Posted by Chris Giles, CEO at Legal Futures Associate LegalRM
Is your law firm in full control of data minimisation? This question arises because in our first blog on this topic we set out the top ten reasons why firms need to destroy much more data than they do.
In that piece, we explained that excess data increases the likelihood of cyberattack and compliance breaches; it makes firms spend more than they need to on storage; and it hurts systems’ efficiency and firm productivity.
Yet the evidence suggests that a large proportion of firms don’t recognise the danger they’re in. In a 2021 cybersecurity survey run by the American Bar Association, only just over half (53%) of respondents said their firm even had a policy to manage data retention. A poll conducted during a recent LegalRM webinar suggested only 26% of firms with data retention policies were actively implementing them.
The alarming implication is that the vast majority of firms don’t practise data minimisation. This is an unsustainable proposition in the long term, not to mention expensive and risky already. What should firms be doing instead?
The data minimisation committee
We admit that data minimisation is complicated. It’s a can that’s all too easily kicked down the road and under-prioritised. It can also fall between several IT and information governance stools because it’s not always clear who ‘owns’ data minimisation in the firm.
Nevertheless, excuses will get you nowhere. Firms need to get a grip on data minimisation by being proactive. This starts with building awareness in the C-suite of what data lifecycle management and data minimisation mean and why they’re important.
Thereafter, some form of data minimisation workgroup or committee should be convened that includes wide representation from across the firm.
This committee then needs to assess what data retention policies and disposition schedules are already in place and whether they’re working. If it hasn’t been done already, the committee should commission a data-mapping exercise that consolidates data in dispersed systems into a data retention classification structure that reflects governance requirements.
The firm should also understand the risk profile of the various data it holds, to help it prioritise next steps.
Acting is what matters
It might then be appropriate to convene some cross-departmental teams of process, system and data owners to identify the gaps between what you have and what you need; and to determine the actions that can close those gaps.
This might well include the introduction of an information governance platform, such as iCompli, that manages data across media types and systems.
Above all, what matters is acting, as opposed to burying collective heads in the sand. The reality is that data volumes are continuing to grow, and quickly. Data minimisation is a bullet that must be bitten.
Sooner will be better than later, before the scale of the task is too vast, and before the firm falls victim to one of the calamitous consequences of holding too much excess data.
To find out more about how to instigate a data and data policy review join us for our upcoming webinar. We will discuss the advantages of a data minimisation strategy, and in particular focus on why this strategy is of particular importance to a CIO, or the IT budget holder within a firm.