The Role of Legal in Information Governance

The Critical Role Your Legal Team Plays in Information Governance

Enterprises that work in highly regulated industries have in-house legal teams that ensure compliance with applicable laws, regulations and industry standards. Sometimes, the legal team is one person and, in some instances, these organizations also leverage outside legal teams with expertise in their business. Regardless of the size of your legal team, or whether it’s in-house or external, they play a critical role in your information governance strategy.

3 Ways Legal Supports Information Governance

There are a number of ways your legal team (person) can help with your information governance strategy. Here are three:

Participate in the strategy definition

Legal should not be a silent party in the definition of your information governance strategy. With their proximity to the C-Suite, they can help lay the foundational elements for the strategy by helping to outline all applicable laws, regulations, and organizational and industry standards. These include privacy laws like GDPR, NYDFS, and CCPA, along with additional regulations related to the specific industry and type of information you manage.

Once outlined, your legal team can help identify key policies or processes to put in place and what information is affected.

As I’ve discussed many times, there are often individual projects happening while you are developing your overall strategy. These projects help get governance requirements off the ground by focusing on certain departments or content types, and they provide proof of the feasibility and value of your program. Again, legal should be involved from the beginning to ensure your project stays in line with all policies and regulations, and your legal organization may be a great place to start a pilot project.

In some cases, you may kick off a project to address a new regulation, like the new California Consumer Privacy Law (CCPA). With a project like this, legal will play a critical role in defining the approach to take, ensuring any technology put in place does what is expected, and analyzing outcomes to ensure they meet the standards for regulatory compliance.

By including your legal team (and compliance team, if they are separate) from the beginning, you shouldn’t run into any unexpected challenges with how you implement your policies and procedures.

Validate policies and assumptions

Along with outlining the legal and compliance requirements, your legal team can also validate the policies and assumptions you set in your strategy and individual projects.

For example, say you implement a new technology to support compliance with the new California privacy law. In particular, you built a policy and process that will help you find and delete a consumer’s personal information upon request and prove you have deleted it. Because your legal organization understands the regulation and what you need to do, they can test your policy and process to ensure they work as expected.

Support the regular updating of the strategy

Compliance policies and regulations often change, especially as they wind their way through the judicial system. Your legal team is aware of these changes, sometimes before they happen. Through regular check-ins, as well as an update notification process, they can let the business know when updates are going to happen and how they will affect current policies and procedures.

Why Legal Needs to Help Select Governance Technology

No one technology can support all your information governance initiatives, but there are several you should be looking to put in place: file and content analytics that leverage artificial intelligence, data/information archiving, and records management “in place.” These should all work together and have built-in workflows.

In most organizations, there is a tendency to “leverage what you got.” I see many organizations that try (and unfortunately fail) to use technologies like DLP (Data Loss Prevention) to comply with these newer regulations. While most of these new regulations are very much about understanding exactly what you have, they are also about taking rules-based (or AI-based) action on that information: things like classification and organization, moving to another location or a long-term archive, or even defensible deletion. Your legal team is very helpful in identifying what you need to do with the information and can work with IT, compliance and your data organization to select the right tools to ensure you meet those requirements.

Legal doesn’t need to own the right tools, nor do they need to understand how to implement the right tools, but they do need to understand what tools and technology are necessary to support governance strategy and individual projects.

When you include your legal team in your information governance technology evaluation process, you get a better result! Drop me a note if you’d like to talk about how your legal team should get involved in your governance technology selection process.