Best practice can mean different things to different people, so, what does best practice mean when it comes to the management of IT-related legal issues? From my experience, it means having robust processes and systems across three broad areas: legal compliance and other requirements; data storage, security and accessibility; and third party contracting processes. Legal compliance and other requirements
- Best practice requires that your organisation first needs to identify all of its legal compliance obligations and other (organisation-specific) risks and requirements with a view to ensuring that your IT systems and processes address those requirements in the best possible way. This is done by liaising with your various departments to understand what they are doing and what their future plans are; engaging with any internal risk and compliance managers (in-house lawyers and/or risk managers); and working with external lawyers and possibly other risk managers. Some sort of table or spreadsheet of risks and requirements should be produced as the result of this process.
- Map this agreed list of requirements to the components of your current or proposed IT systems and assess the extent to which each requirement is (or is not) addressed. From this, create an ‘actions list’ to tackle those areas that need attention.
- Once the above points have been addressed, you need to monitor and refresh the above processes at regular intervals (annually, for example) via some sort of self-review or other audit process.
- In addition to the above points, you need to ensure that any new IT systems (or outsourced cloud services) are assessed against the above processes before signing a contract.
Unfortunately, in many instances, companies only engage in quick and high-level interaction between IT, the business unit concerned, and the compliance staff. Even then, this tends to be centred around specific business needs and user acceptance only. Most of the above steps are often largely overlooked, which can result in costly compliance or other legal issues later. Data storage, security and accessibility This is a hot topic given that most organisations are suffering from electronic information overload. Best practice dictates that your organisation must have clear policies in terms of data storage, security and accessibility, with systems that are aligned with those policies. The policies must, as a minimum, meet any specific legislative requirements, such as the seven-year storage minimum under the Companies Act 1993 for certain types of company information, and time/expiry limits in respect of “personal information” under the Privacy Act 1993, to name a few. The policies should also set other desired parameters, for example: should any litigation or regulatory enforcement issue arise, will your organisation be able to quickly lay its hands on the specific archived information required? And is that information likely to be helpful? The latter question raises an issue as to the existence or effectiveness of your organisation’s wider internal compliance training programmes, which is a topic in itself. The security of your data will be dependent on the effectiveness of your systems and processes in that regard – or those of your external service providers (eg: via the cloud). Best practice requires that you rigorously assess those systems and processes, including what information may not be caught and therefore may be at risk. Third party contracting processes Best practice requires that you have sound but appropriate third party contracting documents and processes, and ensure that all staff involved abide by them. This involves professionally reviewing all aspects of your tendering and other contracting documents and processes (including HR training), whether as supplier or customer, to ensure they meet all legal and other organisation-specific requirements. Other best practice points are:
- Undertaking supplier due diligence, especially in the case of a proposed major ‘cloud’ supplier arrangement; and
- knowing when and for how long to engage professional service providers such as specialist lawyers.
Supply or procurement best practice should result in quicker, more efficient contracting; minimal disputes; reduced longer-term total legal spend; and better commercial and technical outcomes for your organisation. The above points are scalable for the size and type of your organisation. Even if the above processes result in short documents and minimal changes from the status quo, it is certainly worth doing, and worth doing well. The time, effort and cost spent will likely result in savings on a multiple scale going forward.