Q&A: Inés Rubio on Addressing Perpetually Shifting Data Challenges

Inés, congratulations on your award win. Before we discuss that, can you offer some background on your focus area and the types of client engagements you’ve been involved with since you joined FTI?

I joined FTI Technology at the end of 2020 as part of the Information Governance, Privacy & Security practice in Ireland, which was an adjacent area to roles I’d held before. Having started out in my career as a lawyer, I was initially working as an e-discovery and digital forensics consultant. This evolved to a focus on privacy and data breach incident response. In those roles, I got to know a lot about the content of data, the technology we use to create it and store it and the pivotal role of security on the spectrum of corporate risk.

At FTI Technology, I've been leading and participating in many matters relating to data breaches, privacy analysis of the data that has been compromised and the requirements for notification to data subjects, supervisory authorities and regulators around the globe. One of my main responsibilities has been creating innovative solutions for clients in those spaces.

So, you recently won a Relativity Innovation Award. What does that recognition mean to you?

I think the award is a recognition of the way FTI Technology understands the need for a multidisciplinary approach to data challenges. We support our clients in achieving a stronger and more proactive approach to handling their data, so they can understand it and manage its creation, storage and use in a controlled, compliant manner.

The award also recognises how we have leveraged the solutions and tools that we've been using for e-discovery for other use cases and challenges — like data breach response. Analysis using tools like Relativity gives us great insight on risk and allows us to go back to our clients with solutions on how to fix this upstream and try to avoid the same issues in the future.

While we’re focused on privacy and data protection, it’s important to also examine how they come together and interact with each other and with other data uses. It can’t be addressed in a vacuum – the adjacent areas are equally important. For example, focusing only on security can impede business users from working and collaborating the way they need to. Conversely, if users are allowed to do whatever they want, data privacy may be undermined.

It’s critical that businesses understand the needs of their people and the processes and activities they undertake. Technology can then be adjusted to those needs on an ongoing basis. As employees have new needs and processes as the organisation grows, the configuration of the supporting technology must continue to grow alongside it.

Of the six categories in the Relativity Innovation Awards, five were won by women. Does that say something about how diverse the sector is?

In data privacy and litigation, there is a significant intersection between technology and the law, and there have always been a large number of women in the legal profession. I think we’re seeing more recognition of that and it’s inspiring to see women in a variety of roles, including leadership roles, being recognised for leadership in the industry.

From your day-to-day experience, what is keeping senior leaders and the C-suite awake at night when it comes to data issues?

Two things immediately come to mind. One would be the regulatory requirements around data that are constantly changing and developing around the world. I think it’s difficult for organisations to stay on top of what is already in place, but keeping track of and implementing changes makes it all the more challenging.

This plays into the second issue, which is an organisation’s data footprint. If a particular piece of legislation comes into play, it is likely to impose new rules on how organisations manage their data, the assets they have and how they control them. If businesses don’t know what data is stored where, how it is used, accessed and shared, these legislative changes will make this issue even more obvious. For businesses with legacy systems and a global presence, for example, the task can feel insurmountable.

These factors, and more, are creating a risk environment that has to be managed effectively and appropriately. No one size fits all, so it’s important that organisations assess their data landscape and address it to stay ahead of emerging risks.

So, what are some of the steps businesses should take to address these risks?

Processes and procedures shouldn’t just be written in a document. They need to be designed, tested and measured. They need to be constantly monitoring their data and adapting accordingly.

You joined FTI Technology during the pandemic – was the data risk environment more challenging during that time or did organisations actually realise how agile they could be?

In the early days of the pandemic, there were a lot of applications that were rolled out to facilitate remote working and that certainly created a few challenges around data. Take something relatively simple like putting a document in a messaging application. The questions become, where is that being saved and what users is it available to? Is it deleted eventually?

Any time something new is added into the equation, those questions must be asked and answered with a clear plan. During Covid, those that weren’t ready for remote working and had never planned for it may have been firefighting in the beginning, and I’m sure some organisations maybe didn’t think too much about risk at first.

Broadly speaking, do you find some organisations are far more ‘switched on’ than others? That there are leaders and followers?

Yes, I think there’s a bit of both. Generally, when an industry is heavily regulated, there are more resources put into management of data and data governance. You sometimes see organisations that put that privacy, security and data governance into their core values and choose to continuously invest in that area. It may also depend on how old the organisation is — newer businesses are more digitally native and were ‘born’ in the cloud so they can create efficiencies around that.

However, those new organisations may also be quite innovative. And if they are, it's hard to stay on top of privacy practices because the innovation moves faster than their policies and practices. So, concepts like privacy by design should be included as values within the organisation. Likewise, legal and privacy leaders need to keep an eye on the organisation’s pace of innovation versus its ability to catch up.

How do you see things evolving in the next couple of years?

I think the next few years will see continued changes in the regulatory landscape. It's key for businesses to take time to look at what data they're actually sitting on, where it is and how they are managing it.

For example, if I asked you where your passport was in your house, you’ll likely be able to answer straight away. The same thing applies to organisations — they need to know where that important documentation is stored. And they should be able to protect it in a way that is aligned with its sensitivity. That may include customers’ information, employees’ information and data belonging to other third parties.

One thing is for certain — data is an area that is only going to become more complex in the coming years. Businesses need to have their house in order and really be able to answer the tough questions of where the sensitive data is stored and how it flows through the organisation.

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.