GRC, which stands for Governance, Risk and Compliance, refers to a strategy for managing an organization’s overall governance, risk management, and compliance with regulations. This kind of structured approach aligns your business objectives with IT activities, risk management procedures and your efforts to meet compliance requirements. Typically, a company’s GRC strategy calls for setting controls to manage identified risks and maintain compliance, as well as regularly auditing these controls to ensure they’re working correctly.
In an environment with rapidly evolving regulations and laws governing IT and data management, your current GRC strategy may need to be updated. It’s more important than ever that you include legal experts such as your Chief Legal Officer and General Counsel in your approach to GRC. That is essentially what legal GRC is: a framework for better integrating your legal functions with your organization’s other GRC functions.
The Growing Risks of Data
These days, every company has data, and with data comes more opportunity for noncompliance. In the US alone, there are hundreds of bills addressing privacy, cybersecurity and data breaches currently pending across all 50 states, the territories and the District of Columbia. This is on top of already enacted laws such as the California Consumer Privacy Act (CCPA), which was inspired by the EU’s groundbreaking General Data Protection Regulation (GDPR).
And GDPR fines are no joke. Research firm DLA Piper reports that between January 26, 2020, and January 27, 2021:
- GDPR fines rose by nearly 40%
- Penalties under the GDPR totaled $191.5 million
- Data protection authorities recorded 121,165 data breaches (19% more than the previous 12 months)
Some recent notable penalties include a $56.6 million fine issued to Google for failing to allow users to have control over how their data is processed, a $41 million fine to H&M for mismanaging employee data, and British Airways’ $26 million fine for a data breach that affected 400,000 customers in 2018.
Between new consumer privacy laws, an increased risk of data breaches from hackers around the world, and stricter data management rules, you face the potential of crippling fines, reputational damage and even criminal liability if you don’t manage your data with the utmost care.
Laying the Groundwork: How Legal GRC Can Help
In response to increasing cybersecurity, privacy and compliance risks, a legal GRC strategy unifies your personnel, processes and technologies to ensure compliance, reduce risk and optimize operations. It accomplishes this by allowing legal departments to apply their expertise in the evolving legal and regulatory landscape of data management to drive changes to systems and processes on a companywide scale.
Update Your Current Organizational Structure
The responsibility – and challenges – of data compliance span multiple departments. HR can get in trouble for unlawfully using employees’ fingerprint scans for attendance and timekeeping records; the Marketing department can be docked for emailing nonconsenting users; Operations can be punished for misusing CCTVs on-premises or mishandling footage. You may find that your current, siloed organizational structure isn’t set up to adequately manage a legal GRC strategy.
To understand the scope of the changes you’ll need to make in order to effectively integrate a legal understanding of data management into GRC activities, you need to thoroughly analyze both your current business processes and your proposed processes. First and foremost, you need to determine which team leaders and employees are involved in your current processes and whether their roles will continue. If so, how will they change as you adopt a legal GRC strategy?
For example, if new processes require email marketing campaigns to obtain consumers’ direct consent, who is responsible for orchestrating that? Is there a similar process already managed by someone in your organization, and would this new process relate to it? You can’t simply bundle consent for marketing communications with acknowledgement of other policies. That would risk exposing you to noncompliance with the “opt-in” rules in some privacy laws, especially those in Europe and Canada.
Once you’ve identified key personnel, you should then assess the culture and resources presently available to your teams. You need to make sure that these individuals not only understand the importance of a legal GRC strategy, but are also able to effectively communicate that importance to their teams. People aren’t likely to be thrilled by the prospect of a new organizational structure, of integrating new employees into their workflows, or of adjusting processes to be more compliant. It’s up to your team leaders to make any changes sustainable.
Just remember that undertaking such a comprehensive transformation of your GRC strategy isn’t likely to be fast or easy. Allow plenty of time for reassessment and project check-ins to ensure that your goals are being met.
Improve Communications to Sync Processes
It should not surprise you that within the framework of a legal GRC strategy, your legal department plays a more central role, helping to develop and implement a more compliant approach to processes and technologies. For your legal experts in particular, this may mean learning more about the risk landscape as a whole. In the past it was probably not necessary for your CLO to know the specific risks facing your supply chain, but in order to keep processes in sync across departments, it could be relevant. In trying to manage data more effectively, you wouldn’t want to neglect, or pull resources away from, another threat.
Better communication is key to ensuring that your Legal, Compliance, Security and IT teams are all on the same page. The best way to facilitate clear, open communication pathways is to consolidate legal GRC activities to a central GRC platform. By doing so, all stakeholders will be involved in determining current and forecasted risks to compliance, assessing and reassessing processes, establishing and managing risk mitigation efforts and performing check-ins to document progress.
Manage Legal GRC Activities With TotalCompliance Risk
Knowledge is key to successfully managing your organization’s overall governance, risk management and compliance with regulations; this is even more evident when maintaining a legal GRC strategy. TotalCompliance Risk, our powerful GRC management software module, allows you to automate the risk assessment process. Easily create consistent question sets every time, define and weight your questions, distribute your question sets to your audience and review your results in real time.
Our GRC solution gives you complete control over the entire process. Collaborate with others to build assessments that are as simple or as complex as you need them to be, distribute them to as many or as few individuals as you want, customize compliance thresholds for more accurate monitoring – even create and run your own reports whenever you want in our system. Finally, manage all your risk assessments, audits, check-ins and surveys in one central location.
Nearly all negative legal impacts of data management are caused by data misuse or mismanagement: actions such as failing to follow retention and deletion policies, losing data there was a legal obligation to keep, or failing to prevent a data breach. By committing to a legal GRC strategy, every level of your business will be better prepared to meet the demands of stricter data management regulations, and TotalCompliance Risk is the best partner for this tremendous undertaking.
To learn more about our powerful, flexible and cost-effective solution, request a demo with ComplianceBridge today.