Comply or die
By embracing new technology, firms will find it easier to meet their compliance burden and avoid the ever-increasing penalties for breaches of data protection, say Lawrence Milner and Don Hughes
Legal compliance costs are increasing just as the UK seeks to recover from the recession. However, cutting compliance corners is not an option as regulators and watchdogs increasingly seek to assert their authority.
One area of law which is currently changing is the UK's data protection regime. In order to encourage businesses to take their compliance obligations seriously, the government has recently announced proposals to introduce £500,000 fines for serious breaches of the data protection principles, as well as prison sentences in certain cases. It is anticipated that these will come into effect from next April. Another example is the new Bribery Bill which, if enacted, will impose significant new criminal sanctions on individuals, directors and companies involved in corrupt practices.
The costs of some of these regulatory burdens have been identified by the British Chambers of Commerce 'Burdens Barometer 2009'. This states that since 1998, compliance with various forms of regulation has cost UK business an astonishing £76.81bn. Of that total, compliance with data protection legislation has, according to the British Chambers of Commerce, imposed an annual cost of £667m on UK businesses.
So, businesses are stuck between a rock and a hard place. Fail to comply and face onerous fines and possibly terminal reputational damage and penal sanctions. Or spend hard-earned profits on legal and compliance costs during a period of economic downturn. Are there any other options?
Technology to the rescue
Increasingly, technological solutions are becoming available that support compliance for a reasonable investment, and a growing share of IT budgets is being spent on alleviating compliance pressures.
For example, according to analyst Forrester, enterprise IT security increased from 7.2 per cent of technology budgets in 2007 to 12.6 per cent in 2009. In addition, according to a survey by the Economist Intelligence Unit, 45 per cent of European companies and 74 per cent of US companies cite legislative compliance as one of the greatest issues facing their IT departments.
There are different types of technological product available to companies to help manage the costs of legislative compliance. These range from commoditised legal advice and 'compliance tools' produced by law firms to IT solutions provided by IT suppliers.
(a) Compliance tools
When faced with a complex and potentially expensive regulatory issue, general counsel and compliance officers do not simply seek bespoke advice from external law firms. Increasingly, they are able to rely on sophisticated commoditised online products and services for practical guidance on how to address compliance issues.
For example, law firms are combining in international networks to provide comprehensive issue-specific compliance solutions which offer a level of quality that individual firms find hard to match. These tools help companies address their data privacy compliance obligations cheaply: they not only identify what the law requires, but also show how these obligations are typically met, and include relevant templates and policies so that companies can see what compliance 'looks like'. The solution to a potentially complicated regulatory issue is therefore likely to involve accessing reasonably priced online legal compliance tools rather than procuring expensive bespoke legal advice.
(b) IT solutions
In terms of pure IT, the sophistication of a business's IT systems increasingly has a direct bearing on its legal compliance. For example, a written 'information security policy' will not, in practice, stop computers and laptops being lost or stolen. Recent high-profile data losses by organisations such as the Ministry of Justice illustrate that unlawful data losses continue whatever compliance policies might be in place. Good IT systems are therefore key to ensuring information is kept secure in accordance with applicable law.
Much has been written about encryption of data on laptops and the strength of the algorithms that should be used to adequately protect such data. However, in terms of broader compliance requirements, organisations need solutions that allow a company to meet its compliance obligations and support its wider information governance needs. These can include any or all of the following capabilities, each of which bears on whether information is appropriately managed:
- allowing data to be fully classified, enabling the controller to understand all aspects of the data's lifecycle;
- providing a platform for long-term data retention and preservation while ensuring that such data is not affected by technology obsolescence;
- protecting the data against damage or loss whether by accidental or malicious means;
- specifying how long certain data should be held by IT systems and then deleting that data automatically;
- performing keyword and other searches across all documents, regardless of format (emails, Word, PDF, JPEG etc.), held on its IT systems to deal with regulatory audits, e-discovery requirements and data subject requests; and
- providing a monitoring and audit capability for all events associated with the storage of specified data.
While the initial investment in technology will have its own cost, the long-term benefit to businesses cannot be overestimated, both in terms of compliance with regulation and in driving value from the information they hold. In an era when regulation, enforcement and penalties are all increasing, the future will belong to those companies that embrace new services and technology which help them meet their compliance burden.