Ready before the fire breaks out: Why companies need eDiscovery readiness at the top | Hengeler Mueller News

Argus Eyes – The Blog on Internal Investigations, Crisis Management and Compliance

'The readiness is all.'¹ What was true for Hamlet is especially true today for management teams and legal departments. In a digital world, legal disputes and administrative proceedings are no longer decided solely in the courtroom but also on servers, in cloud environments and on employees' smartphones.

As soon as there is an inquiry from an authority, a dawn raid or a US discovery order, what may seem like an IT matter becomes an urgent C-suite issue. That is when it matters whether adequate organisational and technical eDiscovery measures have been put into place.

eDiscovery readiness means, in brief, that a company can identify relevant data sources and collect, preserve and review them within a short period and in an auditable manner—with clear governance and documented decision-making at every step.

Technology is necessary – governance matters

When a situation becomes critical, the response in the first few days often determines the course of events thereafter. Anyone who then still has to clarify responsibilities, look for tools or understand data structures loses time—and risks unintentional data loss.

From a forensic perspective, it all begins with data mapping: what data sources exist—and where are potentially relevant data stored? What sounds simple in theory is challenging in practice because data landscapes are fragmented: e-mails, collaboration tools such as Microsoft Teams or Slack, ticket systems, cloud shares, personal mobile devices, backups and 'shadow IT'.

One risk that should not be underestimated in this context is the unintended loss of data as a result of automatic retention and deletion routines, device replacement, chat retention protocols, cloud policy changes or simple 'housekeeping' activities. That is why it must be possible, where necessary, to take technical measures (a 'legal hold' or 'litigation hold') quickly so that relevant data are not erased or overwritten. Particularly where there is a US nexus, the technical implementation of such preservation measures must be carefully documented, as failures can lead to significant disadvantages and even penalties in proceedings before US authorities such as the DOJ.

Establishing eDiscovery readiness is not a perfunctory technology exercise. It is part of management's duties. To ensure the ability to respond, the allocation of tasks and responsibilities among legal, compliance, IT, information security and operating divisions should be defined, documented and practised in advance—including decision-making powers and escalation channels. For sensitive investigations, it is advisable to establish an independent steering committee which, where the significance of the matter demands it, includes a member of management and has clear rules for avoiding conflicts of interest.

Typical weak points – and how to avoid them

1) Make your policies and procedures 'eDiscovery ready'

Readiness depends not only on systems, but also on rules. Are employees allowed to use their mobile devices for work purposes (BYOD)? Is the private use of company e-mail accounts or mobile devices allowed? Which channels of communication may be used?

Without clear IT policies, compliance guidelines and, if necessary, works agreements, investigations can quickly run into conflicts with co-determination rules, employment law, the GDPR and, in certain circumstances, the principle of telecommunications secrecy. This may also undermine employees' willingness to cooperate. The result is delays, limited ability to analyse the data, or additional areas of contention—precisely when speed is of the essence.

Company rules and regulations should be designed such that data can be collected and analysed in a legally watertight manner, without having to address fundamental questions for the first time in the middle of a crisis.

2) Protect legal privilege – both in a German and US context

An often underestimated risk is the loss of legal privilege, which can be especially serious where there is a US nexus (attorney-client privilege and work product doctrine). Here, proper governance is also essential: separating privileged communications, use of adequate disclaimers, access restrictions, involvement of outside legal counsel and/or in-house counsel at an early stage and implementation of communications processes to prevent inadvertent disclosures.

In fact-finding interviews, standardised 'Upjohn' warnings should be given: the attorney represents the company (not the employee); the privilege belongs to the company. At the same time, German standards (professional secrecy, confidentiality, limits under employment law) must also be observed.

3) Stay within the guardrails for data protection, AI and data transfers

The EU's GDPR sets guardrails for the collection and processing of data. Anyone deploying AI-enabled analysis additionally needs proper governance, documentation, appropriate tools, security measures and human review (particularly in light of the EU's AI Regulation). If data are being transferred to the US, further safeguards must be implemented (e.g. standard contractual clauses).

4) Build AI literacy

eDiscovery is virtually unthinkable without the use of AI tools. In recent years, rapid developments in generative AI and large language models, such as OpenAI's ChatGPT, Google's Gemini and Anthropic's Claude, have opened up new possibilities.

This has increased the demands on AI governance and risk mitigation processes. Companies should consider early on whether to develop this expertise internally or to seek external advice.

5) Comms and PR: control of the narrative

Once the investigation is under way, the clock is ticking to get ahead of the story. Listed companies must check whether any ad hoc disclosure obligations are triggered under the Market Abuse Regulation.

Both internally and externally, a 'one voice' approach is the order of the day: centralised co-ordination, need-to-know protocols, agreed talking points, precise clearance procedures and strict confidentiality—with the goal of avoiding leaks, liability risks and reputational harm.


Checklist for decision-makers

  • Governance: Have roles, decision-making processes and quality-assurance procedures for investigations (e.g. four-eye principle) been defined in advance?

  • Data mapping: Is there an up-to-date list of all data sources (including mobile devices, cloud environment, collaboration tools)?

  • Legal hold: Can deletion and retention routines be suspended in systems at short notice and manual data deletion be prevented?

  • Policies: Are policies and procedures, communications guidelines and works agreements 'eDiscovery ready'?

  • Privilege: Have workflows been established to protect legal privilege under US law?

  • AI and data protection: Are AI governance and GDPR compliance in place?

  • External partners: Are there procedures for efficiently engaging outside counsel (forensic specialists, legal advisers, PR firms)?

  • Documentation: Will the organisation, the decisions taken and the procedures followed be documented in an auditable manner?

 

¹ William Shakespeare, Hamlet (Act V, Scene II).