Privacy and Compliance Services: Why the Market Is Rumbling Against the Big Four

Corporate decision makers cannot assume any brand-name provider, whether it is Big Law or the Big Four, is a safe bet simply because of size or familiarity. What worked in the past does not in today's new regulatory landscape. A provider's expertise in understanding data, technology, business — and perhaps most importantly, the legal implications of each decision — is now essential to helping reduce a company's risk without sacrificing business goals.

If your potential provider is quick to offer, "We've done that before and we can do it for you," this is a serious yellow flag because what succeeded for one company won't be an exact fit for another: no two companies are the same. As time consuming as it might be in the beginning, your provider should ask numerous questions, speak to many stakeholders, and listen carefully before ever trying to sell you a solution. In the world of compliance, there are no preset solutions. There are only problems to solve, and each company's culture, industry, budget, and risk tolerance makes the set of problems unique.

Before any technology is selected, the potential provider should first focus on the root of the problem: data and how people interact with it. If your potential provider does not begin with the foundational issues including your information governance plan, data structure and capabilities, workflow requirements, and ongoing data management, then you're likely to be getting a Band-Aid rather than a robust solution that can grow with you.

It is the responsibility of your provider to uncover how your in-house business units interact with data across their varying functions so that adequate safeguards can be put in place. For example, Human resources data is assumed to be for internal use only, but if it has inadvertently landed in another internal data repository being used for an investigation, you could be at risk of exposing PII unnecessarily. Similarly, in a marketing dispute, source code, social communications or client privilege information might be uncovered. Working with an educational establishment recently on a construction dispute, we found that student data was inadvertently at risk of exposure during the litigation production. Litigators are well aware of such areas of accidental crossover between data silos and it's their job to be diligent about getting control of documents.

In other words, a strong service provider must not only see what data is present and where, they also must understand the implications of what they are not seeing and detect the cases where data has gone beyond its allotted boundaries.

If your potential provider is not asking questions or is deferential to your answers, they will also not perform well in engaging with individual departmental custodians to help you achieve your business goals. The art of persuasion and communication is essential in getting your custodians to comply. For example, in a recent privacy project to help a global telecom corporation become compliant with the California Consumer Privacy Act (CCPA), our legal team actually spent the most time on the telephone with the thousands of custodians involved. This is a good illustration of why a provider must have the expertise to provide answers to your custodian's questions and the possible legal implications of how they are answered, alleviate any fears of giving up their privacy, and be willing to spend the time needed to walk them through what seems to them to be a distraction from their daily jobs. We cannot underestimate the value of a provider who is able to practice empathy as they implement your compliance solution companywide.

Legal Expertise

You also need to confirm that your potential provider is at the forefront of all of the constant changes and requirements that will continue to place your company at risk, both legally and financially. Ensuring financial compliance does not translate to ensuring regulatory and privacy compliance. Excellence in resolving accounting and technology compliance issues does not equate to the ability to manage the finer points of privacy or other types of regulatory compliance projects. We have been called in again and again to solve implementation failures caused by lack of legal depth and project management experience in the traditional consulting teams.

While known for their high professional standards, the Big Four teams deployed for e-discovery, privacy-related, or regulatory compliance-related projects rarely include former practicing attorneys who have handled precisely the problems which they are being hired to solve. For this reason, Big Law and the Big Four have been known to collaborate on major compliance projects. This is, of course, a costly option — but then hiring one of the Big Four is a major expense in and of itself.

And yet legal workflows lie at the heart of compliance projects. It takes an understanding of legal processes to create workflows that allow organizations to properly handle compliance requests. Time is of the essence in these instances, and the ability to adapt workflows as they evolve is key to achieving proper outcomes. Does the service provider have the agility to pivot quickly to react to data?

A most important final point is your budget. The decision is not only between the different expertise offered by Big Law and the Big Four, but pay close attention to the cost of what they offer. Big Law and Big Four mean big bucks. Their structures are similar; their rates are as well.

This is not to say that one of the big firms absolutely cannot help your organization. But before bringing one on board for a privacy or regulatory compliance initiative, ask these key questions:

• Do they ask good questions — and are they asking to speak to people across business units?
• Are they asking about your information governance plan and data sources?
• Do they understand your business goals — and culture?
• Are they trying to sell before they try to understand?
• What is their legal expertise? And technology prowess?
• Do they give a sense that your project matters to them?

Organizations must resist the temptation to select big and board safe and expect the same results in the complex world of legal compliance. Choose your provider on how well they demonstrate excellence and commitment at the confluence of law, technology, people, and data. As real-life examples have proven, the market will not remain silent if the results are less than stellar.

*****

Leigh Vickery is the Chief Strategy & Innovation Officer at Level 2 Legal Solutions. She can be reached at [email protected]. Follow her on Twitter @leigholiver and on LinkedIn.