A recent article in Corporate Disputes Magazine looks at some of the factors – notably leadership and strategy – involved in building a global information governance and discovery programme. It includes input from Craig Earnshaw and Sonia Cheng of FTI Consulting in London, and Daniel Lim of Shook, Hardy & Bacon LLP in the US.
Two key things appear from the title alone – that information governance and discovery are interlinked and that, for many organisations, the implications are global. In the old days (about four years ago) the focus of most organisations, especially US ones, was the ability to find documents and information relevant to actual litigation or regulatory investigations. The concept of information governance to pre-empt or head off problems, not merely reduce their impact, is relatively new.
This basic idea was slow to take off because organisations failed to spot what now seems obvious: that control of information, including knowing where it is and disposing of useless information, reduces the time scale and cost of reaction to discovery requests.
As Craig Earnshaw puts it in the article:
Increasingly, corporations are looking to implement integrated IG and e-discovery programmes as they are typically two sides of the same coin: if a company knows what information it holds, where it stores it and has disposed of that which it does not need to retain, it has a significantly better ability to rapidly, and at considerably lower cost, respond to its discovery obligations in disputes and investigations.
We have now moved on even from that into an understanding that good information governance will not merely solve problems but help anticipate them.
Reacting to a discovery request can be relatively straightforward – there may be arguments about how to do it, but there is usually little option but to engage with it. Proactive information governance requires something more. Someone needs to take control and promote policies in anticipation of future problems.
Craig Earnshaw says:
The role of senior management in a global IG and e-discovery programme is primarily that of budgetary support and sponsorship to drive a ‘tone from the top’ that the correct management of the corporation’s data assets is critical to the risk management practices of the business.
Sonia Cheng adds:
While a one-time clean-up or one-time policy project can provide a temporary boost, meaningful change needs to be understood and supported from the top. The challenge with IG is that typically there is no single owner due to its cross-stakeholder nature. IG leaders often work in silos, which is one of the core root-causes of data compliance gaps.
What has led to this change? One very significant factor is data privacy, not least the General Data Protection Regulation. Another is the extent to which regulators increasingly have roles in matters which go beyond actual pending disputes. Craig Earnshaw puts it this way:
Data privacy is the topic that is top of mind with almost all companies implementing e-discovery and IG programmes around the globe. In recent years the privacy of personal data has become a very hot topic, heightened by the implementation of the General Data Protection Regulation (GDPR) in Europe, and the progression into legislation around the world of similar instruments.
Not all the external requirements relate to a dispute or investigation. Craig Earnshaw says:
Additionally, we are seeing regulatory requirements – other than government investigations or litigation – such as the provision of documents to regulators as part of the merger approval process, become heavily focused on the provision of internal company documents, requiring a company to go through a process akin to disclosure in litigation.
All three participants emphasised the need for training in both legal and technical subjects.
All this is hard enough within a single jurisdiction. The position is much complicated by the differences between jurisdictions. Craig Earnshaw says:
Companies are often surprised that there cannot be a single, consistent approach to data privacy, document retention or data transfer that can be applied globally, due to the patchwork of different requirements that exist across different countries, industries and legal systems.
Cultural differences matter – not just between countries but between organisations brought together by merger or acquisition.
Sonia Cheng identifies four factors relevant to global IT programmes, namely cross-border data flows, the varying laws and regulations governing personal information in different countries, and different rules about retention and record-keeping, plus, not least, cultural differences.
Daniel Lim urges organisations to be proportionate in their reaction. Sonia Cheng suggests starting with identifying preservation obligations as a first step to disposal of unregulated material. Craig Earnshaw advises organisations to “not try to boil the ocean”, coupled with a reiteration of his earlier point about education.
None of this is easy, and there are few prescriptions which will apply equally to every organisation. This article provides some general thoughts which will apply in most circumstances.