Proper governance means collaboration and risk assessment, and no longer can corporate law departments be the siloed voice on proper data usage, said a recent panel of GCs
NEW YORK — The current data governance environment can seem near-impossible to navigate for even the most experienced corporate lawyer. There are changing expectations and dynamics among hundreds of US governmental agencies and sub-agencies — all of which will be changing personnel upon the change of administrations.
Also, artificial intelligence (AI) is creating more data than ever thought possible, resulting in shadow IT pockets across an organization. And as hackers and other bad actors gain access to new technologies such as quantum computing, data breaches may become more common and increasingly hard to police.
It’s far too much for one in-house legal department, let alone one attorney, to handle. That’s why corporate legal leaders speaking at the panel, Synergy in Action: Collaborative Dynamics between Data Security, Data Privacy, and Information Governance Teams during the recent stressed that properly handling today’s data problems requires a village.
“No longer can you be the siloed voice,” said panelist Kelly Clay, Assistant General Counsel and Global eDiscovery Counsel of Global Operations at pharmaceutical giant GSK. “You all have to be coordinating and understand each other’s areas so you can give that well-rounded advice.”
Teams on the same page
Proper data governance has been a regular topic of conversation among general counsel for more than a decade, the panel noted, but the pace of change brought by new technologies, exemplified by the rapid adoption of generative AI (GenAI), has necessitated renewed attention towards using proper data protocols.
Another panelist — Jordan Thompson, General Counsel and Secretary at education company Penn Foster Group — said this means companies should not be too rigid when adopting data governance standards. “What’s good today might not be good tomorrow,” he explained.
This starts with having a set goal for proper data usage across the company — one in which the company’s legal, IT, business functions, and others play a role, but nobody controls the entire process. “This is a culture change for a lot of groups,” Thompson said. “You have to have that mutual partnership going into it and know that your role isn’t the most important thing, the outcome is the most important thing.”
Clay agreed, saying the biggest data risk in less stringent organizations is that “people have not taken data accountability.” Many people believe accountability will fall to one group or another, or perhaps even be automated using AI systems — an attitude that lets governance fall through the cracks.
At GSK, her group is aligned to the enterprise at large, while the security team is aligned to the technology function, she explained. This allows legal and security to be “a counterbalance” to each other with their differing but complementary department goals, she said, noting that “on a very high level you have to have checks and balances, because one area doesn’t trump the other area.”
This counterbalance will also include outside third parties — perhaps even outsourced Chief Information Security Officers (CISO), which Thompson noted are on the rise at many companies. “But that brings about a whole bunch of other issues with the vendor relationship and holding the vendor accountable,” he said.
For example, many companies may have a chain of command in which the outsourced CISO is hired by IT and not by the legal department, Thompson explained. As a result, the legal department needs to go through IT to ask questions of the CISO, rather than having the ability to engage directly. Plus, the data in question also would not sit within the legal department itself, but rather throughout the entire organization.
This makes collaboration not just a good business practice, but a necessity to make sure proper data governance is followed. “Having a collaborative relationship with those business partners is essential to making sure you have a say in how it’s being handled,” Thompson added.
Assessment is the first step to governance
For corporate law departments looking to regain a handle on their data, panelists said the first step is to know how your organization’s data is being handled, both internally and externally. Kenya Dixon, General Counsel and Director of Information Governance at IT services provider TechCentrics, stressed the importance of robust third-party risk assessments as a necessary starting point.
“If you collect data — and every organization does — and you’re giving that data to a third party, you should be conducting a third-party risk assessment,” Dixon said. “And that assessment is not the spreadsheet with the , and they check a box. It has to be more in-depth.” This means asking questions about compliance with regulations, examining contract provisions for data access, and exploring what personnel will have access to that data, among other factors.
The goal may not even be to prevent a data breach, Dixon added, because after all, hackers have increasingly more access points and complex technological ways to break into a system. But if a breach does occur, a company will want to prove that the lawyers have “done their homework” to comply with US security standards such as NIST and international security standards such as ISO or SOC, Dixon explained.
“It may not keep you from being breached, but it can keep you from being liable for a breach,” Dixon said. “If your ducks are in a row, it’s not your fault that the technology is so far advanced that nobody can keep up with what’s happening.”
GSK’s Clay also noted that these assessments are not meant to be static, suggesting that organizations should regularly audit their vendors to check whether the scope of what those vendors need to access has changed. For example, she pointed to the many legal technology vendors that have AI embedded into their products, fundamentally changing how they interact with a company’s data. “Have they re-upped their third-party risk assessments?” Clay asked. “Only if they were forced to.”
Once a company understands its current data governance posture, it can then move on to planning for incident response. Dixon extolled the virtue of data breach tabletop exercises to keep all of these stakeholders on the same page, “so when it happens, everyone is calm and says, this is what we practiced for.”
Thompson added that cyber insurance providers can be a crucial source of information to benchmark what other insureds are doing, so if an event doesn’t rise to the level of needing outside counsel. “It’s not going to cost anything, and it might be helpful,” he said.
However, perhaps most importantly, the panel stressed that communication is necessary moving forward, because the pace of technological change means novel data governance issues are only going to continue to arise.
“AI is not only here and doing its thing, but we’re going to move past AI really rapidly,” said Clay. “The question is, are we going to be able to keep up with what’s coming?”