FTI Consulting has been offering information governance services since before the General Data Protection Regulation was a twinkle in the eye of the EU. It was among the first of the major players to draw attention to the fact that both eDiscovery and compliance obligations become easier to manage if you have less data and more understanding of the data which you must keep. In addition, the ability to keep better control of corporate data enables organisations to extract value from the data they have – to make a better business, not just to anticipate and defend against risks.
Sonia Cheng, European Information Governance Leader at FTI Consulting, adds a further point in her article Perfect storm: navigating the compliance landscape in 2018. While the chief focus in 2018 is on the GDPR, she says, that is only one of several regulations which affect the collection, storage, processing and sharing of data. Organisations face not just jurisdictional conflicts (where the law of one country conflicts with that of another) but apparent conflicts between obligations in different regulations within a single jurisdiction. One regulation appears to require you to keep data while another imposes restrictions on keeping that same data.
The focus on high fines, particularly in the GDPR, is perhaps understandable as a means of getting boardroom attention, but most companies analysing the risks properly will focus rather more on whether they can keep doing business, and do so profitably, with their present level of oversight and control of their data.
Two difficulties have recurred over recent years since the GDPR was first mentioned. Accepting the relatively simplistic “we have a lot of data”, the issues have been a lack of cooperation between different parts of an organisation, and the perceived lack of a return on any investment in addressing the problems. Sonia Cheng refers to getting “a task force of leaders from the business including legal, privacy, security, IT, compliance and the C Suite to work together”, going on to refer to “the potential to unlock the value of data within organisations”.
If it takes talk of large fines to bring this about then so be it. Much more interesting are the signs that some organisations at least are seeing positive benefits in the information governance which they have ignored for so long.
FTI has a page about its General Data Protection Regulation (GDPR) Preparedness Services which cover a range of things which organisations should be thinking about. These range from wide concepts like the GDPR assessment and programme implementation through to more specific components such as data about development, the remediation of sensitive data, the development of standardised processes to handle data subject requests, and the development of privacy impact assessments and privacy by design.
The range of services includes cyber security assessments, preparedness of data breach response and, not least, the relatively new heading Contract Intelligence, which helps identify contracts, both past and new, which give rise to most potential risks and to lost opportunities.
Sonia Cheng’s article accepts that few organisations are going to be able to tackle all these areas at once. Part of the service which FTI offers is to help build a list of priorities. Which areas contain the biggest risk? What will show the best and most immediate return for the smallest outlay of money, time and resources? What can we get rid of prudently which diminishes risk and costs?
No one suggests that any of this is easy, but this kind of analysis helps separate the urgent from the non-urgent and, just as importantly, the achievable from that which, for the moment at least, is not achievable.