You Can’t Have Legal GRC Optimisation Without Data Management Improvement

– By Nick Rich, Head of Corporate Engagement UK&I at Exterro

Effective data management is no longer an optional extra, but a fundamental part of organisational strategies. Good data analysis allows companies to make informed decisions and create reality-based plans. From enhanced customer experiences to streamlined administrative operations, effective analysis is key to identifying areas for improvement and innovation – and analysis depends on data management.

However, while it’s easy to get caught up in the opportunities data offers, organisations must tread with caution. If captured, kept, or used wrongly, data can end up doing more harm than good.

Typically, more data means more risk. Each increase in the amount of information an organisation holds makes that information more expensive and harder to store and manage safely, adding administrative burden and cost. It also becomes harder to apply best practice across the whole estate, raising the likelihood of, for example, a data breach.

We’ve seen this evidenced time and again in recent years through the large number of high-profile cyberattacks, a concerning trend that regulators have tried to counter by introducing new regulations. While these are necessary to reduce complacency about data protection compliance and to push organisations to actively reduce their exposure, compliance is not always easy for companies to achieve.

In particular, the legal GRC teams tasked with responding are coming under growing pressure. From privacy and compliance to data inventory and discovery operations to cost analysis, legal departments have more to deal with today than ever before. These strains are not expected to ease soon; rather the opposite.


As data volumes and formats grow, regulatory change is expected to accelerate, bringing with it new innovations and technologies and creating additional layers of complexity in managing data privacy. According to ACC and Exterro’s 2022 Chief Legal Officers (CLOs) Survey, 60% of Chief Legal Officers felt that there would be a rise in privacy-related regulatory enforcement.

Meanwhile, company executives have simultaneously started to demand a greater understanding of the inner workings of legal teams to determine operations efficiency, cost effectiveness, and potential areas for improvement.

As a result, legal GRC teams are facing a perfect storm that is only expected to become more volatile moving forward. To manage these pressures and ensure compliance, it is critical that organisations get their data management houses in order as soon as possible.

Embracing process transformation through technology

Technology will undoubtedly be vital in helping to reduce the burdens on legal GRC teams. Thankfully, there are a variety of solutions capable of undertaking much of the heavy lifting when it comes to addressing privacy, helping firms to achieve compliance and reduce litigation risks.

In the case of e-discovery, for example, artificial intelligence is already being leveraged to great effect. Document review is a highly time consuming and laborious process that is ripe for automation. By ensuring repetitive tasks such as these are completed (or at least drafted) by AI engines, employers benefit from greater efficiencies and effectiveness while employees are freed up to focus on higher value tasks that are more engaging. 

In the future, it is also likely that AI engines will grow into fully fledged virtual partners that take on a greater role alongside governance and legal GRC professionals. Instead of simply expediting repetitive tasks, these professionals will be able to lean on such technologies to guide e-discovery projects, further reducing workloads.

However, while the potential for AI in legal GRC is immense, the application of these technologies should not be thought of as a silver bullet resolution for all the challenges facing legal GRC departments. 

For AI to work effectively, it must be deployed thoughtfully. That means being built upon the right foundations and provided with the right environment to thrive in. Data quality is fundamental to this. It needs to be not just accessible in adequate volumes, but highly reliable so it can accurately inform machine learning models. Without this baseline, any intelligent technologies will ultimately fail to develop the intelligence required to generate informed and correct outcomes.

Four steps to improving data management processes

Firms must improve their data management processes as a priority. With the right policies, organisations will be well placed to ensure that increasingly critical data functions become both easier and less time-intensive while successfully bolstering regulatory compliance and reducing risk.

But how exactly can organisations bolster their data management processes? 

First, they should develop a comprehensive data inventory that paints a detailed picture of their overall data footprint. Data-associated risk can only be assessed with total insight. If you don’t know what you’re collecting, how you’re collecting it, or how it’s being used, then you cannot protect, manage or process that data properly. For this reason, it is critical that firms map out exactly what they hold, from existing processing activities to data subjects, storage locations and retention obligations.

With an inventory in place, firms can then begin to develop data retention protocols, looking at what kind of data they have, what they need to keep, and how long they need to keep it for.

Critically, this must be an open and collaborative exercise that involves all parts of the business, from sales and marketing to legal and IT. Every department will need different data for different lengths of time and for different purposes. Further, in the case of legal, some data needs to be kept on record for set lengths of time to ensure compliance. In discussing and outlining the needs of all stakeholders, retention policies can be developed that are suited to the entire organisation’s needs.

With all departments in alignment and mutually acceptable data retention policies in place, companies can begin to dispose of any redundant data that is no longer needed, working towards data minimisation and storage limitation – a step towards best practice. 

Data minimisation means that organisations collect only the minimum amount of data required to fulfil a specific purpose. Storage limitation means that firms discard data once the purposes for which it is processed have been fulfilled, unless a legal or regulatory retention obligation requires it to be kept for longer. Applied together, both practices dramatically reduce risk: simply put, data you don’t have can’t be breached.

That said, this isn’t the end of the road. To be truly effective, firms must work continuously to keep the data inventory up to date, so that data-associated risks are limited or averted wherever possible.

Doing this manually is not realistic, particularly for larger organisations processing vast quantities of data on a daily basis. Therefore, firms should look to tap into vital technologies to automate key data management processes such as discarding data, developing audit trails and even developing critical insights for quarterly or annual review.

Automated, AI-assisted processes can be more consistent than manual ones, reducing the scope for human error, and they complete tasks at much higher speed, unlocking significant cost and time savings.
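The retention and disposal steps above are a rule-evaluation problem, and a minimal evaluator makes the edge cases concrete: the longest obligation wins when several departments need the same category, a legal hold suspends disposal regardless of age, and data with no retention rule at all is an inventory gap to review rather than something to delete silently. The following is an added example and not Exterro’s product code; the record and rule fields, the category names, the retention periods and the dates are all constructed for illustration and are not real statutory periods.

```python
"""Retention evaluation over a data inventory (added example, hypothetical data model).

Assumed model: each inventory record carries a category, a creation date,
the date its original purpose was fulfilled (None while still in use) and a
legal-hold flag. Each RetentionRule states a minimum retention period that one
department or obligation requires for a category. Nothing here is a real
statutory period; the figures are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class RetentionRule:
    category: str
    min_days: int   # minimum time to keep, counted from creation
    owner: str      # department or obligation requiring it (hypothetical)


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created: date
    purpose_fulfilled: Optional[date]  # None: still processed for its purpose
    legal_hold: bool = False


@dataclass(frozen=True)
class Decision:
    record_id: str
    action: str   # "dispose", "retain" or "review"
    reason: str   # audit-trail text explaining the decision


def effective_rule(rules: List[RetentionRule], category: str) -> Optional[RetentionRule]:
    """When several departments need a category, the longest obligation wins."""
    matching = [r for r in rules if r.category == category]
    return max(matching, key=lambda r: r.min_days) if matching else None


def disposal_date(record: Record, rule: RetentionRule) -> Optional[date]:
    """Earliest date the record may be disposed of, or None while still in use.

    Storage limitation: not before the purpose is fulfilled.
    Retention obligation: not before the minimum period has run from creation.
    """
    if record.purpose_fulfilled is None:
        return None
    return max(record.purpose_fulfilled, record.created + timedelta(days=rule.min_days))


def evaluate(records: List[Record], rules: List[RetentionRule], today: date) -> List[Decision]:
    """Produce one auditable decision per record."""
    decisions = []
    for rec in records:
        if rec.legal_hold:
            decisions.append(Decision(rec.record_id, "retain", "legal hold in place"))
            continue
        rule = effective_rule(rules, rec.category)
        if rule is None:
            # Unclassified data is an inventory gap: flag it, never delete blindly.
            decisions.append(Decision(rec.record_id, "review",
                                      f"no retention rule for category '{rec.category}'"))
            continue
        due = disposal_date(rec, rule)
        basis = f"{rule.owner}, {rule.min_days} days"
        if due is None:
            decisions.append(Decision(rec.record_id, "retain", "still processed for its original purpose"))
        elif today >= due:
            decisions.append(Decision(rec.record_id, "dispose", f"eligible since {due.isoformat()} ({basis})"))
        else:
            decisions.append(Decision(rec.record_id, "retain", f"until {due.isoformat()} ({basis})"))
    return decisions


def summarise(decisions: List[Decision]) -> dict:
    """Counts per action, the sort of figure a quarterly review would want."""
    counts = {"dispose": 0, "retain": 0, "review": 0}
    for d in decisions:
        counts[d.action] += 1
    return counts


# Constructed sample inventory and rules (not real data or real retention periods).
RULES = [
    RetentionRule("payroll", 1095, "hr"),
    RetentionRule("payroll", 2190, "finance"),        # longer obligation wins
    RetentionRule("marketing_lead", 365, "marketing"),
    RetentionRule("contract", 2190, "legal"),
]

INVENTORY = [
    Record("payroll-2016", "payroll", date(2016, 4, 5), date(2016, 4, 30)),
    Record("payroll-2022", "payroll", date(2022, 6, 1), date(2022, 6, 30)),
    Record("lead-2019", "marketing_lead", date(2019, 3, 1), date(2019, 9, 1)),
    Record("lead-2023", "marketing_lead", date(2023, 11, 1), None),
    Record("contract-2017", "contract", date(2017, 1, 1), date(2018, 1, 1), legal_hold=True),
    Record("legacy-export", "unknown_export", date(2015, 6, 1), date(2015, 6, 1)),
]

TODAY = date(2024, 1, 15)

if __name__ == "__main__":
    results = evaluate(INVENTORY, RULES, TODAY)
    for d in results:
        print(f"{d.record_id:15} {d.action:8} {d.reason}")
    print(summarise(results))
```

The decision list is the audit trail: every disposal carries the rule and date that justified it, and every non-disposal says why. In practice the "dispose" decisions would be handed to whatever actually deletes the data, with the "review" cases routed back to the inventory owners.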

The importance of third-party alignment

While these steps will dramatically improve any organisation’s data management processes, it is not just internal practices that firms need to worry about. Today, they must also consider the risks associated with digital supply chains and sharing data – or access privileges – with third party vendors.

Unfortunately, supply chain attacks are increasingly being used by threat actors. Indeed, in June 2022, the NCSC and Aanchal Gupta, head of Microsoft’s Security Response Center, warned that organisations’ growing reliance on third-party and open-source software is likely to drive a further increase in these threats, which have already been behind several major incidents of late, from the SolarWinds and Kaseya compromises to the widespread exploitation of the Log4j vulnerability. It is therefore vital that, in order to protect themselves sufficiently, organisations take the time to ensure that any digital partners operate securely.

Further, there are several data privacy compliance and cybersecurity regulatory issues that can often slip under the radar when it comes to expanding digital supply chains with third party vendors. 

The ability to verify third-party data handling, particularly how data is secured and deleted in core outsourced services such as payroll, is often overlooked. And the fact that many cloud contracts give service providers effective ownership and control over data once it has been moved into the cloud poses challenges for the control of sensitive and personal information.

Importantly, the Information Commissioner’s Office (ICO) can hold a company accountable for data breaches or regulatory violations even when they occur on a partner’s watch. With this in mind, firms must perform due diligence and audits on all partner vendors, vetting their data and security controls and evaluating them against legislation. Again, this shouldn’t be a one-off process; businesses should streamline this aspect of risk management by implementing straightforward, repeatable auditing procedures.

Develop a data-first culture

Implementing the right internal processes and developing the right relationships with the right partners are critical elements in enabling organisations to simultaneously reduce risk and maximise the opportunities associated with data. However, it is important to recognise that these fall within a wider picture.

To mitigate data-associated risks, protect sensitive information and limit/reduce the potential impact of breaches to the greatest extent, organisations should explore broadening their scope and consider other solutions – be it encryption, data segregation or network segmentation.

The wider point underpinning this is the idea that firms must make security a priority in all aspects of the business, ensuring it factors into all key decisions from all relevant stakeholders. 

To create such a culture, education and training are vital. By ensuring that all employees are aware of the importance of effective data management and security, all protocols are more likely to be fully observed and followed.

Today, more than ever, data management is a boardroom issue. How companies protect, manage, use, and secure data can have dramatic impacts on operational efficiency, strategic decision making and, should a breach occur, a firm’s reputation and bottom line. By achieving best practice, firms will be well placed to make data management a competitive advantage and not their downfall.