Five steps for general counsel to get data challenges under control
From protecting sensitive customer data from cyber threats, to complying with data protection laws, corporate information governance (IG) efforts are quickly becoming “must do” projects. While most corporations have bought into the concept of IG, there is little consistency from person to person in how it is managed, and most importantly, how it can be operationalised.
The massive volumes and types of data in today’s corporations put a strain on legal and IT budgets, and further complicate organisational risk. There is little sign of any relief, as the International Data Corporation (IDC) predicts the world’s data will grow by 50 times within the next decade. On top of this, the rising incidence and frequency of data breaches, emerging laws including the EU’s General Data Protection Regulation (GDPR) and the impending impact of Brexit, give a clear indication that companies are facing a rising tide of data challenges.
IG is defined by Gartner as “The specification of decision rights and an accountability framework to ensure appropriate behaviour in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organisation to achieve its goals”. This serves as a reminder that data challenges impact the entire organisation and so should be approached holistically by a team of key stakeholders across departments, yet most IG projects are tackled in silos.
“Don’t let perfection be the enemy of good governance – take small measured steps in the right direction”
Many of the issues that IG projects aim to address – legacy data remediation, streamlining e-discovery, compliant retention, defensible legal hold – ultimately impact the legal department, placing in-house counsel in a unique position to spearhead these initiatives. To help in-house legal teams achieve quick wins for IG projects, there are some important practical steps you should consider:
1. Get the facts: It’s essential for counsel to know where the company’s data – especially the most sensitive data such as employee or customer information – resides within the organisation, and what rules and obligations apply to it. To help prioritise remediation, begin data mapping for areas of the business that are highly litigious, working with key stakeholders to define where the different sources of data reside, how they are used, and where the data is flowing.
2. Secure sponsorship: IG is a cross-stakeholder issue, and requires collaboration of many departments. Finding a single champion can be a challenge, but in-house counsel have an important role to play. Legal is well positioned to partner with the CIO, COO and others to fund and put into action IG policies.
3. Align policies and standards: A review of company-wide policies and standards is another important step. This may include reviewing records management, information security, data protection, legal holds and back-up policies. These policies should address information obligations holistically with clear roles and responsibilities, such as the information steward or information co-ordinator.
4. Align with enterprise-wide process: Another part of ensuring a holistic approach is to incorporate IG policies and practices with other enterprise-wide processes. For example engage with programme teams managing enterprise IT optimisation programmes to ensure litigation, retention, privacy and security requirements are addressed holistically.
5. Build a roadmap: It’s easy to become overwhelmed by IG, especially for multinational corporations in heavily regulated industries. Define the scope and make an action plan that is realistic within the company culture and technology resources so initiatives can be fully and effectively rolled out.
Information cost and risks are growing exponentially. The longer you wait to start your IG programme, the more painful it will be to bring things under control. Don’t let perfection be the enemy of good – take small measured steps in the right direction and most importantly, get started.
