Dawn Raids – Preparations from the IT Perspective

July 3, 2017

Earlier this year the Competition and Markets Authority
(CMA) launched its first advertising campaign, offering rewards of up to
£100,000 to encourage employees in the UK to blow the whistle on potential
cartel activity. This could increase the number of dawn raids – or surprise
onsite visits – to investigate such allegations.

Since authorities are increasingly focussed on electronic
data, dawn raid response plans should have sufficient focus on electronic data,
in addition to addressing legal obligations and providing general guidelines.


Identify IT administrators

One of the key points for dawn raid preparation is to
identify and designate an IT administrator who has the authority to access (and
provide access to) relevant systems and can answer queries from the relevant authorities.

Companies should also ensure that alternative resources are
identified to guarantee that someone with the required skillset will be
available at the time of any potential raid. Being unable to provide the
relevant access will be unacceptable in most cases and may even be seen as

If IT administration or related functions are outsourced, companies
should make certain that their service level agreements provide the required
level of support in the event of a dawn raid.

Data mapping

Completing a data mapping exercise can help to identify potential
issues in advance (e.g. identifying which systems may be difficult to access). Plans
to mitigate those issues can then be put into place.

Creating a data map can also help identify areas of
infrastructure which may be under the control of third parties (e.g. cloud
storage). For those areas, as with outsourcing above, service level agreements should
be reviewed.


Companies should make sure that relevant staff receive
training on what to expect in the event of a raid.

In addition to the legal obligations, employees should also
understand their IT obligations; they must not destroy or delete documents or
emails, or turn off computers.  They
should answer any questions being asked concisely, and should be sure not to
divulge or provide anything further than what has been requested.


Some authorities may have the right to inspect personal
devices found on the premises if they have been used for business purposes.
This would include Bring Your Own Device items such as mobile phones. This can
lead to data privacy concerns should such a device contain a mixture of company
and personal data. Companies should consider ensuring that policies covering this
scenario are written into employee contracts. This issue should also be covered
in training so that employees know what might be expected.

On the day of a raid


Each investigator should ideally be accompanied by a legal
representative and a member of the IT team. Notes should be taken of all
actions performed, questions asked and the relevant responses. This information
can be invaluable, as it is important to understand what data is collected by
the authorities.

Additional IT tasks

As well as providing administrator level access (i.e. access
at an unrestricted level), there are other tasks that IT staff may be required
to fulfil. These may include:

  • answering questions regarding the IT infrastructure
  • temporarily blocking specified email accounts
  • temporarily removing specific machines or servers from the
  • removing and/or reconnecting hard drives.

The authority may request the use of hardware such as
scanners and printers etc. 

After the raid

Compiling and searching

After a dawn raid, the information collected by the
authority should be identified and collected in a forensic and defensible manner.
This data can then be analysed, searched and reviewed to help identify and assess
any potential wrongdoing on behalf of the company or its employees.

The ability to search within a representative copy of the
corpus of documents collected by the authority is useful as the company then
has access to the same documents to consider and assess any exposure.


Using analytic tools can provide a distinct advantage over
parties not using technology and can be key when involved in a race for

Companies can use technology such as email threading or near
deduplication to speed up review. Email threading allows emails forming a
conversation to be considered together, excluding duplicative messages. Near
deduplication can help exclude similar documents from review, or alternatively could
highlight items similar to hot documents.

Conversation mapping could be used to identify if there were
any spikes or dips in activity which may indicate periods of specific interest,
as well as identifying potentially relevant conversations with alleged

Clustering and / or concept analytics could also be used.
Clustering groups together documents with similar themes. This could be used to
exclude groups of non-relevant material or alternatively could identify relevant
material not responsive to keywords. Concept analytics can use a prebuilt corpus
of example hot documents to identify conceptually similar items which could be
highly relevant.


When considering dawn raid preparation plans, companies
should pay particular regard to electronic data. There are points which should
be considered prior, during and after a dawn raid. By being prepared, knowing
what to expect and identifying points of contact prior to any potential dawn
raid, companies can act quickly and decisively to mitigate risk, both during
and following a dawn raid. 

Dr Tristan Jenkinson is an eDiscovery Consultant at Advanced