Once a law firm understands why data minimisation is important, it’s time to act by putting policies and actions in place that deliver a data minimisation strategy. In this second article on the topic, Chris Giles suggests how firms can tackle this pragmatically and effectively.
Every day, in every way, your firm is accumulating data that needs to be managed. And, as outlined in the first article, your firm is at increased risk if you hold excess data.
You present a juicier target to cybercriminals. You have an ever-growing list of OCGs, regulatory obligations and professional requirements to fulfil, and that becomes more challenging the more data you hold. The costs of electronic data storage and hard copy storage are rising, and there’s a danger that as the volume of data held by the firm increases, it starts to impede operational efficiency. If you haven’t already done so, your firm needs to take control by imposing a firm-wide data minimisation strategy to mitigate its risks as well as underpin resilience and competitiveness. What does that look like in practice?
Interested parties
One of the challenges of data minimisation is that data can belong to everyone and no one in the firm. There are several interested parties, including the Director of Information Governance, the Director of Risk, the Director of Conflicts and Records, the Data Protection Officer, the Chief Information Security Officer, the General Counsel, the Records Manager, and the Chief Information Officer. Someone on this list needs to start making the case for data minimisation in the C-suite among the CIO, CISO, COO, and General Counsel. Without top management leadership, any strategy is likely to be piecemeal and short-lived, which is the very opposite of what you need. Also, only top management has the clout to ensure that a strategy has the necessary firm-wide scope and gets the necessary resources.
Understanding data minimisation
Next, it’s useful to increase general awareness of data minimisation among relevant postholders. To get people on board, they need to understand how data minimisation, or its lack, might impact their role and the firm. Awareness will also help recruit members to your new data minimisation taskforce or committee that will develop and mobilise the firm’s data minimisation strategy. This should include representatives from across the firm including HR and finance. It will also likely include the General Counsel, Director of IG or equivalent, CIO, CISO and/or DPO.
The rules of retention and disposition
The committee’s first task is to understand what the firm already has. Do you have now, or have you ever had, a data retention and disposition policy? Are there any disposition schedules? What processes, procedures and controls are already developed? What systems are already in place to deal with data minimisation, and what are their limitations?
The committee needs to understand and map the rules of retention and disposition that apply in the jurisdictions in which the firm operates. You need to note how these vary across the firm’s different practice areas. For instance, different countries have different rules on how long financial records need to be kept before destruction. No matter where you’re practising, the Personally Identifiable Information (PII) of EU citizens can only be retained for a limited period. Conversely, real estate and trademark practices will likely have “wet signature” documents that need to be kept in perpetuity.
Find your way with a map
If the firm doesn’t have one already, you’ll need to do a data mapping exercise. This can be tough at first because of the many dispersed physical and electronic data repositories you might find, including the firm’s document management system, file shares, OneDrive, SharePoint, HR databases, and the firm’s practice or case management systems; not to mention physical records in many forms, including paper files and folders, videos, photographs, blueprints and audio tape recordings, in office filing cabinets, on-site storage and off-site archives.
The mapping exercise includes putting data in systems into a data retention classification structure that reflects the governance requirements around retention and disposition. You also need to understand your data risk profile. How valuable and covetable is the data you hold? For example, hackers have gone to considerable lengths to target M&A practices holding some extremely market-sensitive information.
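To make the mapping and classification step concrete, here is an added example (not from the article, and not any jurisdiction’s actual retention periods) that encodes a small retention schedule as ordered rules, classifies each record in a constructed data-map inventory, computes its dispose-by date, and flags over-retained, perpetual and market-sensitive records. The rule set, the EU country list used as a stand-in for “EU PII”, the retention periods and the records are all constructed placeholders.

```python
"""Toy retention classification over a data-map inventory.

Added example: rules, periods and records are constructed placeholders,
not any jurisdiction's real retention requirements.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Record:
    record_id: str
    repository: str        # e.g. "DMS", "SharePoint", "offsite-archive"
    practice_area: str     # e.g. "finance", "real_estate", "ma"
    jurisdiction: str      # where the matter was handled
    contains_pii: bool
    wet_signature: bool
    closed_on: date        # trigger date for the retention clock


@dataclass(frozen=True)
class RetentionRule:
    name: str
    matches: Callable[[Record], bool]
    retention_years: Optional[int]   # None means retain in perpetuity
    market_sensitive: bool = False


# Constructed stand-in for "EU PII"; a real schedule would key on the data subject.
EU_JURISDICTIONS = {"DE", "FR", "IE"}

# Ordered most-specific first; the first matching rule wins.
# Periods are illustrative placeholders chosen for this example.
RULES: List[RetentionRule] = [
    RetentionRule("wet-signature-perpetual", lambda r: r.wet_signature, None),
    RetentionRule("eu-pii-limited",
                  lambda r: r.contains_pii and r.jurisdiction in EU_JURISDICTIONS, 2),
    RetentionRule("financial-records-UK",
                  lambda r: r.practice_area == "finance" and r.jurisdiction == "UK", 6),
    RetentionRule("financial-records-US",
                  lambda r: r.practice_area == "finance" and r.jurisdiction == "US", 7),
    RetentionRule("ma-market-sensitive", lambda r: r.practice_area == "ma", 7,
                  market_sensitive=True),
    RetentionRule("default-matter-file", lambda r: True, 10),   # catch-all
]


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 Feb to 28 Feb when the target year is not leap."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def classify(record: Record) -> RetentionRule:
    """Return the first rule in schedule order that matches the record."""
    for rule in RULES:
        if rule.matches(record):
            return rule
    raise ValueError("no rule matched")   # unreachable: last rule is a catch-all


def dispose_on(record: Record) -> Optional[date]:
    """Date after which the record is over-retained; None for perpetual records."""
    rule = classify(record)
    if rule.retention_years is None:
        return None
    return add_years(record.closed_on, rule.retention_years)


def review(records: List[Record], today: date) -> Dict[str, object]:
    """Gap report: what is overdue for disposition, what is kept forever,
    what is market-sensitive, and how many records sit in each repository."""
    report: Dict[str, object] = {"over_retained": [], "perpetual": [],
                                 "sensitive": [], "by_repository": {}}
    for r in records:
        rule = classify(r)
        by_repo = report["by_repository"]
        by_repo[r.repository] = by_repo.get(r.repository, 0) + 1
        if rule.market_sensitive:
            report["sensitive"].append(r.record_id)
        due = dispose_on(r)
        if due is None:
            report["perpetual"].append(r.record_id)
        elif due <= today:
            report["over_retained"].append(r.record_id)
    return report


# Constructed inventory standing in for the output of a data-mapping exercise.
TODAY = date(2023, 6, 1)
INVENTORY = [
    Record("R1", "DMS", "finance", "UK", False, False, date(2015, 3, 10)),
    Record("R2", "SharePoint", "employment", "DE", True, False, date(2022, 1, 15)),
    Record("R3", "offsite-archive", "real_estate", "UK", False, True, date(2001, 7, 1)),
    Record("R4", "DMS", "ma", "US", False, False, date(2016, 2, 29)),
    Record("R5", "HR-db", "employment", "FR", True, False, date(2019, 5, 1)),
]

if __name__ == "__main__":
    for rec in INVENTORY:
        print(rec.record_id, classify(rec).name, dispose_on(rec))
    print(review(INVENTORY, TODAY))
```

The ordering of `RULES` is the policy decision the committee actually has to make: the wet-signature exemption sits above the PII rule so a signed deed is never scheduled for destruction, and the catch-all sits last so no record escapes classification. The `by_repository` counts double as the data map, and the `over_retained` list is the backlog that a disposition schedule would work through.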
Data governance requirements
The committee is now getting to the point of setting up cross-departmental teams of process, system and data owners to do a gap analysis. This involves assessing what’s needed, what’s possible with existing systems and processes, and identifying what gaps need to be filled and with what.
It’s often the case that existing systems lack the functionality to allow data to be held in ways that meet retention and disposition requirements. This is because systems aren’t usually created with data governance requirements as a priority. For instance, a system dealing with contracts likely can’t distinguish between contracts that do and don’t include PII. For help, firms can introduce firm-wide information governance platforms like iCompli that can go into multiple data stores and media types to manage data retention and disposition across systems.
Whatever actions the firm chooses to take, the important takeaway is that you should do something rather than nothing. You can’t run from the fact that data will accumulate inexorably unless, and until, you act on data minimisation.
For more on how to instigate a data policy review, join our upcoming webinar. We’ll discuss the advantages of a data minimisation strategy, and in particular focus on why this strategy is of particular importance to a CIO, or the IT budget holder within a firm.
Copyright © 2023 Legal IT Professionals. All Rights Reserved.