This write-up is a companion piece to a previous blog by Bill Tolson, President at Tolson Communications LLC., “The Evolving Data Privacy Landscape: Trends in Data Privacy Laws.” This post will tie the emerging data privacy law requirements discussed in the last blog into the new data privacy laws that will affect how organizations change their information management.
Data privacy laws are becoming increasingly prevalent and disruptive for businesses across many industries. Corporate leaders such as Chief Privacy Officers, Chief Information Security Officers, Chief Information Officers, General Counsels, Chief Technology Officers, and Chief Compliance Officers will all face new job descriptions and responsibilities. However, information managers will bear the brunt of new process changes.
As more digital information is collected, stored, shared, used, processed, and sold by businesses, fully embracing the new data privacy environment will become a corporate imperative. Because individual states are quickly adopting new (and differing) data privacy laws, corporations across the globe will see increased legal action by state Attorneys General and state privacy agencies, not to mention by individual data subjects where a private right of action exists.
Since the passage of the European Union’s GDPR and California’s CCPA/CPRA, governments at all levels have become much more focused on citizen data privacy and security. These new privacy laws were created to protect the rights and interests of individuals (data subjects) regarding their personal and sensitive data, such as electronic health records (EHR) and other personally identifiable information (PII) — including biometric identifiers and online behavior.
However, corporations have been slow to realize that data privacy laws also pose significant challenges (and risks) for managing and securing PII. The new data risk landscape means that information managers must scramble to come up to speed on data privacy quickly.
The EU’s GDPR has paved the way
One of the main impacts of data privacy laws on the information management profession is the need to comply with a wide range of, and sometimes conflicting, regulations and legal responsibilities across industries and jurisdictions. For example, the GDPR is one of the world’s most comprehensive and stringent data privacy and protection frameworks, and it affects far more than European Union companies. Any company that collects or processes the personal data of people in the EU, regardless of where the organization is located, must abide by the GDPR’s requirements. This means that US organizations collecting EU PII are also subject to the GDPR rules and fines.
The European Union takes citizen data privacy extremely seriously. Through the GDPR (and Article 8 of the EU Charter of Fundamental Rights) the EU treats the protection of personal data as a fundamental right. The GDPR grants data subjects various rights over their data, such as the right to:
- Access and review their data
- Rectify mistakes
- Delete PII held by the organization if there are no regulatory or legal holds on the data (also called the right to be forgotten)
- Restrict the processing of their PII, and receive a copy of it in a portable format
- Not be subject to decisions based solely on automated processing, including profiling (Article 22)
- Object to the processing of their PII, including its use or disclosure to third parties for direct marketing
It also imposes obligations on data controllers and processors, such as:
- Obtaining consent on using their PII
- Conducting data privacy impact assessments
- Providing for straightforward data subject access requests
- Implementing security measures “appropriate” to the risk (Article 32)
- Reporting breaches
- Appointing data protection officers
Failure to comply with the GDPR can result in fines of up to 20 million euros or 4% of global annual turnover, whichever is higher.
All these rights and obligations will also affect how information is managed, stored and protected.
The US feds are lagging, but states are catching up
Conversely, the United States does not yet have a federal data privacy law that covers all US citizens, companies, sectors, and activities. Instead, it has a patchwork of federal and state laws regulating specific data types or industries, such as the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), and the New York SHIELD Act. On a positive note, the US House of Representatives has been pushing for a US-wide data privacy bill called the American Data Privacy and Protection Act (ADPPA).
Many industry pundits believed the ADPPA had the best chance of making it into law; however, that still remains in question. The ADPPA was reported out of the House Energy and Commerce Committee on an unheard-of 53-2 vote in July 2022. However, the ADPPA has not yet been brought to the House floor for a full vote. If passed in the House, the next step would be to move the ADPPA to the US Senate for a vote. The bottom line is that businesses are pushing for the ADPPA to eventually pass with a preemption provision that would override the state laws, so that companies have one US data privacy law to follow instead of potentially 50 state laws.
State data privacy laws are on the rise
As previously mentioned, the states have not been idle. As of this writing, eleven state data privacy laws have been passed into law. These laws vary in scope, definitions, requirements, exemptions, enforcement mechanisms, and penalties, but all reach beyond their state borders: they apply to any business, wherever located, that collects and uses their residents’ PII above the law’s applicability thresholds.
Moreover, many of these state laws can conflict with each other or with foreign data privacy laws. For example, the CCPA grants California residents the right to opt out of the sale of their personal information to third parties, whereas the GDPR has no opt-out concept for “sale” at all and instead restricts any transfer of personal data outside the EU to transfers covered by an adequacy decision, standard contractual clauses or another approved safeguard (explicit consent is only a narrow fallback). Another deviation is the CCPA’s private right of action, which allows a data subject to sue a company directly instead of waiting for the state Attorney General to take legal action; note that this right is limited to data breaches that result from a failure to maintain reasonable security. California’s data privacy laws (so far) are the only state laws that include a private right of action.
Information management professionals are now on the front line
Because of this growing network of differing federal and state data privacy laws, information management professionals will need to be aware of the differing data privacy law requirements that apply to their organization’s activities and operations so they can ensure their procedures, technology, and training activities address and comply with the legal requirements accordingly.
This preparation could involve:
- Conducting PII audits
- Assisting IT and legal with data searches
- Adapting to new role-based access controls and zero-trust architectures
- Assisting with building enterprise data maps and data flows
- Updating policies and procedures
- Implementing technical and organizational safeguards
- Obtaining ongoing legal advice
- Training staff on the new and changing privacy laws
Another impact the new data privacy laws will have on information managers is balancing the protection of PII with utilizing that data for various business purposes. Data is a valuable asset that can provide insights, innovation, efficiency, and competitive advantage for organizations, but it can also be a huge liability.
Many data privacy laws require that the collection and use of PII be limited to what is necessary and relevant for the originally stated purpose. For example, a company should not demand far more of a customer’s PII than an email address in order to subscribe them to a newsletter; many regulators would consider this an overreach. Furthermore, data privacy laws grant individuals the right to object to the processing of their personal data for direct marketing. Therefore, information management professionals must ensure that they have an explicit and lawful basis for collecting, storing and processing PII.
Additionally, information management professionals must adopt a data minimization approach, which means collecting only necessary PII, using it only for what is intended based on the consent received, and deleting it when it is no longer required. A third impact of data privacy laws on information management is the need to ensure the security and integrity of personal data throughout its lifecycle. Data privacy laws require that personal data be protected from unauthorized or unlawful access, use, disclosure, alteration, or destruction. Most state data privacy laws use the same terminology for data security requirements – data collectors and processors must “maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.”
Using the term “reasonable” in the data security provisions of the state data privacy laws leaves a lot of room for interpretation and should be tightened up in future amendments.
Data security provisions will become more prescriptive
The data security requirements apply not only to storage devices and systems but also to transmission channels and networks. For example, the GDPR requires that appropriate technical and organizational measures be taken to ensure a level of security appropriate to the risk posed by the processing. It also requires that a personal data breach be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and that affected individuals be notified without undue delay when the breach is likely to result in a high risk to them.
Due to these non-prescriptive data security requirements, information management professionals must implement robust security policies and practices to always safeguard personal data.
This may involve:
- Encrypting data
- Using strong passwords
- Limiting access rights
- Utilizing role-based access controls
- Requiring multi-factor authentication for access
- Monitoring activity logs
- Conducting regular backups
Additionally, information management professionals, along with corporate legal and the CISO, need to establish a breach response plan that outlines the steps to take in the event of a data breach, such as notifying the various governmental authorities, informing the individuals, isolating the affected systems, and investigating the cause and extent of the breach.
Data privacy laws will significantly impact the information management professional and require careful attention and change. Information management professionals must comply with different and sometimes conflicting regulations across jurisdictions, balance the protection of PII with the utilization of data for various purposes, and ensure the security and integrity of PII throughout its lifecycle.
Compliance will reduce legal risk and penalties, and enhance the organization’s reputation and trustworthiness as a responsible and ethical data steward.
Data privacy laws are uncovering a new inflection point
My last blog referenced the coming data privacy law/information management inflection point, which will be the primary driver for completely restructuring how all information is managed.
To review: An information management/compliance inflection point is a point in time when the regulatory landscape changes significantly, requiring organizations to make important changes to their compliance programs – including new technology capabilities.
This critical change can be due to several factors, such as new data privacy laws or regulations, changes in enforcement priorities, or technological advancements that make it easier to comply with regulations.
Regulatory compliance inflection points can have a major impact on businesses, both positive and negative. On the positive side, they can create new opportunities for companies to comply with regulations more efficiently and cost-effectively, which could set them apart from their competition.
In the case of the data privacy law/information management inflection point, all the current state laws (and, presumably, future ones) provide for the data subject to query an organization about several areas, including:
- What PII they have collected on them
- How their PII has been used
- If consent was granted for the PII collection
- Whether their PII has been used for profiling or automated decision-making
Data subjects also have the right to correct incorrect PII as well as the right to delete.
For organizations to be able to respond to these queries, the collecting organization must know where all the data subject’s PII is stored, especially for PII deletion requests. The right to deletion implies that if a data subject requests the erasure of their PII, the legal implication is that all the data subject’s PII is unrecoverably deleted — not just the easily found PII.
DSAR reporting requirements are absolute
Let’s look at an example of the dangers of the data privacy laws’ right to deletion and how most companies manage their information.
Suppose your organization receives a data subject access request (DSAR) asking your company to catalog and report on the PII you have collected on the data subject and how it has been used in the past. In this case, most organizations will search their enterprise systems, and if they find the requested PII, they can report on how it was used in the past, whether it has been sold to others and when.
In many cases, a PII deletion request will quickly follow. Those same organizations will again search the enterprise systems and delete all instances of that particular PII. They will then report to the data subject that all copies of their PII have been deleted. However, how would the IT department know for sure that all copies of PII have been deleted? What about employee laptops, workstations, smartphones, personal cloud accounts and removable media? Data subject PII could have transferred between sales or marketing employees working on customer lists for email campaigns, newsletters or call lists for sales.
Because of the new data privacy laws and accompanying data subject rights, organizations must start collecting and indexing ALL data created or received within the corporation. This means that data on laptops/workstations, etc., must also be captured, synced, and indexed so that when the organization responds to a PII deletion request, they can find all of it. This includes the data that has been ignored by information management/records management and left to the individual employees to deal with because it was not subject to regulatory retention requirements in the past.
If a company’s response to a PII deletion request is incomplete, and they don’t search employee devices and cloud accounts, they could potentially be non-compliant and risk receiving huge penalties and fines, not to mention terrible PR in the marketplace. To counter new data privacy law liabilities, companies will need to adopt new technology capabilities and employee processes that will enable them to access, index, and view all digital data in the organization — not just the 5% to 10% of data they have previously considered regulated records.
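The gap described above (the deletion report says “all copies deleted” while the laptop export and the USB backup were never searched) can be caught only if the erasure step is followed by an independent sweep over every known store, matching on normalized identifiers rather than exact strings. The following is an added example of such a sweep and is not code from the original post or from any vendor mentioned on this page. The three stores, the record layouts, the subject’s details and the helper names are constructed for illustration; the phone normalization assumes North American numbers.

```python
"""Added example: DSAR erasure sweep with post-deletion verification.

Constructed sample data and hypothetical store layouts; not code from the
original post. Every store, record and identifier below is made up.
"""
import copy
import re

# Constructed sample: the same person's PII sitting in three different stores,
# with the inconsistent formatting you actually find in the field.
SAMPLE_STORES = {
    "crm_db": [
        {"id": 101, "email": "Jane.Doe@Example.com", "phone": "+1 (555) 010-2000"},
        {"id": 102, "email": "bob@example.org", "phone": "555-010-3000"},
    ],
    "marketing_export_laptop": [
        {"id": "row7", "email": "jane.doe@example.com ", "phone": "5550102000"},
        {"id": "row8", "email": "carol@example.net", "phone": "5550104000"},
    ],
    "usb_backup_2021": [
        {"id": "b1", "email": "JANE.DOE@EXAMPLE.COM", "phone": "(555) 010 2000"},
    ],
}


def normalize_email(value: str) -> str:
    """Case and surrounding whitespace must not hide a match."""
    return value.strip().lower()


def normalize_phone(value: str) -> str:
    """Keep digits only; drop a leading US country code (assumption: NANP numbers)."""
    digits = re.sub(r"\D", "", value)
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits


NORMALIZERS = {"email": normalize_email, "phone": normalize_phone}


def subject_keys(subject: dict) -> set:
    """Normalized (field, value) pairs for every identifier the subject supplied."""
    return {(f, NORMALIZERS[f](v)) for f, v in subject.items() if f in NORMALIZERS}


def record_matches(record: dict, keys: set) -> bool:
    """A record is the subject's if ANY identifier matches after normalization."""
    for field_name, norm in keys:
        raw = record.get(field_name)
        if raw is not None and NORMALIZERS[field_name](raw) == norm:
            return True
    return False


def find_subject(stores: dict, subject: dict) -> dict:
    """Return {store: [record ids]} for every record matching the subject."""
    keys = subject_keys(subject)
    hits = {}
    for store, records in stores.items():
        ids = [r["id"] for r in records if record_matches(r, keys)]
        if ids:
            hits[store] = ids
    return hits


def erase_subject(stores: dict, subject: dict, in_scope: list) -> dict:
    """Delete matching records from the stores named in in_scope (mutates stores).

    Returns {store: [deleted ids]}. Stores outside in_scope are left alone,
    which is exactly how the incomplete deletion in the text happens.
    """
    keys = subject_keys(subject)
    removed = {}
    for store in in_scope:
        gone = [r["id"] for r in stores[store] if record_matches(r, keys)]
        if gone:
            removed[store] = gone
        stores[store] = [r for r in stores[store] if not record_matches(r, keys)]
    return removed


def verify_erasure(stores: dict, subject: dict) -> dict:
    """Independent sweep over EVERY known store; anything left makes the report false."""
    return find_subject(stores, subject)


def run_dsar_deletion(stores: dict, subject: dict, in_scope: list) -> dict:
    """Erase within scope, then verify across all stores. Works on a copy."""
    working = copy.deepcopy(stores)
    removed = erase_subject(working, subject, in_scope)
    residual = verify_erasure(working, subject)
    return {"removed": removed, "residual": residual, "complete": not residual}


if __name__ == "__main__":
    jane = {"email": "jane.doe@example.com", "phone": "555-010-2000"}
    # Enterprise-only scope: the laptop export and USB backup survive.
    print(run_dsar_deletion(SAMPLE_STORES, jane, in_scope=["crm_db"]))
    # Full scope: the verification sweep comes back empty.
    print(run_dsar_deletion(SAMPLE_STORES, jane, in_scope=list(SAMPLE_STORES)))
```

The important design point is that verification is a separate pass that does not trust the erasure step’s own scope: it re-runs discovery over the complete inventory of stores, so a deletion limited to “the enterprise systems” is reported as incomplete rather than silently signed off. Matching on any normalized identifier also means a subject who supplies only a phone number still surfaces records keyed by email.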
For information management professionals, this means they will be looking at managing far more electronically stored information than they have in the past.
This new information management requirement will also be a sensitive corporate culture issue for many employees. Most information workers consider the data they store on their company devices as “theirs” and under their control and management. Turning over control of that data will be challenging for employees, and IT should consider how they will convince the employee base to go along – willingly.
Change leads to more change
The global push toward data privacy as a human right affects every organization, regardless of industry. Information managers will become increasingly involved in setting information management policies and procedures and becoming an influencer for new technology adoption. Information managers would be well advised to become more engaged in transitioning to the coming inflection point.
About Bill Tolson
Bill Tolson is President of Tolson Communications LLC, an advisory and consulting firm. He has 25-plus years in the archiving, information governance, data privacy, data security, and eDiscovery industries. Bill has held executive leadership positions in a wide range of high technology organizations, from consulting firms and technology startups to multinationals. Companies include Contoural, Hewlett Packard, StorageTek, Iomega, Hitachi Data Systems, Recommind, Actiance and Archive360 where he was the Vice President of Global Compliance and eDiscovery for seven years.
Bill is a frequent speaker at legal and information governance industry events and has authored four eBooks including Email Archiving for Dummies, Cloud Archiving for Dummies, The Bartenders Guide to eDiscovery and the Know IT All’s Guide to eDiscovery. Bill has also authored 60 plus industry articles and hundreds of blogs as well as hosting 37 podcasts with industry pundits, subject matter experts, state legislators, and attorneys.
Smarsh® is the recognized global leader in electronic communications archiving solutions for regulated organizations. Smarsh provides innovative capture, archiving, e-discovery, and supervision solutions across the industry’s widest breadth of communication channels.
Scalable for organizations of all sizes, the Smarsh platform provides customers with compliance built on confidence. It enables them to strategically future-proof as new communication channels are adopted, and to realize more insight and value from the data in their archive. Customers strengthen their compliance and e-discovery initiatives and benefit from the productive use of email, social media, mobile/text messaging, instant messaging and collaboration, web, and voice channels.
Smarsh serves a global client base that spans the top banks in North America and Europe, along with leading brokerage firms, insurers, and registered investment advisors. Smarsh also enables state and local government agencies to meet their public records and e-discovery requirements. For more information, visit www.smarsh.com.