In a word, no. Two years before GDPR came into effect in May of 2018, the EU's General Data Protection Regulation was announced to the public in early 2016. In the span of four years, then—from announcement through current day—corporations report they are approximately half-confident they can identify and mitigate risk.

Half is not that great. It's especially not great considering that two years of preparation were built in, followed by two years of enactment, and that we are about 12 months past the "year of enforcement," with big fines levied on British Airways, Marriott, Google and countless mid-sized companies. Add to this that, for the past three years, Chief Legal Officers have reported to the ACC that compliance with changing regulations, data privacy and cybersecurity are their top concerns, and we definitely need to investigate why legal departments aren't doing better.

The advent of GDPR and its global progeny—i.e., the California Consumer Protection Act (CCPA) which will shift into active enforcement this July—is logical. In just the timespan of four years since the announcement of GDPR, we have increased our data generation by over 4,000%—and while most of it (70%) is generated by individuals, almost all of it is stored by enterprises (80%).

Of the things we know, we know: 1) data volumes will continue to increase at an exponential rate, 2) companies will store more of it, and 3) more regulations will come into existence to control what companies can do with data. And yet the 2020 ACC Report, published this January, reports that 40% of companies are not confident they can even track changing regulations, and almost half have zero-to-low confidence they can act to mitigate risk if they can identify it. Acting to mitigate risk, if it needs to be said, is a vital component of compliance.

Why are legal departments failing on what appears to be their most important issue—and what can they do about it?

Facing new regulations and emerging risk is critical, and this can be accomplished via better data governance, business process-compliance and technology adoption—but the sheer volume of data, the preponderance of ROT (redundant, old, trivial) data, and the proliferation of new data types have made our manual processes of managing it dead on arrival. Legal departments need technology that can do this—specifically legal technology—but this historically has not been an area of focus for the department.

As it so happens, law firms—though continuing to also improve—have some time-tested experience in data governance from which their legal departments can learn: how to develop policy and process, what technologies are available, and how to achieve adoption to make it all work.

Document management, new to many corporate legal departments, is a great example of what legal departments can learn from law firms. And, as it so happens, it is one of the foundational elements for legal departments to improve their ability to mitigate risk and comply with changing regulations.

Just like law firms, legal departments must now govern data, which means implementing policy and process over data. But you cannot implement a process or policy over data if the department or firm does not know it possesses it. Lawyers storing documents outside of a document management system expose the firm to multiple layers of risk because it is impossible to impose manual, draconian processes onto the volumes of data we now must manage. A lawyer who stores documents where they cannot be managed by technology might as well throw the manila folder out the window and expose the enterprise to the same financial, ethical, regulatory and security risks.

This is the foundational level. Even when filed in the document management system, there's a lot of ROT, as well as many new data types being created in new applications including disruptive cloud applications—most of which are created in siloed repositories—with personal and sensitive information likely lurking throughout all of it. It simply isn't possible to identify and mitigate these risks without better technology.

One of the problems is the lack of perceived value of technology in the legal department. Just as in law firms, most technology is not perceived as valuable if it is not directly related to the delivery of legal services, and so it is difficult to make the business case for it, and even more difficult to get lawyers to adopt it.

However, when it comes to exposing the entire enterprise to risk, the business case is clear, and a way to sell the importance of the required types of technology is "interoperability." This is a category of technology that does have high perceived value: the technologies that enable the many different types of systems in the department to work together.

In 2020, the most important category of interoperability will be related to data challenges: being able to secure it, be compliant with it, and optimize it. This is good news for technology vendors that facilitate implementing information governance policies and processes.

The great news is that technology adoption is a trend for the legal department, with just under half making greater use of the legal technology solutions they already have in house. Legal departments can benefit from ensuring the business case is made for improving regulatory compliance—starting with data governance—tackling risky behavior, and equipping those responsible for controlling enterprise data with the tools they need to be successful.

This means, in addition to making better use of technologies, key productivity enhancements between different functions in the department need to happen. Risk mitigation is not a game of hot potato where only one person loses, and it's time for convergence between the internal data experts, because the last thing that is certain about data is that we've only just begun.

Christopher Zegers is the Director of Consulting for the legal division of IVIONICS. Prior to IVIONICS, Chris was the CIO of Lowenstein Sandler.