By Lisa Burton

Published on Fri, January 5, 2018


Regulatory change in 2018 is here, and it is BIG! As new technology continues to develop rapidly, how can legal and compliance practitioners stay in control? It could be said that commercial data proliferation, and the resulting need for updated handling strategies to support effective compliance and governance, is the catalyst for the EU regulatory changes. With new rules taking time to come into effect, technology will continue to advance at great speed. Smart businesses are dealing with legacy compliance issues in addition to creating new strategies, policies, playbooks, and processes to update their compliance and information governance strategy. Many are struggling with where to start.

So, what are these new regulations addressing?

The 1995 EU Data Protection Regulation, now over 20 years old, became steadily outdated as technological advances created obstacles to data privacy and protection for EU residents. Initialised in 2012, the EU General Data Protection Regulation (GDPR) has undergone stringent testing and strong opposition from EU lobbyists, 75% of whom are corporations such as Google, which attended 29 European Commission meetings in 2015 alone and spends an average of £2.9m per year on lobbying. Headlines such as “EU Fines Facebook Over $122m Disclosures in WhatsApp Deal” in May 2017 make the degree of lobbying activity very apparent. These large ‘data’ conglomerates have much to protect in terms of profit and wealth expansion.

Similarly, the new Senior Managers and Certification (SMC) regime, which the FCA has applied to banks since March 2016, will replace the Approved Persons regime. The new responsibilities are more stringent for those performing Significant Influence Functions (SIFs), that is, those closely involved in the banking, insurance, and investment industries.

All of these forthcoming regulations seek to improve accountability, transparency, and protection. They also have one single, common, and usually risk-imposing denominator: data. Effective accountability and transparency at the corporate and personal level will certainly involve data. And, as we all know, data has become seemingly inexhaustible, varied, fragile, and unprotected from attack and abuse.

The devil is in the detail.

Happily, proactive strategising is becoming the norm around managing risk. However, we are still often engaged in moments of crisis. Typically, a crisis will occur when, for example, a regulator has requested information within a timeframe or under a formal regulatory notice (such as a S.166) and there is a need to identify, extract, and process data for review in order to generate a timely and accurate response.

In anticipation of GDPR, the emphasis is on assisting with issues such as how to deploy profiling activities. In the context of big data analytics, how and where is the explicit consent of data subjects found in large and disparate data sets? How do IP addresses, genetic data, and data from cookies affect profiling activities?

When asked questions like: i) where is your data held? ii) who is responsible for the data? iii) can you remove it? iv) who has access? v) do you have consent to use that data? vi) what types of personally identifiable information do you have on file? Most businesses simply do not know, or give a partial response that is not always thorough enough and can leave them exposed to risk.

The financial risk of not knowing the answers to these questions, especially under GDPR, is well publicised and high, aside from the valuable time and effort diverted from day-to-day activities.

How to stay in control?

The importance of data and information governance has become critical, and it should not be underestimated. Technology can support legal and compliance validation of corporate culture and policy by identifying data types and categories, alongside repeatable, best-practice testing processes.

In cooperation with legal, compliance, and internal IT, this work should be proactively included as part of managing business risk and incorporated into a regulatory readiness strategy. Responding to issues in a reactionary fashion often reveals only the tip of the iceberg and results in much bigger costs and higher risk. Keep a couple of key points in mind:

  1. It is not just about technology. It is a bit like buying a new TV: when you search Google for the right product to meet your needs, you are presented with the vast variety on the market. They all function much the same, with a few variations in quality. Similarly, there are many technology solutions to choose from and most of them will do the job. But don’t rely on the technology alone. Third-party providers can bring additional experience and expertise to the table, and can work in collaboration with in-house teams to find the best solution.
  2. The people are as important as the technology. Find the right people who understand your business to help avoid wasting time, budget, or resources on the wrong technology, or on technology that only takes you so far. The benefits are far wider than preparedness for new regulations. Vigilance, validation, and dashboard reporting to the board are achievable across many aspects of the business when data is your key informant. This is where true value can be derived from a key asset.

If you are interested in discussing this topic further or have questions, please feel free to reach out to me at LBurton@lhediscovery.com.
About the Author

Lisa Burton

Director of Advisory Services in Europe

As Director of Advisory Services in Europe, Lisa works with the international team to create thriving outcomes for clients in the UK and Europe on regulatory, contentious and non-contentious matters. She has 18 years’ experience in both legal technology and regulatory compliance, having worked on high profile projects within financial crime, insurance, pharmaceutical, automotive, and telecoms. Lisa specializes in business and strategic consulting in the governance, regulatory and compliance sectors, managed document review, LIBOR, FX surveillance and reporting, AML and remediation solutions, project management, eCourt and eDisclosure, and cloud platforms, such as Microsoft Office 365, to assist clients in successfully supporting the legal/compliance function.

Prior to her role at Lighthouse, Lisa was a Director at PwC where she assisted the Forensic Technology and Corporate Investigations department to develop external market awareness for the company’s legal technology support services and worked closely with the Data Analytics and Business Consulting teams to effectively deliver solutions to clients. She also supported clients with contract lifecycle governance and compliance alongside PwC Legal.

Before joining PwC, Lisa was the Director of Professional Services at UNIFIED, where she oversaw and led complex projects across the EDRM. She was responsible for supporting business growth through strategic objectives, building a corporate profile and market presence. Prior to PwC, Lisa was the Head of eDisclosure at Grant Thornton UK LLP and worked to ensure client engagement, internal education and training, as well as vendor management. Beyond this, Lisa was the owner of Legal Inc Ltd. and has held a number of legal roles for several UK law firms.

Lisa is PRINCE II certified and is a legally trained graduate of Birkbeck, London University LLB.