Do you need a data policy?

Season 1 Episode 10

In this last episode of Season One, CJ Anderson begins at the beginning by talking about the data governance policy.

She explains what it is and what usually goes in one.

But then she shares why she doesn’t believe you need one!


Law Firm Data Governance Podcast

  • Do you want learn more about the podcast?
  • Are you curious about what’s coming up in future seasons?
  • Do you want to listen to the latest episode?

Answers to these questions and more can be found on the podcast page.

Episode Transcript

Welcome to the law firm Data Governance Podcast, the Data Governance Companion for law firm leaders who want to know more about implementing and improving data governance.

Each week I’ll help you with your law firm’s data governance initiative by sharing something I’ve learned in my 20-plus years of working with information and data in law firms.

In this last episode of Season One: “begin at the beginning”, I’ll talk about the data governance policy.

I’ll explain what it is and what usually goes in one, but then I’ll share why I genuinely don’t believe that you need one, and most law firms can live without one.

A data governance policy is one of those things that if you Google it, you’ll find lots and lots of wordy and worthy definitions for.

A simple definition is that a data governance policy is a set of rules that help safeguard data and establish standards for its access, use, and integrity.

It guides your company’s decisions about data assets.

Another definition is that data governance policies establish roles and responsibilities for data that include access, disposal, storage, backup, and protection.

These policies are typically accompanied by standards, which provide more detailed rules for implementing the policy.

There are many guides and training courses out there that talk about the steps for developing a solid data governance policy.

Broadly, they cover similar steps.

Identify your senior leaders that you trust, or the key stakeholders from most areas of your business.

Two, set out the rules and expectations and the consequences of non compliance, and three, figure out what roles, data stewards and so on are needed and how they will help implement the new practices.

Now I can understand why this is important for very large firms or heavily regulated environments.

I’m probably at risk of making a heretical statement here, but in my experience and my experiences with law firms, the conventional wisdom that you need to start with a data governance policy just isn’t true.

As I’ve already said, most of those data governance guides, books, training courses start with first writer policy.

And the idea behind that is that it will be easier to monitor and manage compliance with the agreed standards if you codify the data rules and the consequences of not complying with those rules into one big document, the policy document, and then your data governance leads can use it to enforce compliance and to monitor compliance.

The nature of a law firm internal structure makes getting a policy drafted, consulted on, and communicated a massive challenge.

It can become a painful protracted multi-year process as the policy needs to be agreed by both business service leaders and partners.

And I’ve got a few reasons why new policies, data governance or otherwise, are challenging to achieve in a law firm.

Firstly, policies tend to only get created and published where there is a legislative or regulatory obligation to do so, and while there are obligations around some elements of data governance, these are already addressed in existing policies.

Secondly, when the firm already has a robust data retention or privacy or security or usage policy, it can be really hard to persuade stakeholders that a new data governance policy is necessary.

Stakeholder perception that the content of the policy overlaps with what is already published can be hard to shake.

Thirdly, perfection really can be the enemy of the good, lawyers by training, and I’m not dissing it at all, focus on the meaning and intent of every word.

So even a simple document can take many months of wordsmithing and it can double in length.

All the partners and other stakeholders need to get to a place where they are happy that each word says what it means and means what it says.

Finally, junior team members disengaged with top down policies.

It’s not enough to publish a policy on the intranet and have some team meetings to explain what it says.

After years of crafting that policy document no-one has the energy or appetite to tailor the messaging to each team or to each role and help them to adopt the policy.

Overall, a data governance policy means that a firm can spend a lot of effort for hard fought change and little reward.

So if you don’t need a policy, what do you need? I favour a bottom-up approach to data governance that does away with the need to create, agree, and adopt a policy.

It puts a greater emphasis on the structural and relational mechanisms as the focus for law firm data governance, the people, and how they’re going to work together.

This collaborative methodology means that it’s more important to identify the right people to have those conversations about data and to create a structure that enables and supports them.

Now don’t get me wrong, just because there’s no policy it doesn’t mean that things don’t get written down.

But I found that getting the subject matter experts at an operational level to collectively agree and write down the best practices that they are prepared to take responsibility for implementing, is much more effective in achieving lasting change and in improving data standards, data quality and compliance with rules.

While this involves the same, if not more effort, it achieves much greater rewards for the firm over the long term.

In short, sometimes policies are great, but you don’t need one for data governance.

You do need to have collaboration and communication in a forum that’s focused on doing the right thing with the firm’s data.

If you’ve got questions on why I think you don’t need a data policy or anything else to do With data governance hop over to and let me know.