drawn out processes that could cause significant damage to the company can be avoided.

A structured approach is required when responding to such requests. This starts with a thorough analysis of available data, from which answers can be formulated. Although it may be tempting to start with what you already know, this can lead to a limited perspective where crucial information is overlooked.

The first step is identifying where relevant data is stored and collecting this data. Only then can answers be formulated based on the data gathered. This approach ensures not only that the correct information is used, but also that it can be indicated with certainty when certain information is not available.

eDiscovery can support this process. Using eDiscovery, the data can be processed, analysed, and assessed on different levels. This helps to fully understand the situation and ensures that no important details are overlooked. Furthermore, eDiscovery enables you to use advanced search and filter techniques to quickly identify the most relevant documents. This is essential given that there is often limited time available to respond to an information request. Finally, it is desirable to deliver the requested documentation in a consistent format. Authorities often specify their own rules regarding the format of the documents to be provided. Failing to follow these rules can have consequences.

Conclusion

An investigation by authorities can significantly impact a company. Therefore, being well-prepared and responding correctly without delay is essential. This applies to both dawn raids and information requests. In both scenarios, the use of eDiscovery plays a crucial role. It enables companies to efficiently collect relevant data and build a strong case.

In these situations, knowledge and expertise in forensic investigations and eDiscovery are vital. Having expertise in these fields ensures the integrity of the data. Furthermore, this knowledge is vital when conducting thorough internal investigations. A systematic approach ensures that a company not only complies with the authorities’ demands but also effectively manages legal risks and minimises the long-term impact of an investigation on the organisation.

Authors

Mr. Mathieu van Ravenstein, Partner,

Mr. Damien van Outryve d’Ydewalle, Director and Head of Brussels Office,

Ms. Michelle Hagoort, Cyber and eDiscovery Analyst.