Information governance for Luddites
Contents
- The risks of compromised data security for businesses
- The challenges created by the ‘hybrid’ era of work
- The matter of PII
- Changes you can make to address common issues in information governance
- The importance of a solid data retention policy
The risks of compromised data security for businesses
Non-compliance and compromised data security represent some of the most significant long-term risks facing legal teams today. These areas have changed so dramatically that the effective handling of electronically stored information (ESI) is more challenging and more urgent than ever.
The increase in remote and hybrid working arrangements has created several operational problems, many of which businesses and organisations are still struggling to overcome.
To make matters worse, regulations around data handling continue to grow more complex. This has resulted in mounting pressure to level up how legal partners manage data for their clients and firms.
But when faced with the intense daily balancing act of juggling their ongoing commitments, such as managing staff, attracting new clients and ensuring existing ones receive a high level of service, a serious question remains:
Where can partners find the support they need to reflect on their data practices and work on making them more effective?
You can find all the answers in this handy guide we’ve created for you.
Knowing the difficulties that partners face, we’ve developed this asset to help you improve your knowledge of data management practices and protect you from security and compliance risks.
Read on to discover more about:
- The critical data handling challenges facing legal teams today
- The tools and technologies that can help you address these challenges
- The strategic practices you can adopt to ensure all private information is handled appropriately — both now and in the future
The challenges created by the ‘hybrid’ era of work
Following the meteoric rise of remote and ‘hybrid’ working practices, many formerly office-bound employees now split their working week between their home and their place of work.
While this has presented many benefits in terms of increased employee morale, a better work-life balance and the ability to attract and retain the best talent, it’s a transformation that has led to the growth of numerous data security challenges.
Data is becoming less centralised
With organisations being more dispersed due to hybrid working, many have grown reliant on more digitally-enabled ways for staff to carry out their responsibilities. This has resulted in file storage practices becoming decentralised and fragmented.
Let’s say multiple members of the same team are working remotely on the same project. If they all download, print, edit and resend the same set of documents independently, it can be easy to lose track of who has access to these documents and which version is the original.
From a security perspective, this can leave you more vulnerable to a data breach by presenting cybercriminals with multiple attack routes.
Data formats continue to increase
The workforce relies on digital conversations more than ever before, and your team has more ways to communicate too: video conferencing platforms, instant messaging apps, social media channels and so on.
As a result, not only has the volume of data increased within the average organisation, but the sheer variety of sources this data comes from is also overwhelming. This can create challenges, as each communications channel creates data in a different format with different metadata.
Metadata is the information within a file that holds details such as when it was published or modified.
When dealing with litigation or Data Subject Access Requests (also known as DSARs), accessing this metadata is crucial as it can contain information vital to the case.
The matter of PII
One example of increasingly regulated data is personally identifiable information, or PII.
PII refers to any data that could be used to confirm an individual’s identity — from their full name, to their national insurance number, to their medical and healthcare records. With data volumes and formats spreading across more communications tools, there are more places that PII can reside without an organisation being aware of it.
Changes you can make
So, how can legal firms hope to address these issues?
First, the key is to know what tools and technologies can help. The good news is that as the data landscape keeps evolving, the technologies capable of handling data also keep growing.
Having the right technology
Cloud-based eDiscovery platforms (like RelativityOne) can consolidate and centralise data, thereby eliminating the problems associated with file duplication. The best platforms also use end-to-end encryption to keep data highly secure. End-to-end encryption means a file is encrypted by the sender and can be decrypted only by the intended recipient, so they are the only people with access to it.
Legal professionals can train AI and machine learning tools to recognise PII or other sensitive information (financial, health-related and so on). Once trained, these tools can trawl through enormous document batches, automatically identifying (and, if needed, redacting) PII in text fields. This can significantly cut the costs and labour associated with eDiscovery projects.
Analytics tools can sift through newer media formats, such as video and image data, along with their unique metadata, and translate them into readable text. If the text is being used for a legal case, it can be searched for relevant keywords or phrases.
Alternatively, if it’s being used for data security practices, PII can then be identified and extracted from the text as needed.
Learn more about automation, AI and analytics in our previous Luddite’s guide.
By adopting and applying advanced eDiscovery technologies, legal firms can not only enhance data management standards but also use the findings from these technologies to identify patterns of communication or collaboration that create data security or compliance risks. Following this, necessary measures can be implemented to mitigate these risks.
Having the right approach
Technology is key to effective data management for you and your clients. But to attain the highest standards of compliance and data security, having the right technology is just one piece of the puzzle.
You also need the right approach to handling data. That means setting up systems and processes to ensure all data your organisation creates is handled in a manner that’s 100% secure and 100% compliant.
The way to do this is by setting up a policy-driven framework for the retention or deletion of data within your organisation.
The importance of a solid data retention policy
A data retention policy is a pre-determined set of rules that outline how data should be managed within your organisation.
This is important to remain compliant with GDPR (General Data Protection Regulation). While this regulation doesn’t state a definitive statutory period for data retention, it explicitly states that no business should keep PII for ‘longer than necessary.’
The best way to remain compliant with this, and to raise the standards of your data management practices in general, is to map out a document lifecycle. This means working out a routine process for how data should be handled, depending on what type of data it is and its intended use.
These factors should correspond to an appropriate procedure whereby the data is either retained or deleted. The first step in building out your data retention policy is to have a prescribed method for classifying data. This will help you judge the data's purpose and the appropriate next action for the individual in charge of it.
What type of data is it?
To classify your data effectively, your process should aim to answer the following questions:
- Is it for public use or internal?
- Is it confidential? Or should it be restricted in some way?
- Are there any other additional security measures to consider?
The answers to these questions should correspond to an appropriate process for the following:
- Where the data should be stored
- What devices or systems should be used for storage
- What happens when the data is no longer needed
- Which members of staff are authorised to move, modify or delete the data
Remember to keep things clear and concise to make your guidelines easier to follow. Once you’ve worked those things out, it’s time to put the work in to make sure this new way of doing things is carried forward by your team.
We highly recommend creating slide decks or documents for employees that break down how data should be classified and your data retention lifecycle. Or, you can present them at your next internal meeting with an open Q&A at the end.
Want to learn more about any of the topics discussed in this guide? Altlaw can help.
Contact one of our team members today for an informal chat.
eDiscovery Services: 020 7566 7566
Print/Hard Copy Services: 020 7490 1646
Email us: enquiries@altlaw.co.uk