Bill Piwonka, chief marketing officer at Exterro, discusses key ways that legal departments have evolved in the last decade, including operational and process changes, technological advancements, and the new role of the general counsel.

CCBJ: The role of the general counsel has changed dramatically in the last 10 years. What’s been the driving force behind these changes?

Bill Piwonka: The general counsel (GC) or chief legal officer (CLO) used to simply be responsible for providing legal advice and managing litigation and other legal operations for the organization. In the last 10 to 15 years, the role has evolved and grown so that different parts of the organization are now actually reporting up to the GC or CLO – I use those terms interchangeably. These days, you’ll see privacy reporting to that person; you’ll see compliance and ethics reporting to that person.

Over the last six or seven years, we’ve seen legal operations taking on a much broader and more important role. I think it’s in response to the C-suite focusing more on legal and saying, OK, how do we continue to provide the best legal representation and legal advice to the organization, while controlling costs at the same time? And consequently you’re seeing a lot more functions that previously had been outsourced being brought in-house. We’re seeing more project-management-certified individuals come in and really treat legal as a business process. So you’re seeing a much broader scope for the GC or CLO – and I’d say that what’s driving it has a lot to do with what’s happening in society itself. Privacy has become a very big focus, really coming into play with the implementation of the General Data Protection Regulation (GDPR) in Europe, and then this year in the U.S. with the California Consumer Privacy Act. There are 13 or 14 other states that have privacy legislation winding through their legislatures as well.

Clearly consumers and governments are focused on privacy. So organizations need to make sure that they’re compliant with all these various privacy regulations. Cyberattacks and hacking are a constant threat. You’ve got to focus on compliance in terms of regulatory mandates. If you think about a company that’s in pharmaceuticals, or finance, or utilities, for instance, these industries are heavily regulated, and you absolutely have to make sure that you’re compliant. So having somebody who understands the various implications from a legal perspective overseeing different groups or departments makes a tremendous amount of sense.

What are some of the changes in organizational structure that youve observed?

Previously, you might have had some of these different groups and departments within a company being more independent. Now they are reporting up to the GC or CLO. So there’s more of a need for collaboration and communication than ever before. I’ll give you a couple of examples. The GDPR and CCPA give individual consumers the right to ask companies what data they have stored on them, what they’re doing with that data, and which third parties have access to that data. They can request to see the data, and in some cases, they can request to have that data deleted. At the surface level, you might look at that and think, OK, that’s the responsibility of the privacy group, right? These are privacy regulations, so privacy should handle that. But if you think about the process, you realize that a consumer comes in via the Web or an online portal, or even over the phone, and requests this information, right, that’s going to kick off some workflow that makes sure the request goes to the right person. If it’s an employee making the request, you probably want to send it to somebody in human resources to get the information, as opposed to somebody in the privacy group or IT – which may be very different than if it was a consumer making the request.

After somebody is tasked with finding the information, you have to collect it, and you have to review it. Often you’ll have to redact certain information, because it may not pertain to that specific requester, and then you have to produce it back. When you think of it that way, it’s e-discovery, right? So a lot of these companies have e-discovery technologies in their legal group, but the privacy people may not even be aware of it. So if you’re trying to operationalize and become more efficient, you want to have privacy and the legal ops or e-discovery professionals working together on these data subject access requests. And it gets even more complicated if the request is to delete the information. Because on the surface you say, OK, the law says we have to delete it if we’re requested to do so – but before you do that, you have to have an understanding of whether that data is under a legal hold or is subject to retention regulations from some other piece of legislation.

So now you start thinking, well, the compliance group needs to be able to say, OK, we have to be compliant with this regulatory obligation. Legal has to be involved to say we can’t delete something that’s part of a legal hold. So now you’re seeing how multiple departments, which are all reporting up to the GC or CLO, need to work together and harmonize their efforts to ensure that everything is being done appropriately. From an organizational perspective, what we’re seeing is a blurring of the lines between these formerly distinct departments, which used to be more siloed in their day-to-day activities.

Could you talk a bit about legal governance, risk and compliance (GRC) and why its important?

First, it’s important to point out that GRC is a term that’s been around for a while, right? And it has different focus areas. There’s information technology GRC, there’s finance GRC, there’s human resources GRC. But in terms of legal GRC, say you’re the person responsible for legal compliance, and you also have strong ties to privacy and security from the perspective of what your legal obligations are in a breach response. If an unfortunate cyber event happens, if you get hacked, there are legal requirements about when and how and to whom you have to communicate the breach information. If you’re the person at the top of the organization, you need to have a way to consolidate these different activities and tasks and leverage the information and technology you have in your organization. So ideally you’ll want one platform that has commonalities that can be used across all of these different departments to help people do their jobs.

I would argue that you need to start with a robust, modern enterprise-class data inventory system, where you know where your data is and who owns it, the data-retention regulations that govern that data, of course, as well as what third parties have access to it. That will allow you to effectively analyze the data and respond to various requests for it. But on top of that, you also need to have the ability to connect to those data sources, so that you can verify what’s in your data inventory, go find the information you’re looking for, and find information that’s potentially stored inappropriately or in the wrong place. Legal GRC is an approach – from a technological perspective – to becoming more efficient and productive and operationalizing all of those different tasks and activities across the various departments that report to the GC.

How are general counsel, legal ops professionals and others in the industry increasing their technical competency?

Partially it’s just a natural demographic evolution. As the workforce changes and gets younger, there’s a growing percentage of digital natives who are already very comfortable with technology. As the part of the workforce that is less comfortable with technology reaches the end of their careers, they’re gradually being replaced by that younger generation. But also, purely from a process standpoint, if you go back to what I was saying about legal operations business-process optimization or business-process reengineering, those ideas have been around for 30 years already. The discipline of applying technology and process management and process optimization has been applied to all kinds of things: how we close out our financial books every month, how we manage our supply chains, how we develop applications, how we run our manufacturing lines. Over the last 30 years, organizations have used strategies like Six Sigma and other process methodologies to become more productive and effective, to do things at a lower cost but with higher quality. And over the last five to seven years, we’re finally seeing legal get process optimization and process management applied to it. As the C-suite is taking a sharper eye to the cost of the legal organization, they’re saying OK, we can do things more effectively. We can utilize technology to better manage our internal operations from a legal perspective. So I don’t think it’s necessarily that the industry is going out and taking computer classes or something like that to increase its technical competency. It’s just a natural evolution of understanding that technology can be applied to the legal department’s day-to-day activities, to make everyone’s jobs easier while reducing costs and increasing efficiency.