Ensuring collaboration tool compliance and governance

Challenges facing collaboration governance and compliance

Many compliance tools haven't caught up to collaboration feature advancements and the different modes of communication. The infrastructure behind most compliance tools is built to record and capture email or voice communications, English said. This can lead to compliance gaps if organizations don't have a way to record and capture video or whiteboard content.

Collaboration tools themselves can also create their own governance and compliance headaches. Most collaboration tools are SaaS-based, which means vendors are constantly pushing out new features.

Compliance teams that may have initially approved a tool may not know when a new feature is rolled out to end users, said Brian Mannion, chief legal officer at Aware, a collaboration governance, compliance and monitoring platform.

For example, many collaboration vendors are adding new AI features. But vendors aren't always clear about how user data is training their AI models and how they store that data. Even though a compliance team may have reviewed and approved a collaboration tool, that team may not have had the chance to review whether the data generated by the AI features meets governance and compliance standards, Mannion said.

"[Tools are] updated daily and not in your data center," he said. "I think new features and video [are] probably the place where legal teams are the most uncomfortable."

Managing PII in public cloud services is also a challenge for organizations, Bertrand said. About 44% of organizations said the public cloud has made managing data governance more difficult, according to an ESG data governance study of 376 organizations. One-third of respondents said they could not search, discover or manage personal data stored in the public cloud.

"That's a big issue," Bertrand said. The objective of compliance strategies should be that all personal data can be searched, discovered and managed, regardless of whether the data is stored on premises or in the cloud, he said.

The risks of not having a proactive strategy

External compliance and governance audits have become normal practice. In the last three years, organizations have had an average of seven audits by outside regulatory agencies and failed an average of two, according to the ESG study.

While failing an internal audit can provide an opportunity to improve compliance and governance, failing an external audit has consequences, Bertrand said. These consequences could include fines, increased costs to fix compliance gaps and loss of reputation.

Some organizations may think that turning off certain collaboration features addresses governance and compliance gaps. According to the Theta Lake study, more than two-thirds of organizations reported disabling collaboration features, including in-meeting chat, comments on files and screen sharing.

But disabling access may push employees to unsanctioned apps where organizations have no control or visibility.

"You're creating this unmonitored environment, and you have no idea what your staff are doing," English said.

Several large enterprises have paid fines after employees used consumer communication apps, like WhatsApp and Signal. Wells Fargo, for example, paid $125 million to the Securities and Exchange Commission after an investigation found the financial services firm used WhatsApp to conduct business communications. The firm also violated regulatory requirements by failing to retain or archive WhatsApp messages.

Creating a user agreement that's clear and concise is one way to prevent employees from using unsanctioned tools, Mannion said. These user agreements should explain how to use a collaboration tool and what employees can and can't do.

But organizations aren't just risking fines if employees move to unsanctioned apps. They're also risking not achieving ROI on their tools, Mannion said. Collaboration tool deployments can be costly. If they're not managed properly, employees might look for other apps that make their jobs easier. That lack of user adoption translates to not seeing desired ROI, he said.

IT and compliance teams must work together

A key feature of a proactive collaboration tool compliance and governance strategy is a strong partnership between IT and compliance teams.

Many organizations use multiple collaboration tools to serve different communication needs. The IT team responsible for managing collaboration deployments has the best knowledge of how tools are used by employees. IT is also responsible for managing app data collection, storage and access, which is key for compliance teams when data must be pulled and presented for compliance needs, Mannion said.

High-level executives are also getting more involved in compliance and governance strategies, Bertrand said. This benefits cross-functional teams because executive-level visibility often means more funding for compliance and governance projects, he said.

Katherine Finnell is senior site editor for TechTarget's Unified Communications site. She writes and edits articles on a variety of business communications technology topics, including unified communications as a service, video conferencing and collaboration.