Rethinking legal risk management
In this article, Antony Wells explores the importance of data discipline in ensuring your data is working for you, not against you.
Data quality and security mean smooth AI implementation for legal firms. This article offers advice on how to get your data in good shape for new tech.
After more than twenty years working with law firms and in-house legal teams, I’ve learned that most organisations don’t get into trouble with data because they’re reckless. They get into trouble because they’re successful.
Successful firms are busy places. Matters move quickly, teams form and reform, deadlines matter, and client service always comes first. Along the way, information piles up. Files are created, copied, emailed, stored “just in case”, and then quietly forgotten about. Over time, that accumulation turns into something far more complicated — and far riskier — than anyone intended.
This is the first article in the Risk to Readiness series, and it starts with a simple but often uncomfortable truth: unmanaged information is one of the biggest sources of risk in legal organisations today, and it’s not something you can fix with security controls alone.
When “secure” still isn’t safe
I speak to firms all the time that have invested heavily in security. They’ve done the right things. Access is locked down, systems are hardened, and cyber risk is taken seriously. That’s all essential, particularly given the threat landscape we’re dealing with.
But security only protects what you know about.
If you don’t have a clear view of what information you’re holding, where it sits, how sensitive it is, or how long it should be kept, risk doesn’t disappear — it just sits quietly in the background. Old matter files that should have been disposed of years ago are still there. Personal data exists in multiple places, some of which no one remembers setting up. Information is duplicated across systems, making it harder to manage and harder to defend.
When a subject access request arrives, or a regulator asks a question, that lack of visibility becomes very real, very quickly. Suddenly, teams are scrambling. Confidence drops. What felt under control no longer does.
That’s not a failure of security. It’s a lack of data discipline.
How data sprawl really happens
What’s important to say here is that data sprawl is rarely the result of poor behaviour. In most cases, it’s the by-product of sensible decisions made over time.
A new system is introduced to solve a genuine problem. A workaround is created to help a team hit a deadline. Someone decides to keep hold of a set of documents because it feels safer than deleting them. None of those decisions are unreasonable in isolation. The issue is that no one ever joins the dots afterwards.
Fast forward a few years and you’ve got information spread across multiple platforms, different retention practices depending on who created the content, and no shared understanding of what should still exist and what shouldn’t. Responsibility becomes blurred, and risk becomes harder to spot.
The consequences show up in predictable ways. Storage and review costs increase. Responding to audits and access requests takes longer than it should. Clients start asking tougher questions about how their data is managed. Internally, there’s often a general sense of unease that things aren’t quite as tidy as they ought to be.
Shifting the conversation
One of the biggest mindset shifts firms have to make is moving away from the idea that risk management is purely about keeping information safe from external threats. That matters, of course, but it’s only half the story.
The more useful question is not “How do we secure all this data?” but “Why are we holding it in the first place?”
Information governance, when it’s done properly, brings intention back into the picture. It helps organisations decide what information they genuinely need to keep, what has ongoing value, and what has simply been hanging around because no one has taken responsibility for it.
That doesn’t mean deleting everything or taking extreme positions. It means being able to explain, with confidence, why information exists, how it’s managed, and when it will be disposed of. That ability to explain and evidence decisions is what separates organisations that are exposed from those that are prepared.
Discipline without disruption
One of the reasons firms hesitate to tackle data discipline is the assumption that it requires a massive programme of change. Large teams, lengthy projects, and significant disruption to fee earners’ day jobs. In reality, that assumption often does more harm than good.
The firms that make the most progress tend to start small and focus on clarity rather than completeness. They begin by understanding what they hold today, identifying the areas of highest risk, and agreeing on some basic rules that everyone can stand behind. From there, discipline is built gradually.
What’s important is that the approach fits the organisation. A global firm with complex regulatory obligations will take a different path to a smaller practice, but the principle is the same. Readiness doesn’t come from doing everything at once. It comes from knowing where you are and having a credible plan to improve.
Why readiness starts here
Moving from data sprawl to data discipline is the foundation for everything else in this series. Without it, strategy becomes guesswork, technology becomes underused, and accountability remains unclear.
With it, conversations change. Governance stops being abstract and starts being practical. Decisions become easier to defend. Risk feels manageable rather than overwhelming.
I’ve seen first-hand how this shift changes the tone inside organisations. Teams are less reactive. Leadership has more confidence. Clients notice the difference, even if they never see the mechanics behind it.
In the next article, I’ll look at what happens once that awareness is there — how firms turn good intentions into a governance strategy that’s realistic, phased, and actually deliverable.
About the author
Antony Wells is a seasoned professional committed to helping organisations optimise their information management responsibilities. In his role as Commercial Director, EMEA at LegalRM, Antony leads initiatives aimed at enhancing firms' information governance strategies, with a keen focus on compliance, risk mitigation, and cost reduction.
Before joining LegalRM, Antony amassed invaluable experience guiding firms in selecting and implementing document management solutions throughout the legal and professional services market.
To get in touch with Antony to discuss how we could help you with your information governance strategy, connect on LinkedIn.
Originally published in Australia.