Legal GRC: A New Way To Think About Business Risk & The Role Of The CLO
The role of the General Counsel/Chief Legal Officer looks very different today than it did even 10 years ago—having gone from a position almost exclusively focused on providing legal expertise to one that plays a key role in business strategy and oversees a much broader scope of responsibilities. Driving much of this change is the increased liability that comes with noncompliance with regulations like the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), and the cost and reputational risks associated with data breaches and cybersecurity attacks.
Thus, in addition to overseeing the legal operations of the organization, the CLO today must also play a central role in ensuring that the company’s compliance and data governance capabilities meet all regulatory obligations. She must also understand the other enterprise risks facing the company, implement appropriate processes to prevent them from occurring, and address them quickly and efficiently should they occur.
The Evolving Role of the CLO
As the role of the CLO has evolved, so too has the organizational structure. It is now common to see Legal Operations, Privacy, Compliance and Ethics all reporting up to the CLO, with cross-functional dotted lines to the IT Security and Enterprise Risk Management departments. As these organizational units have been added, the formerly distinct lines separating them have blurred. No longer can the privacy department be siloed from Legal or Compliance. Business challenges—such as complying with privacy laws or implementing robust data minimization policies and procedures—span organizational units. And as these organizational lines blur, an opportunity to streamline processes, share technology and gain efficiencies emerges.
A useful way to categorize the new role of the CLO is to think of it as being responsible for overseeing and managing the Legal Governance, Risk and Compliance efforts of the company—or Legal GRC in shorthand.
All New Roads Lead Through the Legal Department
Legal GRC represents not just the new landscape for the CLO, but also the convergence of data governance and data management practices across departments within an organization. Data is what ties all these responsibilities together: how an organization collects, stores, uses and secures its data ultimately determines the extent to which that data poses risks, incurs costs and provides value.
For example, at most organizations, many different departments hold sensitive data on customers, employees, third-party vendors or partners, business practices and more. When it comes to Data Subject Access Requests (DSARs), understanding where this data is stored and how it is being used, and having the ability to easily access, collect, review and redact it, is essential to complying with the various privacy laws—and it is almost impossible to do so without knowing your data. Knowing both what data is stored in a particular application or storage unit and how much of it is stored is critical when faced with a security breach and the need to execute your breach response plan. Having insight into the age and content of the data, and into any legal or regulatory retention requirements that apply to it, is critical before undertaking a data minimization project.
Thus, Legal GRC can be seen both as a way to concisely describe the evolving role of the CLO and as an approach to solving cross-functional business challenges related to new privacy regulations, compliance obligations and enterprise risks like data breaches. It is also a new class of enterprise software, designed to orchestrate the tasks and activities required to implement the processes that address these business challenges.
Business processes like responding to a Data Subject Access Request (DSAR), as required by the GDPR and the CCPA, affect multiple organizational units (Privacy, IT, E-Discovery, Compliance) and therefore require a far more integrated, holistic approach. Your technology solution must support the organizational structure (people) and the policies and procedures (process) in place to address these challenges. Just as siloed business units cannot perform adequately in this new environment, neither can single-point solutions used by only one set of stakeholders. What is required instead is a unified technology platform offering applications that solve complex Legal GRC business challenges, integrated on a common platform, unified through process orchestration and available to all stakeholders.