Since adoption of the EU’s General Data Protection Regulation (GDPR) in 2016, government entities around the world have been proposing and implementing new data privacy measures with increasing frequency. In the U.S., several individual states are currently addressing the issue of citizens’ data privacy rights, with California and New York both recently approving new statewide regulations. Each of these directives imposes certain duties on businesses, significantly impacting the methods and processes used to manage information in their possession. For many corporations, such new data privacy rules and regulations will come at great financial and organizational expense.
In planning on how to prepare for and comply with these new regulations, it is critical to establish a proper framework that relies on a combination of people, process, and technology. Organizations should also consider why and how they are subject to regulation, and which laws will have unique impact on their business based on their industry. For example, healthcare and life sciences providers are heavily regulated in comparison with other industries.
It is also important to understand that business communications in the United States are not afforded the same level of data privacy protection as personal communications. Because U.S. law dictates that employers are vicariously liable for the actions of their employees, however, organizations have the right to control access to information transmitted via company devices. This means that when litigation arises in the United States, employers need not seek employee consent to search through an individual’s electronic business communications and emails. (This process differs in other countries, which often afford a greater level of privacy protection.)
Accordingly, concerns regarding the use of personal data, and the lack of transparency as to what was happening with that data while in the possession of an organization, have given rise to increased calls for additional data privacy rights in the United States. Individual privacy rights are being championed in the U.S. in part as the result of such exposed practices as the sale of personal data to third-party analytics companies. In addition, a growing spate of cybersecurity violations has resulted in calls for increased protection of personally identifiable information (PII). Exposing information that can lead to identity theft is a great concern in the current business climate, and data privacy regulations are designed to punish actors for failing to adequately protect against fraud and cybercrime.
In 2012, the Obama administration proposed a Consumer Privacy Bill of Rights, which failed to gain much traction in Congress. However, the principles outlined in the proposed Bill of Rights are being considered in the development of a possible framework for future federal privacy regulations, which would be enforceable by the Federal Trade Commission. The seven outlined principles that a data privacy regulation should serve to address are individual control; transparency; respect for context; security; access and accuracy; focused collection; and accountability.
When it comes to addressing new privacy regulations, technological advances both create challenges and offer solutions. For example, instant message communication platforms that are commonplace in corporate environments collect huge stores of “ephemeral,” or temporarily available, data. While existing legal and records management requirements already impact how organizations must govern official business communications, it is much more complex to address data that exists only temporarily but still must be preserved if a legal or regulatory obligation attaches to that information. Determining whether discoverable content exists within ephemeral forms of data, which also may trigger data privacy protections, is an issue that necessitates organizational examination of internal data governance practices.
Implementing a framework for data privacy compliance will serve as a multifaceted benefit to organizations, as the types of data governance controls required help shape greater understanding of an organization’s disparate data landscape. Compliance with data privacy regulations requires insight into several factors:
Having the ability to answer these questions will provide value to an organization for reasons that stem beyond just data privacy, including regulatory compliance, e-discovery, knowledge management, data mapping, data security, and user rights management. With the proper compliance practices in place, organizations can ensure more efficient data governance, while reducing risks and costs.
As new forms of communication continue to arise, organizations will face new challenges in effectively managing these types of information. Managing information at the micro-level of metadata attributes will help identify data in need of privacy protection, and further protect privacy rights. Technology that identifies the existence of sensitive data attributes can help establish compliance with a range of legal and regulatory obligations. One organizational technique used to ensure that privacy rights are adequately protected involves granting access based on different levels of security settings — from a redacted version to the complete document.
It is also critical for organizational health to protect communications containing PII and to safeguard other sensitive information in an organization’s possession and control, while at the same time preserving a reasonable expectation of privacy for certain data.
Taking steps to implement procedures and practices for identification and management of the information in your organizational control may continue to require customized solutions with workflow plans. Various stakeholders are impacted by data privacy practices. It is essential to have a consistent solution that reaches across different groups or departments in your organization.
For more information on data privacy regulations, be sure to check out Knovos’ recent webinar presented in partnership with Today’s General Counsel: Shielding Your Organization from Data Privacy Nightmares.