LPM: Do you actually know where your client data lives?
Nigel Williams, product director and interim head at LexisNexis Enterprise Solutions, shares the importance of robust data management along with the operational and regulatory risks of fragmented or siloed data storage
Law firms take compliance seriously. There are written policies and risk registers. Processes are documented as much as possible. If you ask a partner whether their firm manages data responsibly, the answer will almost always be a confident "yes."
But the certainty softens at the slightly uncomfortable question: “Do you know exactly where your client data lives?”
When every system tells a different story
The reality is that most firms are not operating with a single, clean source of truth. They are operating with layers. Layers of systems, processes, historical decisions and workarounds built for speed rather than structure.
Add a merger or acquisition, and the complexity instantly multiplies. When a firm acquires another organisation, it also acquires different tools and different ways of working. Mapping and pointing all those systems, processes, and data points back to the firm’s core data engine is a huge, time-consuming, and complicated exercise.
The easier option then becomes workarounds — a practice group implements a tool that solves an immediate problem. Another team builds a spreadsheet that makes life easier. A legacy system remains because no one has the appetite to replace it.
Each decision makes sense in isolation. However, together, they create fragmentation, with the firm ending up with different data silos for different types of information. Of course, from the outside it looks manageable, but for most stakeholders on the inside, the situation is immensely frustrating.
Blind spots in governance
From a governance perspective, it’s something else entirely.
Consider what happens when duplication creeps in. A client record exists more than once. A matter is recorded in one system but referenced differently in another. A debtor flag is attached to one entity but not its duplicate. A conflict check relies on incomplete information.
The operational risk is stark. Say a client is recorded four times in the system with a ‘do not act’ flag in one instance because they haven’t paid their bill. The firm will not know if all four sets of records have been considered, because no system is responsible for resolving them into one authoritative view.
This isn’t theoretical exposure; it’s practical vulnerability, and vulnerability does not always present as a crisis. Sometimes it presents as doubt or perhaps as a quiet anxiety in risk committees. In such situations, a compliance officer will know that if the regulator asked the right question, their answer might involve several caveats.