Information management is both a legal and strategic necessity, say In-House Counsel

In today’s highly compliant world, managing information is crucial. Failure to do so could result in serious economic and reputational consequences

Compliance is high on agendas at the moment, and managing information is fundamental, say In-House Counsel. In particular you need to know what to keep and what to eliminate, as this can have serious implications for a company in the long run, and also ensure that you have a company-wide culture based on training and awareness.
But with the wide range of legislation related to data protection, both domestic and international, navigating the compliance waters can prove a difficult task.
These issues were the subject of a recent Iberian Lawyer’s In-House Club Master Class held at the Intercontinental Hotel in Madrid in collaboration with Iron Mountain. The discussion was moderated by María Hernández, Head of Legal and Compliance at Pentair, and Ignacio Chico, Director General of Iron Mountain in Spain. Cecilia Álvarez, Counsel at Uría Menéndez, also participated as a special collaborator.
The Master Class was attended by Heads of Legal and Compliance Officers, together with a group of expert legal advisers from leading law firms in Spain.

Taking notice
“Compliance is a strategic question as well as a legal obligation,” said Hernández at Pentair. “In the market we can clearly see what happens when you don’t comply and how it can affect a company both economically and reputationally. And compliance clearly translates into competitive advantage.”
In certain industries, compliance can be a balancing act, however. “In the health sector in particular,” says Gemma Torrijos, Legal Adviser at Sanitas, “it is essential to balance the need to protect personal data and the medical history of the patient, while providing them with the best medical care”.
Law firm participants said that there has been a huge increase in companies asking for advice in relation to protecting themselves against the recent changes to the Criminal Code and preventing any future issues on non-compliance with domestic and international regulation.
Companies are looking for platforms and solutions to manage the flow of information and its security. And as they are internationalising more and more, trade and export compliance are high on agendas, as is cyber security, where working in the Cloud has increased the fear of security risks.

Cultural change needed
Participants agreed that in Spain, compliance is based on fear, and that a cultural change needs to happen before the concept is truly embraced. “Most companies take the attitude that ‘it won’t happen to me’,” says Chico at Iron Mountain. “Unfortunately, when it does happen you face a huge reputational risk.” Most people, therefore, need to see an example case to really take notice of compliance, and be aware of their every action and their implications, said Cecilia Álvarez sat Uría Menéndez.
 A fine is the least of the risks for non-compliance, said Javier Fernández-Samaniego, Managing Partner at Bird & Bird in Spain. “You have to protect your market reputation, and in front of your clients. Cyber attacks and industrial espionage, for example, are serious themes that can drown a business and you need to know how to manage an attack, communicate it to clients and investors, and to contain it.”
Therefore in-house counsel have to be extremely careful about data protection and confidentiality of documents. But even if you take all the measures possible to ensure protection, explained Marta Campomanes, Head of Legal at Pernod Ricard España, you can surprisingly discover that a contract provided to the Court comes out in the press without even deleting the personal data included therein. “It is quite difficult to explain to our holding companies that this ‘practice’ is quite frequent in Spain and there is nothing we can do about it.”
Participants agreed that the application of US or Anglo Saxon models in many cases doesn’t fit into the Spanish culture or legislation. “It needs to be adapted and tested on an almost daily basis to get it right,” explained Chico at Iron Mountain.
“The same applies when trying to use a Spanish model elsewhere in the world, and this was the cause of many of the issues that companies are having with compliance.
Excess information
A key discussion centred on the elimination of information, both paper and virtual. And the only way to really tackle compliance is to use common sense. “First, eliminate useless information,” said Gonzalo Atela, Chief Administration Officer at RBC Investor Services España. “One of the greatest problems we have to deal with is an excess of information, as people are scared to eliminate things they may need down the line so managing this is a huge issue.” Participants agreed that destroying documents can be very problematic as you never known when you might need to refer to a particular document in the future.
But they are seeing more and more policies of destroying information being implemented, especially because if there is an audit, it can be a relief to not have access to certain information.

Company-wide eyes
“Most multinationals are telling us that they have a great compliance programme, and this is usually true, but they need to make sure that it actually works in Spain,” said Cecilia Pastor, Head of Compliance at Baker & McKenzie in Spain. “And the market is maturing. Companies also want to take things a step further, and implement a system of whistle blowing, etc.” Participants agreed that it was essential to train every employee on their compliance obligations, as a big problem is that many are still not conscious of the implications of even the most seemingly innocent of actions. And the more people are trained, the more eyes you have on the lookout for potential problems.
“You can have the best systems possible, but if your employees are not aware of their duties and obligations on data protection they can be your weakness,” said Torrijos at Sanitas. “Everyone must undergo training and you need to ensure that if there is rotation of employees that they are all up to speed on compliance.”

Advantage Europe
One very positive conclusion that came out of the Master Class was that European regulations are seen by foreign clients as offering a highly regarded level of security when it comes to compliance. “Being subject to the European data protection regulations is already used as a competitive advantage for certain players, said Álvarez at Uría Menéndez, “such as cloud computing services providers. ”Therefore while Spanish Regulation offered a certain level of comfort, ultimately, it is up to the companies themselves to ensure correct and adequate implementation.
“Before giving a solution you need to make a clear plan, determine affected and types of information, and how to manage past and future information,” said Estíbaliz Gallego, Head of Legal and General Secretary of Nutreco España. “And to have one compliance solution template, but adapt it to each department as there is no ‘one size fits all’.”