Leveraging new technologies to fulfil organisational governance, risk and compliance mandates

May 2020  |  SPECIAL REPORT: BUSINESS STRATEGY AND OPERATIONAL PERFORMANCE

Financier Worldwide Magazine

May 2020 Issue


Two years into what has been a seismic shift in the world of data management and data privacy, it is a good time to step back and ask: how has the General Data Protection Regulation (GDPR) been treating you and your organisation? Have you reached a point of compliance, or are you still working out how to get there?

Judging by a 2019 survey, the answer likely varies significantly from company to company. Security testing firm ImmuniWeb found that half of the 100 most-visited websites in the then-28 EU Member States fell short of the GDPR requirements. And those were the websites with the most traffic, run by companies you would have expected to be ready by the GDPR launch date.

When Microsoft opened its self-service data subject access request (DSAR) portal in compliance with the GDPR, it received 18 million data requests in the first year. More than six million of those came from the US, which shows the breadth of this regulation. Two years later, businesses are still struggling with the manpower and labour hours needed to remain compliant.

Neither the risks nor the expenses are sustainable, and few businesses can simply find the budget to hire new employees every time a new regulation arrives. That is why it is important to develop a solution that is efficient, comprehensive, automated and, where possible, built on technologies that are already in place within the organisation.

Legal governance, risk management and compliance (GRC) at your organisation

Corporate general counsel (GC) and chief legal officers (CLO) have noticed for some time that their roles and decisions matter not only to the legal health of the company but, increasingly, to the overall health of the business. The forward-looking CLO or GC will likely have observed, over the last decade or more, the convergence of the multiple facets that make up the overall risk and compliance profile of the business. Their roles are no longer siloed in the legal department. Rather, they help manage the overall enforcement of risk and compliance rules, which means taking a strategic role in the decisions that steer the business toward compliance.

Privacy laws have accelerated that convergence. For example, security and IT teams must now work with legal to determine workflows and deploy technology that enables compliance with these laws. Any solution must be comprehensive enough to cover all regulatory needs, which means that many aspects of business governance are now directed by legal.

The legal GRC efforts of the company represent not just the new landscape for the GC or CLO, but also the convergence of data governance and data management practices between departments within an organisation. Data is what ties all these responsibilities together, and how an organisation collects, stores, uses and secures its data ultimately determines the extent to which that data poses risks, incurs costs and creates value.

For example, within most organisations, many different departments hold sensitive data on customers, employees, third-party vendors or partners, business practices and more. When it comes to DSARs, understanding where this data is stored, how it is being used and having the ability to easily access, collect, review and redact it, is critical to compliance, and it is almost impossible to do this without knowing your data.

Thus, legal GRC is both a way to concisely describe the evolution of business data management practices, as well as an approach to solving cross-functional business challenges related to new privacy regulations, compliance obligations and enterprise risks like data breaches.

Furthermore, it is also a new class of enterprise software, designed to seamlessly orchestrate the tasks and activities required to implement processes to address these business challenges. Business processes, like responding to a DSAR, impact multiple organisational units, including privacy, IT, e-discovery and compliance, and therefore require a much more integrated, holistic approach. Given the thousands of potential pathways that a DSAR might take, an end-to-end technology solution with orchestrated workflows is the most efficient way to manage risks created by data privacy laws.

Your technology solution must support the organisational structure (people) and policies and procedures (process) in place to address these challenges. Just as siloed business units cannot adequately perform in this new environment, neither can single-point solutions, used by only one set of stakeholders. An end-to-end, unified technology platform is best suited to help solve complex legal GRC business challenges.

Your data inventory is the foundation

Logically, the first step to protecting, appropriately using, preserving or eliminating information is to know what you have, where you have it, why you have it, which regulations govern it, and with whom you share it. In other words, you need an inventory of where all your data lives. Without that data inventory, you have limited chances of success in achieving any GRC objective.

Data lives across all areas of all different departments. Often, it lives in places that some employees might not even be aware of, including forgotten Excel spreadsheets and file folders, or perhaps it is simply ‘tribal’ knowledge owned by long-tenured employees.

According to our 2019 In-House Benchmarking Report, if there is an inventory of data at your organisation, it is likely on a spreadsheet rather than a software platform. This may be the norm for now, but it will be extraordinarily difficult for organisations and businesses to maintain compliance going forward if that remains the status quo.

The best way to achieve and maintain a comprehensive, up-to-date data inventory is to use technology with enterprise connectors that can pull disparate data from across the organisation. This means a full sweep of all electronically stored information (ESI), removal of redundant, obsolete or trivial (ROT) data, and a new way of organising and maintaining that data in accordance with not only legal standards but changing business standards. From there, the related processes differ depending on the legal requirement, but this is a great opportunity to establish cross-functional workflow processes.

For example, DSARs require the collection, review and redaction of information. Litigation requires data preservation (a legal hold), collection, review and redaction. These are similar processes, but you will also need to consider other legal hurdles. In particular, you may not be able to execute a request to delete data if that data is on legal hold or subject to other regulatory retention obligations, so the deletion workflow must check for those obligations before anything is erased. Establishing process workflows on the same underlying technology helps make these critical determinations and allows the DSAR, compliance and legal hold processes to work in concert.

You can imagine, then, that the required processes for data retention and remediation, in-place preservation and early case assessment will probably need to change as well. The shift is easier when every piece of technology talks to the others, and that integration helps uncover gaps that would otherwise undermine defensible compliance.

Without a unified technology platform, organisations will continue to face an uphill battle. These recent regulatory changes are not optional: they are mandatory and carry significant penalties for non-compliance.

The Information Commissioner’s Office (ICO) fined a London-based pharmacy £275,000 for excessive data retention and for failing to secure its data: approximately 500,000 documents had been left in unlocked containers at the back of its premises. This is just one of many notable fines for non-compliance. There is no question that fines and penalties resulting from privacy regulations will continue, as organisations in the US will soon come to understand when enforcement of the California Consumer Privacy Act (CCPA) begins on 1 July 2020.

Regulatory challenges represent an increasing risk to businesses

Recent regulatory change has created significant challenges in data management practices that, at some level, affect almost all business operations. Leveraging new technologies that address modern GRC efforts should therefore be a major priority for organisations today.

Today’s legal GRC creates a new way to think about business risk. Compliance is not optional, and without a new way to think about these rapidly evolving risks, and the technology to help solve them, it is going to be increasingly difficult, costly and inefficient for organisations to establish, and maintain, defensible compliance.

Stuart Davidson is European marketing director at Exterro. He can be contacted on +44 (0)203 858 9587 or by email: stuart.davidson@exterro.com.

© Financier Worldwide
