
GCC East: The pace of tech change means that keeping up with data governance requires a village

Zach Warren  Manager for Enterprise Content for Technology & Innovation / Thomson Reuters Institute

· 7 minute read


Proper governance means collaboration and risk assessment, and no longer can corporate law departments be the siloed voice on proper data usage, said a recent panel of GCs

NEW YORK — The current data governance environment can seem near-impossible to navigate for even the most experienced corporate lawyer. There are changing expectations and dynamics among hundreds of US governmental agencies and sub-agencies — all of which will be changing personnel upon the change of administrations.

Also, artificial intelligence (AI) is creating more data than ever thought possible, resulting in shadow IT pockets across an organization. And as hackers and other bad actors gain access to new technologies such as quantum computing, data breaches may become more common and increasingly hard to police.

It’s far too much for one in-house legal department, let alone one attorney, to handle. That’s why corporate legal leaders speaking at the panel, Synergy in Action: Collaborative Dynamics between Data Security, Data Privacy, and Information Governance Teams during the recent General Counsel Conference (GCC) East stressed that properly handling today’s data problems requires a village.

“No longer can you be the siloed voice,” said panelist Kelly Clay, Assistant General Counsel and Global eDiscovery Counsel of Global Operations at pharmaceutical giant GSK. “You all have to be coordinating and understand each other’s areas so you can give that well-rounded advice.”

Teams on the same page

Proper data governance has been a regular topic of conversation among general counsel for more than a decade, the panel noted, but the pace of change brought by new technologies, exemplified by the rapid adoption of generative AI (GenAI), has necessitated renewed attention towards using proper data protocols.

Another panelist — Jordan Thompson, General Counsel and Secretary at education company Penn Foster Group — said this means companies should not be too rigid when adopting data governance standards. “What’s good today might not be good tomorrow,” he explained.

This starts with having a set goal for proper data usage across the company — one in which the company’s legal, IT, business functions, and others play a role, but nobody controls the entire process. “This is a culture change for a lot of groups,” Thompson said. “You have to have that mutual partnership going into it and know that your role isn’t the most important thing, the outcome is the most important thing.”


“No longer can you be the siloed voice — you all have to be coordinating and understand each other’s areas so you can give that well-rounded advice.”


Clay agreed, saying the biggest data risk in less stringent organizations is that “people have not taken data accountability.” Many people believe accountability will fall to one group or another, or perhaps even be automated using AI systems — an attitude that lets governance fall through the cracks.

At GSK, her group is aligned to the enterprise at large, while the security team is aligned to the technology function, she explained. This allows legal and security to be “a counterbalance” to each other with their differing but complementary department goals, she said, noting that “on a very high level you have to have checks and balances, because one area doesn’t trump the other area.”

This counterbalance will also include outside third parties — perhaps even outsourced Chief Information Security Officers (CISO), which Thompson noted are on the rise at many companies. “But that brings about a whole bunch of other issues with the vendor relationship and holding the vendor accountable,” he said.

For example, many companies may have a chain of command in which the outsourced CISO is hired by IT and not by the legal department, Thompson explained. As a result, the legal department needs to go through IT to ask questions of the CISO, rather than having the ability to engage directly. Plus, the data at question also would not sit within the legal department itself, but rather throughout the entire organization.

This makes collaboration not just a good business practice, but a necessity to make sure proper data governance is followed. “Having a collaborative relationship with those business partners is essential to making sure you have a say in how it’s being handled,” Thompson added.

Assessment is the first step to governance

For corporate law departments looking to regain a handle on their data, panelists said the first step is to know how your organization’s data is being handled, both internally and externally. Kenya Dixon, General Counsel and Director of Information Governance at IT services provider TechCentrics, stressed the importance of robust third-party risk assessments as a necessary starting point.

“If you collect data — and every organization does — and you’re giving that data to a third party, you should be conducting a third-party risk assessment,” Dixon said. “And that assessment is not the spreadsheet with the NIST protocols, and they check a box. It has to be more in-depth.” This means asking questions about compliance with regulations, examining contract provisions for data access, and exploring what personnel will have access to that data, among other factors.

The goal may not even be to prevent a data breach, Dixon added, because after all, hackers have increasingly more access points and complex technological ways to break into a system. But if a breach does occur, a company will want to prove that the lawyers have “done their homework” to comply with US security standards such as NIST and international security standards such as ISO or SOC, Dixon explained.


“If you collect data — and every organization does — and you’re giving that data to a third party, you should be conducting a third-party risk assessment.”


“It may not keep you from being breached, but it can keep you from being liable for a breach,” Dixon said. “If your ducks are in a row, it’s not your fault that the technology is so far advanced that nobody can keep up with what’s happening.”

GSK’s Clay also noted that these assessments are not meant to be static, suggesting that organizations should regularly audit their vendors to check whether the scope of what those vendors need to access has changed. For example, she pointed to the many legal technology vendors that have AI embedded into their products, fundamentally changing how they interact with a company’s data. “Have they re-upped their third-party risk assessments?” Clay asked. “Only if they were forced to.”

Once a company understands its current data governance posture, it can then move on to planning for incident response. Dixon extolled the virtue of data breach tabletop exercises to keep all of these stakeholders on the same page, “so when it happens, everyone is calm and says, this is what we practiced for.”

Thompson added that cyber insurance providers can be a crucial source of information for benchmarking what other insureds are doing, particularly when an event doesn’t rise to the level of needing outside counsel. “It’s not going to cost anything, and it might be helpful,” he said.

However, perhaps most importantly, the panel stressed that communication is necessary moving forward, because the pace of technological change means novel data governance issues are only going to continue to arise.

“AI is not only here and doing its thing, but we’re going to move past AI really rapidly,” said Clay. “The question is, are we going to be able to keep up with what’s coming?”
