As the world grapples with the effects of COVID-19, news stories abound about companies using consumer data to aid in slowing the spread, raising questions about the need for increased privacy regulations at the U.S. state and federal levels. According to a survey conducted by Consilio, a global leader in eDiscovery, document review, risk management and legal consulting services, even prior to COVID-19 spurring implications across the U.S., 70% of legal professionals believed it was “very likely” or “somewhat likely” that U.S. federal privacy regulations would be passed into law in 2020. Only six percent of respondents indicated it was “very unlikely” that a nationwide statute would be enacted this year.
While most respondents thought it was likely that U.S. federal privacy regulations would be passed in 2020, only 30% of respondents stated that they were concerned about the potential forthcoming federal regulations. In fact, when asked which information governance regulations they were most concerned about, more than half of respondents cited state-level privacy laws (56%) and international privacy regulations (51%), putting these two at the top of the list.
“The global public health crisis has made it even more complex for companies to navigate emerging state-level and international privacy regulations, and the lack of a U.S. federal law invites heightened ambiguity regarding compliance during an already unprecedented and uncertain time,” said Matthew Miller, Vice President, Global Information Governance Advisory Services at Consilio. “While these results show that the industry was expecting a nationwide regulation this year before the rise of COVID-19, today companies still need to focus on effectively responding to rigorous state laws. Numerous states including California and Nevada have passed laws or have bills in front of their state legislatures containing similar but varying obligations that businesses still must comply with now.”
Room for Improvement: Proactive Approach to Information Governance Compliance
Despite continued evolution in information governance regulations, the majority of respondents said that they were “very confident” (48%) or “somewhat confident” (48%) that their companies’ procedures and technology will remain compliant with relevant regulations and rules across the U.S. and internationally.
Nearly half of respondents (46%) noted that their companies are utilizing cross-functional teams to comply with new or existing information governance regulations. Other efforts cited to comply with new or existing information governance regulations in the survey included maintaining/updating/executing on document retention schedules (38%), assessing data governance and data privacy maturity posture (34%), and conducting a Privacy Impact Assessment (PIA) (29%). Surprisingly, only 19% of legal professionals indicated the allotment of new spend and 18% cited the development of an enterprise data map as steps taken to comply.
“While we hear our clients place an increased emphasis on effectively managing their data to remain compliant, this survey shows there is more work to be done on exactly how that is being accomplished,” said Miller. “This survey qualitatively confirms a glaring issue we see with many organizations day-to-day. Without an enterprise data map, organizations cannot clearly determine what type of personal data is collected, for what purposes or applications the data is collected and whether their processes comply with all relevant regulations.”
When asked which departments at their companies are involved in the management of the organization’s information governance practices, an overwhelming majority of respondents said the CIO/IT teams (70%) and legal departments (69%). Respondents also named compliance (45%), records management (35%) and CISO/information security (33%) departments as being included in managing information governance practices.
“The dominance of the CIO/IT and legal departments’ involvement in managing organizations’ information governance practices is not a surprise. However, I do see a missed opportunity stemming from the lack of involvement by CISO/information security departments, as these teams have important expertise when it comes to information governance practices. This includes knowledge of what information the company has, where it is located, what it contains, what level of protection it should have, who can and should have access to it, and how to confidently find the right information in a timely fashion,” said Miller. “While information governance regulations are indeed moving a bit slower in the U.S. in comparison to other regions such as Europe, this is the opportunity for all companies, across sectors and geographies, to improve their information governance maturity by taking a more proactive approach towards compliance with data privacy regulations.”
Nearly half of respondents (48%) reported that their companies review their information governance policies yearly, while 27% stated policies are reviewed on a monthly, quarterly or biannual basis and 18% said every two or more years. Only seven percent stated that they do not have policies in place.
Consilio conducted this survey of 120 legal professionals from corporations, government-affiliated entities and law firms from February 4 – 6, 2020, at the Legalweek conference.
Consilio is a global leader in eDiscovery, document review, risk management, and legal consulting services. Through its Consilio Complete suite of capabilities, the company supports multinational law firms and corporations using innovative software, cost-effective managed services and deep legal and regulatory industry expertise. Consilio has extensive experience in litigation, HSR second requests, internal and regulatory investigations, eDiscovery, document review, information governance, compliance risk assessments, cybersecurity, law department management, contracts management, legal analytics, paper discovery and digital printing, as well as legal recruiting and placement. Consilio and its global family of companies, Advanced Discovery, Altep, Millnet Document Services and Legal Placements Inc., employ leading professionals in the industry, applying defensible workflows with patented and industry-proven technology across all phases of the eDiscovery and risk management lifecycle. ISO 27001:2013 certified, the company operates offices, document review and data centers across Europe, Asia, and North America. For more information, please visit us at www.consilio.com.