publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/1188906
I L T A W H I T E P A P E R | I N F O R M A T I O N G O V E R N E N C E 22 constitutes personal data expands, having less classification buckets has become a prudent and easier tactic to manage. Specifically, for law firms, it is fair to say that all the information we amass, whether from our client, from our employees, or what we create internally is confidential. This makes for simplified control and retention parameters. When going through a GDPR preparedness exercise with a law firm, the head partner of their privacy group posited the question, "If you put it all in one bucket, does that require more effort to discovery relevant data in the case of a GDPR request?" My answer was, "No, it will require more effort to devise technical segmentation strategies, and these classifications will continually dictate and complicate how we build out future infrastructure." This advice works well for law firms but is not necessarily applicable to other industries where they have more disparate data to control, and buckets where they can classify information as non-sensitive. Another core principle of data governance is restricting data storage to their applicable repositories. Documents and email should be saved to a Document Management System (DMS). Practitioners should have little to no ability to store their document elsewhere. This includes limiting the size of email boxes and promoting, "File it or Delete it" practices. Personal and shared network drives should be avoided or used for transitory purposes and be controlled by strict retention and deletion schedules, so that nothing remains there for longer than necessary. For practice, resource, customer-relationship and financial systems, it is common to leverage Excel for data manipulation and reporting. Ensure that these documents are saved to and shared through the DMS. This may seem redundant, but it is not uncommon for business service groups like Finance, Marketing and HR to avoid using the DMS for a variety of perceived limitations or, ironically, security concerns. Utility, Directives and Enforcement It is equally important that data governance practices include clear directives and easy to use systems for how to properly describe clients, matters, and work product. Despite all the efforts of New Matter Intake Systems, DMS Document Types, Practice Group restructurings, and the like, firms grapple with accurately documenting key information about their clients and their matters. Here we have the adage: garbage in, garbage out. Good data governance practices include proper data curation. All of this is much easier said than done and requires direction and enforcement from the top. Most likely, your General Counsel is the appropriate champion for the cause. They are the risk experts and are placed in that role to advise the Managing Director, who also needs to back the initiatives. History tells us that people will find their own way to work if a practical way is not presented to them, and if they get burned once by a system, for instance losing two hours of document editing, they will avoid or have parallel processes to protect themselves from that system going forward. These parallel processes usually manifest as documents saved to their desktops and emailed to themselves, essentially providing two additional places where data can be compromised, email being the absolute worst place to store redundant copies of information, as they reside on personal devices that can be lost or stolen in an unlocked state. (See Figure 1.) Consequently, in addition to policy and enforcement, you must provide stable, easily accessible systems on which your practitioners can rely. D A T A G O V E R N A N C E F O R L A W F I R M G R O W T H A N D C L I E N T S U C C E S S F I G U R E 1