Legal GRC: the convergence of privacy, legal and compliance
May 2022 | SPECIAL REPORT: BUSINESS STRATEGY & OPERATIONS
Financier Worldwide Magazine
May 2022 Issue
Data fuels organisations but it also needs effective governance. If it becomes siloed, efforts to manage it can lead to duplication of effort and heighten the risk of non-compliance. This is particularly true of data protection regulations such as the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA), and it is a problem that is set to become more urgent as regulators step up their efforts post-pandemic.
The ‘ACC Chief Legal Officers Survey 2022’ found 71 percent of chief legal officers (CLOs) from finance and banking organisations worldwide expect privacy regulation enforcement to ramp up this year, increasing the pressure to improve compliance.
To fulfil their privacy obligations, businesses need to ensure that they have legally defensible processes in place to safeguard and preserve data, satisfy regulatory demands such as data subject access requests (DSARs) and to carry out incident and data breach notifications in a timely manner.
These requirements now encompass multiple departments – from IT to HR, finance and marketing – which find themselves responsible for critical functions such as data privacy, data security, data retention, litigation and legal operations. Often these departments will need to access the same data, so centralising it and overlaying common processes can create real synergy.
Converging roles
An overwhelming 84 percent of CLOs expect collaboration over compliance and privacy to continue across legal and other business divisions as a result of increased regulations and the need to optimise internal processes. There is also evidence of a convergence in responsibilities, with the majority of those who oversee compliance also overseeing ethics (55 percent), privacy (51 percent) and risk (45 percent). Moreover, many of these professionals want to see more collaboration: of the 20 percent of CLOs who said that compliance did not report to them, 43 percent thought that it should.
The convergence of these responsibilities is now reflected in the form of legal governance, risk and compliance (GRC): a cross-departmental framework for the management of privacy, risk and compliance data that integrates into existing organisational IT infrastructure. As a strategy, it unifies the different people, processes and technologies needed to ensure compliance, reduce risk and optimise operations – and when used with a centralised technology framework, enables those activities to be orchestrated across all departments.
However, as of today, many organisations still have an array of disparate solutions which they have cobbled together to try and meet regulatory demands. The ACC survey found that 43 percent of CLOs did not have a comprehensive data management strategy to ensure compliance, defensibility and security, yet adopting a legal GRC strategy confers numerous advantages.
It does not just rationalise data processes but can also significantly improve turnaround times, make the business more responsive to further regulatory change, and increase engagement with leadership over governance issues. In doing so, it can also help reduce risks associated with financial activity such as M&A and company spin-offs – areas which CLOs say are the most likely to cause the biggest legal challenges but which remain under-resourced.
Where to start
When looking to introduce or improve upon a legal GRC strategy, creating a data inventory is key. Determine where the legal data is, who owns it and has access to it (including third parties such as vendors), whether their certifications are commensurate with their access and which regulations apply. You should also include guidelines to help stakeholders make informed decisions when choosing to remediate or otherwise take action with the data.
This information should all be held centrally over a single system, but be warned, building a comprehensive inventory takes time. The team compiling the inventory will need to track data across the information estate and be familiar with the nuances of different regulations to ensure that data retention processes are compliant.
It is also important to keep the inventory up to date, so periodic review is a must, as is attending to retention guidelines. Most legal impacts are created by data misuse or mismanagement, with litigation and fines arising from retaining too much data through not following retention policy, keeping too little data due to spoliation or loss, or mismanaging user data, resulting in a breach or failure to fulfil a DSAR.
Equipped with the data inventory, the business can now start to connect to each data source within the business, using connectors to integrate with existing legal technology, which then paves the way for the creation of orchestrated workflows – enabling compliance and speedy remediation. At the same time, these connections will help to validate the data, as well as to discover any hidden or ‘dark’ data. This can account for as much as 80 percent of the data on networks and is often the biggest cause of DSARs going unfulfilled.
Building an enterprise-wide legal GRC strategy also means addressing departmental barriers and breaking down silos. To do this, it is necessary to enforce cross-communication and encourage interdepartmental working so that teams are aligned in their processes and their goals. Look at where bottlenecks occur in the process and how these could be resolved and share best practice between teams. And, as with any project, change management is vital to ensure buy-in, so determine roles and responsibilities and assign leaders to spearhead adoption.
Process orchestration
Once teams are aligned and communicating with one another, it becomes possible to focus on process orchestration. This sees the use of automated workflows to fulfil specific requests. Two key examples of processes that benefit from orchestration within data privacy are the DSAR and data breach notification.
The DSAR process is often more time-consuming, expensive and complex than most businesses expected. Indeed, fewer than half of all organisations believe they meet the GDPR’s 30-day request deadline. Fulfilling a request involves a number of steps, such as recording the request, validating the identity of an individual, collating information pertinent to the request and sending any potentially redacted information requested in a secure way. If deletion is requested, it is also important to evaluate whether the information is under a legal hold or another regulatory retention obligation.
It is at this point that the effort put into the data inventory pays dividends because it enables the business to confirm whether data can be remediated in a way that is consistent with the request (usually the deletion of data), or to alert the individual of a regulatory obligation or impediment that prevents the request from being completed.
Automated workflows also come into their own here, creating major efficiencies in DSAR fulfilment by helping ensure timely completion. These see each step of the process customised based on the type of request, the remediation the individual is seeking, which team or individual the step is assigned to, and the duration in days allocated to each specific step. Other technologies, such as data inventory and regulatory or corporate retention schedules for example, then help inform and fulfil each step in the workflow as each team within the organisation completes their respective tasks.
Much in the same way that the DSAR process is best orchestrated with automated workflows, the breach notification process can use them to touch all key stakeholders – legal, compliance, security, IT, records management – to ensure that the right response notification process is implemented. This includes structuring workflow during breach validation and breach investigation processes, and automatically documenting processes with an audit trail to offer to the regulatory authorities that govern the breach.
Under GDPR, data privacy officers have just 72 hours to alert the Information Commissioner’s Office (ICO) of a breach, which includes a description of the nature of the breach, the categories of personal data affected and the approximate number of subjects affected. Running automated workflows in parallel can help meet this deadline and make it possible to demonstrate a legally defensible process. In fact, defensibility is now a priority, with the ACC survey finding that two-thirds of CLOs plan on establishing new processes, while over a half also intend to invest in limiting exposure to litigation and compliance threats.
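The two orchestrated processes described above (the DSAR workflow with its per-step teams and durations, the legal-hold check before deletion, and the 72-hour breach notification clock) can be sketched as a small scheduling routine. The following is an added illustration written for this article, not code from Exterro or from any product; the inventory entries, step names, teams and day allocations are constructed assumptions, and only the 30-day and 72-hour windows come from the text.

```python
"""Toy legal-GRC workflow planner: DSAR fulfilment and breach-notification deadlines.

Constructed illustration for this article; not a real product or library.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed data inventory: where a subject's data lives, who owns it,
# and whether a legal hold or retention obligation blocks deletion.
INVENTORY = {
    "crm":        {"owner": "marketing", "legal_hold": False, "retention_days": 365},
    "payroll":    {"owner": "hr",        "legal_hold": False, "retention_days": 2555},
    "litigation": {"owner": "legal",     "legal_hold": True,  "retention_days": None},
}


@dataclass
class Step:
    name: str
    team: str   # team or individual the step is assigned to
    days: int   # duration in days allocated to the step


# Step templates per request type (constructed; a real organisation tunes these).
WORKFLOWS = {
    "access": [
        Step("record", "privacy", 1), Step("verify_identity", "privacy", 3),
        Step("collate", "it", 10), Step("redact_and_send", "legal", 5),
    ],
    "deletion": [
        Step("record", "privacy", 1), Step("verify_identity", "privacy", 3),
        Step("check_holds", "legal", 2), Step("delete", "it", 5),
        Step("confirm", "privacy", 1),
    ],
}

GDPR_DSAR_DAYS = 30      # statutory response window cited in the article
GDPR_BREACH_HOURS = 72   # notification window cited in the article


def plan_dsar(request_type: str, received: datetime) -> dict:
    """Schedule each step of a DSAR and check the plan against the 30-day window."""
    steps = WORKFLOWS[request_type]
    schedule, cursor = [], received
    for step in steps:
        cursor += timedelta(days=step.days)
        schedule.append((step.name, step.team, cursor))
    total_days = sum(step.days for step in steps)
    return {
        "steps": schedule,
        "total_days": total_days,
        "fits_deadline": total_days <= GDPR_DSAR_DAYS,
        "statutory_due": received + timedelta(days=GDPR_DSAR_DAYS),
    }


def remediate_deletion(sources: list) -> dict:
    """Use the inventory to decide, per source, whether deletion may proceed.

    A source under legal hold is reported as blocked so the subject can be told
    of the impediment instead of the request silently failing.
    """
    deleted, blocked = [], []
    for src in sources:
        entry = INVENTORY[src]
        if entry["legal_hold"]:
            blocked.append((src, "legal hold"))
        else:
            deleted.append(src)
    return {"deleted": deleted, "blocked": blocked}


def breach_notification_status(discovered: datetime, now: datetime) -> dict:
    """Hours left on the 72-hour clock from breach discovery, and whether it has lapsed."""
    due = discovered + timedelta(hours=GDPR_BREACH_HOURS)
    remaining_hours = (due - now).total_seconds() / 3600
    return {"due": due, "hours_remaining": remaining_hours, "overdue": now > due}


if __name__ == "__main__":
    received = datetime(2022, 5, 1)
    print(plan_dsar("access", received))
    print(remediate_deletion(["crm", "litigation"]))
    print(breach_notification_status(datetime(2022, 5, 1, 9), datetime(2022, 5, 3, 9)))
```

The planner makes the article's point concrete: the sum of per-step allocations is compared against the statutory window before work starts, and the deletion path consults the inventory rather than the request, so a legal hold surfaces as a reportable impediment.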
Futureproof processes
Looking to the future, technology will play an increasing role in the implementation of legal GRC with processes that can adapt to changing regulations and even perform cross-border correlation with regulations in other jurisdictions. The transfer of European Union (EU) data to the UK is set to be reviewed in 2025, while the introduction of the CPRA will see the mandated disclosure of data retention with penalties for those that hold data too long and the extension of privacy protection to employees, both of which will hit businesses hard.
To help prepare for these changes, almost half of those questioned in the ACC survey intend to invest in legal technology this year, while over the next two years, 23 percent intend to invest in data privacy, 14 percent in data security and 7 percent in e-discovery (legal hold, collection, processing and review). Interestingly, 6 percent said they were looking to spend in other areas including artificial intelligence (AI). AI and machine learning are likely to make process orchestration even more efficient by refining review, for instance. Patterns recognised in words and sentence structures will determine which documents are most relevant or privileged, allowing documents to be prioritised and giving legal teams sight of the facts sooner.
Yet, the priority right now is making sure that the business has in place a cast-iron data inventory that is routinely updated, a unified legal GRC framework and a single system that integrates with other legal technology to ensure the business can keep up with regulatory demands. Without these, data management is likely to become more fragmented, impacting efficiency and decision making. As a result, the regulatory burden will increase, and with it, the risk of non-compliance.
Simon Whitburn is general manager and vice president of international business at Exterro. He can be contacted by email: simon.whitburn@exterro.com.
© Financier Worldwide