While moderating the Thomson Reuters West Coast Law Firm Leadership Forum panel on GDPR readiness last week in San Francisco, it became apparent that an opportunity was hiding in all of the stress surrounding the upcoming May 25th GDPR compliance date. GDPR, the General Data Protection Regulation, is an overhaul of the Data Protection Directive that aims to standardize data protection and privacy for EU citizens and residents. Its reach extends beyond the borders of the EU to any organization selling goods and services into the EU (or monitoring the behavior of EU data subjects).
This presents a challenge to US organizations, which take a different approach to privacy than their European counterparts (e.g., right to consent, opt-out versus opt-in, etc.) and generally lack visibility into whether their information assets contain protected data covered by the regulation. In working with law firms on general Information Governance assessments, Mattern has seen a recurring issue: firms lack the data mapping and integrated technology stack that would allow them to search for and identify relevant data across the disparate data stores under firm control (email, file shares, Document Management Systems, SharePoint, FTP sharing locations, physical media, etc.). Thus, if an EU data subject requested a report on what personal information the firm held, many firms would be at a loss as to where to begin.
While many firms are struggling to get up to speed with the impact of GDPR, the tenets of compliance (e.g., visibility, privacy, security, right to be forgotten, etc.) can be seen as the model for effective document handling as part of an overall, firm-wide Information Governance initiative. In essence, GDPR can be the catalyst that some firms need to enact proper document handling, including proper use of systems, access control, and purging per retention schedules. In past engagements, Mattern has leveraged client scrutiny during the initial engagement process and the prevalence of security audits as drivers to move firms from inaction to enacting defensible programs. GDPR adds a new lever with the backing of a formal regulation.
It was mentioned more than once by panelists on the Thomson Reuters panel that firms need to create a culture of privacy first and enact a defensible program that allows proper visibility into information assets under the firm’s control. With GDPR as the driving force, firms can implement a compliance program that touches all practice and administrative areas.