P2P

Spring23

Peer to Peer: ILTA's Quarterly Magazine

Issue link: https://epubs.iltanet.org/i/1496203


Page 48 of 60

In parallel, data minimization is a discipline that can fall between the cracks that potentially exist between several roles: the Director of Information Governance, the Director of Risk, the Director of Conflicts and Records, the Data Protection Officer, the Chief Information Security Officer, the General Counsel, the Records Manager, and the Chief Information Officer. And in the melee of keeping the firm's wheels turning, data minimization's importance gets overlooked. Nor, in an economic climate dominated by inflation and rising interest rates, does it seem like a propitious time to be spending money on abstractions like risk mitigation and compliance.

Yet data minimization processes and systems are not a "nice to have". They should be recognized as a priority for any law firm, both to avoid the dire consequences of cyberattack and compliance breaches, and to reduce the operational costs of slow systems and rising electronic and physical storage. So how should it be done?

What firms should do now

Firms first need to increase their general level of awareness around data lifecycle management, information governance and the value of data minimization. Each firm is structured differently but broadly there's a need to engage all the related stakeholders and then develop an understanding of why data minimization matters.

Of course, some firms will be ahead of the game with an up-to-date information governance policy and an agreed data retention policy and schedule that is conscientiously implemented. For everyone else it's time to look at setting up an internal committee that will likely include the General Counsel, Director of IG or equivalent, CIO, CISO and/or DPO. Their objective is to mobilize a coordinated firmwide data minimization project. The committee should also include representatives from HR and finance.
Together this committee should start with understanding the various retention and disposition policies that exist within the firm, as well as understanding the rules of retention and disposition and how they vary across different departments and practice areas. For instance, real estate and trademark practices will have 'wet ink signature' documents that must be kept in perpetuity. The heads of HR and finance will know how long HR and finance data respectively should be kept in the relevant jurisdictions before destruction. The committee must also fully understand the potential limitations of the systems and processes currently in place.

Find your way with a data map

If the firm doesn't have one already, the committee should direct a data mapping exercise. Bear in mind that the initial picture might be discouraging. It's generally the case that when systems were set up, data governance wasn't front-of-mind. Instead, systems are generally based on the user
