comprehensive scoping across a global
organization is tedious. The timeline
for completing this work should not
Organizations that currently have
a keep-everything culture will face
much greater difficulty in remediating expired legal holds and separating
redundant and outdated data from
that which must be preserved. More
sophisticated organizations likely have
taken some of the necessary steps to
bring data under control, but many
find that programs have too many
owners to be effective or that ongoing policy enforcement is not in place.
When considering privacy in the
context of data volumes, it is important to acknowledge and address that
sensitive customer data such as credit
card information, social security numbers, and other PII is coming into the
organization all the time, in a variety of
formats, and from a range of sources.
This information ends up in structured
databases, into which counsel typically
has little to no visibility, but is nevertheless responsible for protecting from
breach or privacy invasion. Any effort
to establish data governance programs
must take all of these challenging and
complex factors into consideration.
It is inevitable that counsel will
continue to see an increasing ten-
sion between privacy demands and
preservation obligations, and struggle
to marry the two in a defensible and
sustainable way. Conflicts between
counsel in Europe looking to main-
tain data protection compliance and
those in the United States focused on
following the letter of the FRCP laws
will surely arise in cross-border mat-
ters. The ongoing evolution of global
policy — with GDPR at the current
forefront — must be the lens through
which local procedures are regularly
reevaluated and refined. With in-house
counsel at the helm of a collaborative
and global effort, multinational corpo-
rations will be much better positioned
to sufficiently meet obligations in every
region in which they operate. ACC
ACC EXTRAS ON… Information governance
Cover Your Assets (Sept. 2017).
A Role of Its Own: The Importance of
Protecting a Company’s Knowledge Assets
(July/Aug. 2017). www.accdocket.com/
Creating an ROI for Information Governance,
with No Budget (Sept. 2016). www.accdocket.
Ground Zero Governance (Jan./Feb. 2016).
Employee Behavior Change Management
Programs for Information Governance
(July/Aug. 2017). www.acc.com/
Building a Business Case for an Information
Governance Program 2016 (Oct. 2016).
ACC HAS MORE MATERIAL ON THIS SUBJECT
ON OUR WEBSITE. VISIT WWW.ACC.COM,
WHERE YOU CAN BROWSE OUR RESOURCES BY
PRACTICE AREA OR SEARCH BY KEYWORD.
WANT MORE ARTICLES LIKE THIS? VISIT US ONLINE AT WWW. ACCDOCKET.COM.
Enforcing and maintaining IG programs
Once a data management program is off the ground, with privacy and
preservation teams working collaboratively, it must be well maintained. A
sound IG program is only as strong as its enforcement. Ensuring compliance
with retention and disposal policies is in and of itself an intensive
process, but there are a handful of practices that will help legal teams
build long-term success into their overall IG programs. These include:
■ ■ Risk framework: Allow the company’s tolerance for risk and how programs
impact the business to guide decisions about policies, so they are
properly aligned and fit into the organization for the long term.
■ ■ Change management: Examine company culture, incentive programs,
and general attitudes towards compliance, privacy, and security;
leverage best practices from established change management
guidelines such as the Kotter 8-Step Change Model.
■ ■ Training: Customize training materials that encompass policies
and new software tools and make them accessible through a
variety of mediums that employees are likely to consume.
■ ■ Work with local counsel: In cross-border situations, it is important to
work closely with local counsel in each jurisdiction to ensure ongoing
understanding of and compliance with data protection requirements.
■ ■ Strategic technology selection: Ensure all key stakeholders are
involved in technology evaluations and that deployed solutions offer
automated retention schedules and built-in compliance features.
■ ■ Monitoring: With the proper tools in place, ongoing compliance monitoring
and flagging can take place, notifying the legal team when legal holds
are not being followed; tools can also automatically preserve a copy of
data that falls under legal hold parameters, even if the user deletes it.