A New Era of Governance, Risk and Compliance

Bill Piwonka, chief marketing officer of Exterro, discusses the way the role of chief legal officer has expanded in recent years, as well as what organizations can do internally to stay ahead of changing regulations around data privacy and cybersecurity.

CCBJ: Let’s start with an overview of Exterro and your role there.

Bill Piwonka: Exterro was founded on the simple belief that applying concepts of process optimization and data science to the ways that companies manage digital information and respond to litigation would drive more successful outcomes at lower costs. The company’s early history was focused on legal operations and helping companies manage the e-discovery process, but over time we’ve expanded our products and services to address a much larger set of business challenges, beyond just legal operations and litigation support to include things like privacy and compliance and information governance.

I’m Exterro’s chief marketing officer, so I’m responsible for the company’s brand positioning and messaging, as well as demand generation and working with existing clients. It’s a pretty broad spectrum.

What are some emerging trends that you are seeing among your clients, as relates to their overall legal strategies?

Probably the biggest trend we’re seeing is the way that the role of the chief legal officer (CLO), or general counsel (GC), has evolved over the last 10 years. Previously the CLO almost exclusively provided legal expertise. Now they are playing a much larger role in terms of business strategy and have a broader scope of responsibilities. Much of the change, I would say, has been driven by regulations like the European Union’s General Data Protection Regulation (GDPR) and the new California Consumer Privacy Act (CCPA) and the increased liability that comes with noncompliance. Then there are also the escalating costs and reputational risks associated with data breaches and cybersecurity attacks. And that’s in addition to overseeing the legal operations of the organization. So today’s CLOs must play a central role in ensuring that the company’s compliance and data governance capabilities meet all of the various regulatory obligations. They must also understand other enterprise risks facing the company and be able to implement appropriate processes to, ideally, prevent negative outcomes from occurring, while also being able to efficiently address these issues if they do occur.

Take a cybersecurity attack or data breach for example. As the role of the CLO has evolved, so too has the organizational structure underneath that role. These days it’s common to see legal operations, privacy, compliance and ethics all reporting to the CLO. Certainly there’s also going to be tight cross-functional cooperation with security and enterprise risk. So, as the organizational units are changing in terms of their reporting structures, the distinct lines between these different organizational units are blurring as well. And it’s because some of the really big challenges that companies are facing today can’t be solved by one department.

Consider the privacy regulations I just mentioned, the GDPR or the CCPA. Both of those laws give consumers, and in some cases employees, the right to say to companies: “What data do you have stored on me? How is it being used? Who have you shared it with? I want to see all of it.” And in some cases, they are able to say, “I want you to delete all of it.” Normally, you would think, “Well, this belongs to the privacy group, because these are privacy regulations.” Now the privacy team is charged with having to take those requests and use some kind of workflow to make sure that the requests get routed to the right person. To actually act on the request, you need to be able to connect to all of the different enterprise data sources that reside within an organization in which that data is stored. You need to be able to identify the data, collect it, review it, redact anything that’s not related to that particular requester, then produce it for the requester. That process is really what e-discovery is. Then, if the requester says, “I’d like you to have it deleted,” you need to understand any kind of legal hold obligation or regulatory compliance retention obligation that the data might be under before you can simply delete it. You can see how now one business challenge – responding to these data subject access requests – spans privacy, compliance, legal operations and e-discovery. So organizations are looking for new approaches to solving these cross-departmental business challenges.

What shifts are you seeing in the way clients are approaching governance, risk and compliance issues?

Everything that I just described, we have labeled “Legal Governance, Risk and Compliance.” It’s a subset of the larger global risks to the enterprise, of governance, risk and compliance. But again, it’s about asking, “What are the governance, risk and compliance activities and challenges that fall under the auspices of the chief legal officer?

Let’s go back to what I was saying about how these different departments are now all underneath the CLO, and how the distinct lines between the different departments are blurring. What our customers are saying is, “We want solutions that enable us to more effectively collaborate and communicate across each of these different organizational units. We want to have a workflow that spans each of these different departments. We want to have, for instance, one data inventory where everybody in the organization can understand: Where is my data stored? What kind of data is stored in those applications, or on what hardware? Who has access to it? How do I ensure that when I’m doing something like a data minimization, or defensible disposition, or responding to data subject access requests, how do I orchestrate the workflow? How do I orchestrate the process across all these different people, and in some cases with third parties?”

Companies are coming to us and saying, “Help us, from a technology perspective, codify and implement our processes and leverage the people we have internally more effectively.” So how do you solve this problem? It’s a combination of people, processes and technology. And what our clients are saying is, “We need a single unified platform that is able to coordinate all of these different tasks and activities, as well as unify all of these different stakeholders in one common area, so that we can be more efficient.”

What are the most pressing issues your clients expect to face in governance, risk and compliance over the next two or three years?

There are a number of big issues right now. First and foremost, our clients want to know how to comply with the existing privacy legislation and prepare for legislation that may not be ratified yet but is coming down the pike. Many companies that were multinational and did business in Europe scrambled to comply with the GDPR last year. This year, companies that do business in California are saying, “Oh my gosh, I have to ensure that I’m compliant with the California law.” And there are something like 13 other states are planning to implement their own version of these privacy regulations that have legislation winding through the various states legislatures. So, one of the top challenges facing organizations right now is how they will comply with all of these new privacy regulations. Second, there is the ongoing threat and costs and reputational risks associated with data breaches and other cybersecurity attacks. And then finally, from a legal perspective, how can the legal department continually improve its operations? What we’ve seen over the last few years, and it’s absolutely a continuing trend, is that the legal department is under increased scrutiny in terms of their costs and how they’re doing their work. More and more of the work that previously had been outsourced is now being brought in-house. And as operations are brought in-house, companies start getting more visibility and transparency into what’s happening. They’re much better able to control costs and predict future costs and run their operations more efficiently.

What are some key findings from your 2019 In-House Legal Benchmarking Report that our readers should be aware of?

Most organizations in the U.S. today are unprepared for the privacy regulations that are about to be unleashed. One of the key technologies that can help address privacy issues is an accurate, modern, enterprise-class data inventory. While pretty much every company will say that they have a data map, or a data inventory, the percentage of those inventories that are actually utilized is very, very low. So the first takeaway from the benchmarking survey is that most companies are not prepared to address these new challenges. They really need to look at their underlying technology and data inventory capabilities and determine whether what they have internally is actually helping them address these impending challenges, right now and in the future.

The second main takeaway is that, from a legal operations perspective, more and more of the e-discovery process is being brought in-house. Previously a lot of the e-discovery process that was done in-house was more on the preservation side. Now what we’re seeing is that in addition to preservation happening in-house, collection and processing are being insourced as well.