Information Governance

Taking Care of Business: Keeping Up with Data Privacy Regulations

Since adoption of the EU’s General Data Protection Regulation (GDPR) in 2016, government entities around the word have been proposing and implementing new data privacy measures with increasing frequency. In the U.S., several individual states are currently addressing the issue of citizens’ data privacy rights, with California and New York both recently approving new statewide regulations. Each of these directives imposes certain duties on businesses, significantly impacting the methods and processes used to manage information in their possession. For many corporations, such new data privacy rules and regulations will come at great financial and organizational expense.

In planning on how to prepare for and comply with these new regulations, it is critical to establish a proper framework that relies on a combination of people, process, and technology. Organizations should also consider why and how they are subject to regulation, and which laws will have unique impact on their business based on their industry. For example, healthcare and life sciences providers are heavily regulated in comparison with other industries.

It is also important to understand that business communications in the United States are not afforded the same level of data privacy protection as personal communications. Because U.S. law dictates that employers are vicariously liable for the actions of their employees, however, organizations have the right to control access to information transmitted via company devices. This means that when litigation arises in the United States, employers need not seek employee consent to search through an individual’s electronic business communications and emails. (This process differs in other countries, which often afford a greater level of privacy protection.)

Accordingly, concerns regarding the use of personal data, and the lack of transparency as to what was happening with that data when in the possession of an organization, have given rise to increased calls for additional data privacy rights in the United States. Individual privacy rights are being championed in the U.S. in part as the result of such exposed practices as the sale of personal data to third-party analytics companies. In addition, a growing spate of cybersecurity violations has resulted in calls for increased protection of personally identifiable information (PII). Exposing information that can lead to identify theft is a great concern in the current business climate, and data privacy regulations are designed to punish actors for failing to adequately protect against fraud and cybercrime.

In 2012, the Obama administration proposed a Consumer Privacy Bill of Rights, which failed to gain much traction in Congress. However, the principles outlined in the proposed Bill of Rights are being considered in the development of a possible framework for future federal privacy regulations, which would be enforceable by the Federal Trade Commission. The seven outlined principles that a data privacy regulation should serve to address are individual control; transparency; respect for context; security; access and accuracy; focused collection; and accountability.

When it comes to addressing new privacy regulations, technological advances both create challenges and offer solutions. For example, instant message communication platforms that are commonplace in corporate environments collect huge stores of “ephemeral,” or temporarily available, data. While existing legal and records management requirements already impact how organizations must govern official business communications, it is much more complex to address data that exists only temporarily but still must be preserved if a legal or regulatory obligation attaches to that information. Determining whether discoverable content exists within ephemeral forms of data, which also may trigger data privacy protections, is an issue that necessitates organizational examination of internal data governance practices.

Implementing a framework for data privacy compliance will serve as a multifaceted benefit to organizations, as the types of data governance controls required help shape greater understanding of an organization’s disparate data landscape. Compliance with data privacy regulations requires insight into several factors:

Important Factors for Compliance with data privacy regulations

Having the ability to answer these questions will provide value to an organization for reasons that stem beyond just data privacy, including regulatory compliance, e-discovery, knowledge management, data mapping, data security, and user rights management. With the proper compliance practices in place, organizations can ensure more efficient data governance, while reducing risks and costs.

As new forms of communication continue to arise, organizations will face new challenges in effectively managing these types of information. Managing information at the micro-level of metadata attributes will help identify data in need of privacy protection, and further protect privacy rights. Technology that identifies the existence of sensitive data attributes can help establish compliance with a range of legal and regulatory obligations. One organizational technique used to ensure that privacy rights are adequately protected involves granting access based on different levels of security settings — from a redacted version to the complete document.

It is also critical for organizational health to protect communications containing PII and to safeguard other sensitive information in an organization’s possession and control, while at the same time preserving a reasonable expectation of privacy for certain data.

Taking steps to implement procedures and practices for identification and management of the information in your organizational control may continue to require customized solutions with workflow plans. Various stakeholders are impacted by data privacy practices. It is essential to have a consistent solution that reaches across different groups or departments in your organization.

For more information on data privacy regulations, be sure to check out Knovos’ recent webinar presented in partnership with Today’s General Counsel: Shielding Your Organization from Data Privacy Nightmares.

Document Collaboration

How to Identify and Evaluate an Enterprise DMS: Part 1

When selecting a document management system (DMS) to assist with various organizational requirements, enterprises should seek a multi-pronged solution — one that functions as both a secure collaboration platform and document repository, enables automated information management and classification, and is highly compatible and scalable.

The need to identify the right DMS for your organization is more important now than ever, with the exponential growth in digital data and documents generated across an enterprise demanding solutions that efficiently manage information while saving costs and increasing productivity.

A truly effective DMS delivers a seamless collaboration experience while enabling enterprises to securely manage their critical documents using advanced encryption algorithms and granular permission-based access control. Other features of a quality DMS include an automated document approval workflow, as well as the ability to easily download, edit, share, and electronically sign documents.

Specific considerations for DMS evaluation

Enterprises face a vast number of challenges that stand to benefit from the use of a DMS:

  1. Facilitating collaboration among a large number of geographically dispersed employees
  2. Meeting multilingual communication demands
  3. Handling a wide array of products across multiple verticals
  4. Navigating different file formats for document storage
  5. Managing documentation with multiple organizational stakeholders
  6. Conforming with legal, statutory, and regulatory requirements
  • Scalability & Accessibility

    It is essential to select a DMS that can efficiently handle a growing number of employees and the variety of organizational changes associated with such expansion. The solution architecture must be scalable in terms of hardware and software and readily flexible to match future requirements. The ability to access the DMS through a mobile device provides users better flexibility to work on the go.

  • Security

    Safeguarding confidential documents and protecting them from unauthorized access is another critical consideration when selecting a DMS. The system must employ the latest security standards, including high-end encryption algorithms that encrypt documents while at rest or in transit. Other essential features include in-built, permission-based access controls to restrict unauthorized access, secure communication channels, and Q&A functionality.

  • Intuitive structure

    An intuitive solution design leads to easy comprehension of information and well-organized management of documents. Complex user interface designs, intertwined processes and workflows, and disorganized information can easily perplex users and reduce workforce productivity. The DMS must be easy to set up and use, with a manageable learning curve.

  • Integration

    The DMS must also offer seamless integration capabilities to ensure a smooth transition or collaboration experience while working with any existing or third-party applications. This will help ensure process efficiency and excellent customer experience.

Conducting extensive research using the above-mentioned factors to identify the most appropriate DMS can help enterprises improve productivity, enhance collaboration, promote paperless processes, and ensure greater data control and security.