The Secret Sauce for Complying with Privacy Regulations

Published On March 30, 2020
No matter how experienced and well-resourced your organization may be, compliance with privacy regulations is a challenging task right now. Your organization must react and respond quickly to privacy threats and possible data breaches while also ensuring compliance with hard-hitting regulations like the CCPA and GDPR.
Recently, I had the opportunity to speak at the AIIM Conference 2020 and, in our session, I answered questions about complying with privacy regulations – now and in the future. One common theme emerged: Information lifecycle management (ILM) is key to protecting privacy and achieving compliance.
So what’s the “secret sauce”? Here are your questions, answered:
How does properly managed information contribute to a successful privacy program?
A privacy program means treating personal data appropriately, by respecting and protecting it across the entire lifecycle, from creation to destruction. This means that it is important to consider each phase of the information lifecycle:
- Creation: It’s important to consider how you are collecting personal data, why you are collecting it, and whether you are legally authorized to do so; in other words, whether you have the proper consent or another legal mechanism to collect that data.
- Using data: When using or processing the data you’ve collected, make sure you evaluate whether your use is consistent with what it was collected for. You must be transparent about it, and protect the data with appropriate controls. If you have the right to use the data, you’re responsible for keeping it safe!
- Data destruction: Finally, when it comes to destroying records and information, make sure you are governing data according to a well-built retention schedule. This gives you confidence to eliminate data that’s no longer needed. If you have the option to automate your information governance processes, that is certainly preferable, and much easier than manual disposal. And when you destroy, make sure you do so securely. Secure destruction protects your stakeholders from the possibility of a data breach.
Privacy laws such as the CCPA and GDPR require organizations to respond to individuals’ requests within a fixed window: 45 days under the CCPA, and one month under the GDPR (both extendable only in limited circumstances). What are steps to prepare for complying with incoming requests?
Realistically, 45 days is not enough time to locate and collect the necessary data, unless your organization has carefully thought about it in advance. Don’t try to create the process the moment you receive the request.
Your organization will need to be able to find the data no matter where it resides. Data mapping can help you quickly find what you’re looking for. Be sure to include any data that a third-party service provider may possess on your behalf.
Your organization should also be classifying the data, so you know what is responsive to the particular request. For example, is the data:
- customer data
- employee data
- health data
- financial data
- EU or California consumer data
It’s also important to set up procedures for the intake of requests and test them across the various departments in your organization.
What are some of the tactics an organization can employ to prevent data breaches?
A “keep everything” culture doesn’t help. The more data you have, the more risk you carry. Think about how to change the “keep everything” culture. There are several tactics that you can employ:
- Minimize the collection of personal data by only gathering what’s necessary to fulfill your legitimate business purpose. Think about what is on your intake forms. Do you need data such as gender, age, etc.? If not, don’t collect it in the first place.
- Dispose of your data in accordance with retention rules. Good governance goes a long way here. Keeping data longer than necessary increases the chance of it being breached. Automating the application of policy and disposal rules ensures that your process is consistent and defensible.
- Protect the data that you need to keep. If data is digital, encrypt it, both at rest and in transit, and keep the keys under separate access control from the data; encryption does nothing against an account that is already authorized to read the data, so pair it with least-privilege access and logging. If you have physical data, guard it, or transfer it to a records management provider who can protect it for you. And don’t forget about administrative controls, like policies and training for your workforce.
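The automated, retention-driven disposal described above (in the data destruction phase of the lifecycle and again under the breach-prevention tactics) comes down to three decisions per record: has the retention clock started, has it run out, and is anything blocking disposal. The following is an added example, not code from the original post or from any product it refers to; the retention schedule, record categories and sample records are all constructed for illustration and are not a real schedule.

```python
"""Retention-schedule-driven disposal check (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical retention schedule: category -> (trigger, years to keep).
# "creation" starts the clock at the record's creation date; "event" starts it
# at a later business event (contract end, employment end). Values are illustrative.
RETENTION_SCHEDULE = {
    "customer": ("event", 7),
    "employee": ("event", 6),
    "marketing_lead": ("creation", 2),
    "health": ("event", 10),
}


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    trigger_event: Optional[date] = None  # e.g. contract end; None if it has not happened yet
    legal_hold: bool = False


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 Feb to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposal_date(rec: Record, schedule=RETENTION_SCHEDULE) -> Optional[date]:
    """Date on which rec becomes eligible for disposal, or None if the clock has not started."""
    trigger, years = schedule[rec.category]
    start = rec.created if trigger == "creation" else rec.trigger_event
    if start is None:
        return None  # event-triggered retention, event not yet occurred
    return add_years(start, years)


def due_for_disposal(records, today: date, schedule=RETENTION_SCHEDULE):
    """Split records into (dispose, retain, on_hold) as of `today`.

    Unclassified records are never auto-disposed: they are retained until someone
    classifies them, because an unknown category cannot be matched to a rule.
    A legal hold always overrides the schedule.
    """
    dispose, retain, on_hold = [], [], []
    for rec in records:
        if rec.category not in schedule:
            retain.append(rec)
            continue
        due = disposal_date(rec, schedule)
        if due is None or due > today:
            retain.append(rec)
        elif rec.legal_hold:
            on_hold.append(rec)
        else:
            dispose.append(rec)
    return dispose, retain, on_hold


def disposal_log(dispose, today: date, schedule=RETENTION_SCHEDULE):
    """Audit entries proving each disposal was made under a named rule on a given date."""
    return [
        {"record_id": r.record_id, "category": r.category,
         "rule": f"{schedule[r.category][1]}y after {schedule[r.category][0]}",
         "eligible_from": disposal_date(r, schedule).isoformat(),
         "disposed_on": today.isoformat()}
        for r in dispose
    ]


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    Record("C-100", "customer", date(2010, 3, 1), trigger_event=date(2012, 6, 30)),   # due 2019-06-30
    Record("C-101", "customer", date(2018, 1, 15)),                                   # contract still active
    Record("E-200", "employee", date(2005, 9, 1), trigger_event=date(2013, 2, 28), legal_hold=True),
    Record("L-300", "marketing_lead", date(2016, 2, 29)),                             # due 2018-02-28
    Record("L-301", "marketing_lead", date(2019, 1, 1)),                              # due 2021-01-01
    Record("X-400", "unknown", date(2000, 1, 1)),                                     # unclassified
]
AS_OF = date(2020, 3, 30)


def run_example():
    """Return the record ids in each bucket as of AS_OF."""
    dispose, retain, on_hold = due_for_disposal(SAMPLE_RECORDS, AS_OF)
    ids = lambda rs: [r.record_id for r in rs]
    return ids(dispose), ids(retain), ids(on_hold)


if __name__ == "__main__":
    d, r, h = run_example()
    print("dispose:", d, "retain:", r, "on hold:", h)
    for entry in disposal_log(due_for_disposal(SAMPLE_RECORDS, AS_OF)[0], AS_OF):
        print(entry)
```

The two deliberate choices are the ones that make an automated process defensible: records the schedule cannot classify are retained rather than silently destroyed, and a legal hold is checked after eligibility so the audit log shows the record was due but held, not forgotten. The secure destruction itself (wiping, key destruction for encrypted stores, certified shredding for paper) happens downstream of the `dispose` list and is out of scope here.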
With new privacy laws on the horizon in Brazil, India, and possibly a federal law in the US, are there any common themes?
Between time, money and resources, most organizations can’t analyze every new law. However, there are four common themes I’m seeing in privacy laws:
- Organizations must disclose what data is collected and how it is processed, via a privacy notice. Before you can disclose what you do with personal data, though, you have to know where it is and how your company uses it, which you can achieve through a data mapping exercise. Data mapping will also help you focus protection measures on the information considered high risk.
- Individuals now have more rights to control their personal data. Organizations need to be aware of individuals’ rights including opt-in consent, the right to have data deleted or corrected, and the right to prohibit the sale of personal data.
- Standards for protection of personal data must be implemented. This means organizations need to get the right people engaged and trained on at least the basics of privacy law and information security. If this is not done, organizations could face high penalties for putting personal data at risk. Consider appointing privacy ambassadors within your organization, and encouraging employees to seek training from organizations like the International Association of Privacy Professionals (IAPP).
- Organizations must perform due diligence for third parties handling personal data on their behalf. This is not the time to accept a “gentlemen’s agreement”; a written contract is a requirement. Consider what the worst case scenario could be. Require that your organization be immediately notified in the event of a breach, and that it is protected from liability if there are claims.
Whether your organization is working to protect sensitive information or comply with new privacy laws, ILM is a key part of your success.