GDPR – A Catalyst for Information Governance Programs
Information governance (IG) is no longer simply an efficiency opportunity. It is a critical framework for your organization’s approach to managing information that needs to be consistently updated as laws, practices, and technology continue to rapidly change. Successful IG programs for organizations support four major value propositions:
- Cost containment - lead to reductions in offsite/onsite storage, supplies, and eDiscovery costs
- Collaboration - support and enhance knowledge management efforts and cross-department/practice information sharing
- Client satisfaction – improve client response timeliness, promote efficient case management, and lead to a competitive advantage through practice modernization
- Compliance & risk mitigation – satisfy ethical, regulatory and industry requirements, backed by the implementation of information security best practices
If these four drivers were not reason enough to commit resources to an IG program, the General Data Protection Regulation (GDPR) certainly is. GDPR is the catalyst IG professionals have needed. With major fines on the line, along with the ability to keep doing business with the European market, getting your house in order is no longer optional; it is a mandate.
“Information Governance is an organization's coordinated, inter-disciplinary approach to satisfying information compliance requirements and managing information risks while optimizing information value.” – The Sedona Conference.
IG programs break down siloed processes and allow organizations to make “eyes wide open” decisions on data governance with participation from all key stakeholders, representing:
- Business – people who create value for the organization; you can't maximize the effectiveness of your employees without understanding the core business needs
- Privacy and security – people who make sure information is protected, including by proper security controls; you can't protect it if you don't know what it is
- Information Technology (IT) – people who have a stake in making sure electronic content is optimized and aligned with user needs
- Records & Information Management (RIM) – people who ensure retention policy enablement and compliance
- Legal and risk – people who take actions that defend the best interests of the organization through official policy approval and defensible practices
This cross-functional team of business function owners and staff is tasked with creating and enforcing IG policies, including data privacy terms that establish a foundation for GDPR compliance. The GDPR, which replaced the 1995 EU Data Protection Directive, provides uniform European privacy rules and applies to all entities established in the EU, as well as to organizations outside the EU that offer goods or services to, or monitor the behavior of, individuals in the EU, whether those individuals are customers or employees. It raises the maximum fine for non-compliance to the greater of 4% of annual worldwide turnover or 20 million Euros. It requires a documented lawful basis for every processing of personal data (consent being one such basis, and where it is relied upon it must be freely given, specific, informed and unambiguous), and it shifts control over personal privacy from the organization to the individual.
Several provisions of the GDPR bear directly on IG, including the storage limitation principle, the data subject's right of access, and the data subject's right to erasure (the “right to be forgotten”). The storage limitation principle (Art. 5(1)(e)) is especially interesting to IG professionals because it requires that personal data be kept in a form that permits identification of a data subject for no longer than is necessary for the purposes for which the data are processed. Simply put, you must delete personal data when you no longer need it. To act on this principle, the traditional retention policies of global law firms are often in need of a refresh: it is common for them to be executed only against physical records, and to establish only minimum record-keeping periods based on the jurisdictions in which the firm does business. To be GDPR compliant and act on the storage limitation principle, it is now critical to identify a maximum record-keeping period for personal data and to execute retention regardless of media format, since the majority of data is stored electronically.
GDPR Art. 15 gives data subjects a right of access to their personal data and requires data controllers to provide a copy of it free of charge (a reasonable fee may be charged only for further copies). The controller must respond without undue delay and within one month of the request, extendable by a further two months for complex or numerous requests (Art. 12(3)), and the response must cover a long list of categories of information: the purposes of processing, the categories of data and recipients, the envisaged retention period, the source of the data, and more. You can't become GDPR compliant with IG policy documentation alone; you need supporting technology, processes, and human resources. For example, you can't execute on the right to erasure if you don't know what you have, where it's stored, or the value of the information to the organization and to the data subject.
A well-executed IG program centralizes the focus on data governance and prepares your organization to identify risks and the gaps (often significant) between current and desired state. Implementing a long-term IG strategy reaps the benefits of containing costs, enhancing attorney/staff collaboration, improving the client experience, protecting the organization from risk, and meeting regulatory requirements such as GDPR.
About the Author: Scott Mahoney serves as Director for Records and Information Management (RIM) practice for Epiq’s law firm clients. With more than 14 years of experience, Scott provides consulting and project management services, including oversight and support of outsourced RIM operations and the design and implementation of practical RIM programs aligned with firm culture and strategic goals. Scott’s guidance to law firms includes performing site assessments, creating policies and procedures, evaluating and implementing records software, and creating electronic workflows as firms migrate to a reduced paper environment. Scott and his team of SMEs enhance RIM programs by implementing best practices and efficiencies to reduce risk and improve firm operations. Scott has experience in the legal environment having worked directly for law firms and in the outsourced environment.