Episode 7: Data privacy considerations in investigations

In the seventh episode of our Inside Investigations podcast series, Jeremy Lua (Counsel, APAC Cybersecurity and Data Privacy, Singapore), Fiona Bundy-Clarke (Counsel, Data Protection and Technology, London), Ashley Kuempel (Partner, Regulations, Investigations, Security and Compliance, Austin), Rita Nader-Guéroult (Counsel, Investigations and Business Ethics Team, Paris) and Rongxin Huang (Partner, Shanghai Pacific Legal, Shanghai) delve into data privacy and security considerations in internal and regulatory investigations, particularly those with a cross-border element. Building upon our previous episode about common data sources and challenges in data collection, this episode explores the significant impact that data protection regulations—such as the EU / UK’s GDPR—have on the necessary collection and processing of large volumes of personal data over the course of an investigation.

Key takeaways from this episode include:

• While conducting internal investigations, it is important for organisations to ensure that they have identified, and are able to rely on, a legitimate basis for processing personal data and to adhere to data principles such as transparency and data minimization in order to comply with data protection laws such as the EU / UK GDPR – failure to adhere to these principles can result in severe regulatory penalties.
• Practical strategies for balancing rigorous data privacy requirements with the necessity of conducting robust, defensible investigations, including careful formulation of search terms and the implementation of a staged filtering process to limit unnecessary processing of personal data.
• Insights into navigating complex cross-border data transfers in the context of investigations, particularly under the EU / UK GDPR, China's strict data export rules, and France’s Blocking Statute, highlighting jurisdiction-specific risk mitigation strategies.
• Guidance on responding to requests from foreign regulators, particularly U.S. authorities, emphasising the importance of demonstrating good-faith efforts, engaging local counsel, and managing regulatory expectations through transparent dialogue.

Our discussion underscores the importance of a structured and methodical approach to handling personal data in investigations to maintain compliance across multiple jurisdictions and mitigate exposure to regulatory scrutiny and penalties.

Join us for further episodes as we continue to explore critical issues in investigations, including employment law considerations and effective interviewing techniques.

Related resources:

• GDPR Checklist

• China proposes to ease cross border data transfer restrictions

• Norton Rose Fulbright's 2025 Annual Litigation Trends Survey