The problem in everyday life
We know we have to follow laws and internal rules – but we don't do it fully. The policy is not only hard to understand, it also fails to bridge the gap to our reality. There are no simple, common “this is how we do it” answers.
- The customer accidentally sends sensitive information to the wrong recipient – what do we do then?
- Printer password – is it “sensitive” or “internal”?
- Different managers say different things. The lawyer says “it depends” and so begins a never-ending philosophy lesson.
Responsibilities are unclear, systems are older than our routines, and when someone asks for support, the answer too easily turns into a wet blanket: “that's someone else's responsibility,” “later.” In the meantime, people guess – and guessing creates risk.
Why is it difficult?
Legal sees risk (that is its job) and easily becomes a “no machine”. The business responds with shortcuts and shadow routines. No one speaks the same language: legal interpretations meet the reality of technology and human habits.
Legal is often not a particularly large department in the business; quite often it is a single person who has to rely on colleagues and peers in the industry.
Information owners are rarely identified in practice. The result: slow decisions, different interpretations – and the risk that matters still slips through.
Ways forward – comprehensive solution
Principle #1: “Yes, if …” instead of “no”. Risk cannot be removed 100 %. We aim for a good enough solution – clearly described, possible to follow and fast enough for the business.
- Get the governance group in order – the lawyer sits in the room and stays. Legal leads the interpretation of the frameworks and, together with IT, communications/HR and the information owners (managers in the business: e.g. the finance manager for invoices/receipts, the sales manager for agreements/quotes), evaluates whether the solution is sufficient.
- Appoint real information owners. The lawyer shares responsibility for information security with the respective information owner. IT ensures controls and logging; communications/HR ensures clear language and training.
- Decisions in plain language. Write “yes, if …” decisions that people understand: standard sharing, labels/classification, permission levels, retention/backup, incident flow. Put them in a decision register that everyone can find.
- Secure default modes. Make the easy choice the right choice: pre-populated labels, default sharing levels, minimum permissions, retention policy, and versioning.
- The right hands on sensitive tools. eDiscovery and similar tools are handled by legal or another authorized role – not the helpdesk. Minimize access and document traceability (who did what, and when).
When the foundation is laid
Lawyers and information owners are in the room. “It depends” becomes “yes, if …” with clear language, decided levels and functioning incident flows. The technology does the right things – and the people know how.
This post is part of the series Common mistakes in the digital workplace.