The report details this shifting reality and enumerates the ways the field is changing, specifically with respect to the increased responsibility these legal pros have dealing with compliance regulations like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) in Europe.
“The role of General Counsel and Chief Legal Officers looks very different these days than even just 10 years ago—having gone from a position of largely exclusively providing legal expertise to now playing a key role in business strategy and overseeing a much broader scope of responsibilities,” reads the report, which is entitled 'The New Role of General Counsel and Chief Legal Officers: Legal GRC Creates a New Way to Think About Business Risk.'
These officers have a lot on their plate, and they must be agile with respect to mitigating enterprise risks and data governance issues, notes the Exterro paper.
“Driving much of this change is the increased liability that comes with non-compliance with regulations like the [GDPR] or [CCPA] and the cost and reputational risks associated with data breaches and cybersecurity attacks,” it continues.
According to information from California’s Department of Justice, the CCPA gives consumers greater control of personal data being collected by businesses. This includes the right to know how the data is being used, the right to delete certain pieces of personal information and the right to opt out of the sale of that data, among other provisions.
In addition to the role itself changing, notes the report, so too has the organizational structure surrounding it. Now, privacy, legal operations, compliance and ethics departments are all expected to report to these legal experts with “cross functional dotted lines to IT Security and Enterprise Risk Management departments.” As these organizational units are blurring, so too are the lines separating these once-distinct departments.
As a result, these legal professionals are being asked to take on a lot of responsibility, some of which is relatively new in the space. “It’s ‘please send me a copy of all my personal data,’ effectively,” notes one industry insider cited by Exterro. “And that causes a headache for companies, because if you’re faced with that, if it’s come from a customer you’ve had for 20 years or whatever, where do you start? What are they looking for? How do you find it? How do you separate it from data that they’re not really entitled to get? Are there any exemptions that apply? Is it privileged?” asks Philip Thomas, partner at Reed Smith.
“It’s a big headache, and the problem with this, it can be very challenging to respond to these requests in a cost-effective way,” adds Thomas.