Putting a data minimization strategy in place

By Denise Prior posted 03-09-2023 03:23


Is your law firm in full control of data minimization? This question arises because in our first blog on this topic we set out the top ten reasons why firms need to destroy much more data than they do. In that piece we explained that excess data increases the likelihood of cyberattack and compliance breaches; it makes firms spend more than they need to on storage; and it hurts systems’ efficiency and firm productivity.

Yet the evidence suggests that a large proportion of firms don’t recognize the danger they’re in. In a 2021 cybersecurity survey run by the ABA, only just over half (53%) of respondents said their firm even had a policy to manage data retention.[1] A poll conducted during a recent LegalRM webinar suggested only 26% of firms with data retention policies were actively implementing them. The alarming implication is that most firms (86%+) don’t practice data minimization.[2] This is an unsustainable proposition in the long term, not to mention expensive and risky already. What should firms be doing instead?

The data minimization committee

We admit that data minimization is complicated. It’s a can that’s all too easily kicked down the road and under-prioritized. It can also fall between several IT and information governance stools because it’s not always clear who “owns” data minimization in the firm. Nevertheless, excuses will get you nowhere. Firms need to get a grip on data minimization by being proactive. This starts with building awareness in the C-suite of what data lifecycle management and data minimization mean and why they’re important. Thereafter some form of data minimization workgroup or committee should be convened that includes wide representation from across the firm.

This committee then needs to assess what data retention policies and disposition schedules are already in place and if they’re working. If it hasn’t been done already, the committee should commission a data mapping exercise that consolidates data in dispersed systems into a data retention classification structure that reflects governance requirements. The firm should also understand the risk profile of the various data held to help you prioritize next steps.

Acting is what matters

It might then be appropriate to convene some cross-departmental teams of process, system and data owners to identify the gaps between what you have and what you need, and to determine the actions that can close those gaps. This might well include the introduction of an information governance platform, such as iCompli, that manages data across media types and systems.

Above all, what matters is acting, as opposed to burying collective heads in the sand. The reality is that data volumes are continuing to grow, and quickly. Data minimization is a bullet that must be bitten. And sooner will be better than later, before the scale of the task is too vast, and before the firm falls victim to one of the calamitous consequences of holding too much excess data.

To find out more about how to instigate a data policy review, watch our webinar. We discuss the advantages of a data minimization strategy and focus on why this strategy is of particular importance to a CIO, or the IT budget holder within a firm. To register, click here.

Chris Giles is CEO at LegalRM, which creates market-leading software, services and solutions for records, risk and compliance management and serves some of the world's largest law firms as well as blue chip organizations from other industry sectors.


[2] 100% - (26% of 53% = 13.78) = 86.22%