Sharing Internal Policies with Regulators
Background
A regulatory authority has requested information about the company's internal data governance practices. The compliance team has been asked whether to share an internal policy document and an intra-group agreement that outlines how data flows between entities within the corporate group.
The Dilemma
There are different views on how to respond:
How much information should be shared? Should we provide the full policy document or only a summary?
Is consent required? Do we need approval from other group entities, or from other regulators, before sharing documents that reference those entities' operations?
What are the risks? Could sharing too much information create future obligations or expose the company to additional scrutiny?
Legal Perspective
Position: Exercise caution and limit disclosure to what is strictly required by law.
Key Arguments:
We should carefully review the regulator's legal authority to request this information. Not all requests are mandatory.
Sharing comprehensive internal policies may set a precedent and create expectations for future disclosures beyond what is legally required.
Internal documents may contain confidential business strategies, competitively sensitive information, or references to operations in other jurisdictions that could draw in other regulators and complicate matters.
We should provide a tailored response that addresses the regulator's specific concerns without volunteering additional information.
Consent from other group entities may be necessary if the documents reference their operations, as this could have legal implications for them.
Suggested Approach: Propose a limited disclosure strategy with a carefully drafted cover letter explaining the scope and context of what is being shared.