Data privacy and records management are two sides of the same coin. Both disciplines are concerned with the proper acquisition, transformation, analysis, use, management, retention and disposition of data, based on what the files truly are, meaning what their contents actually say. For this reason (among many to come in this post), Data Privacy and Records Management should be considered together.
It should be no big surprise, then, that many Information Governance professionals find themselves “suddenly” having to take on data privacy tasks in addition to records activities, typically without additional staff, budget or resources. The good news is that adding data privacy to the records plate helps increase the awareness and importance of good data hygiene, all while increasing the ROI of tools, staffing and systems, as well as reducing enterprise risk.
While there are many reasons that organizations acquire, create and store data, including financial/transactional, legal, and operational, it is crucial that they maintain compliance with all data protection laws and regulatory protocols. There are some serious consequences associated with being out of compliance, such as hefty fines and sanctions, access revocations, and business license forfeitures. Maintaining records and data privacy protocols together helps prevent these consequences from occurring.
How can this be done? Well, organizations need to balance Data Privacy with Records Management, or enhance Records Management with Data Privacy, if you prefer. To do this, they need clear policies, focused processes, applicable and performant tools, and possibly even consultative help.
Data Privacy and Compliance
Data Privacy refers to the collective actions of protecting personal and sensitive information from misuse, data breaches, and wrongful exposure. There are numerous regulations related to data privacy. Here are some important ones to know:
- General Data Protection Regulation (GDPR) – the sweeping 2018 EU law that governs citizens’ rights to know what data organizations hold about them, the ability to edit that data, and to request that the organization remove it (also known as the right to be forgotten)
- California Privacy Rights Act (CPRA) & California Consumer Privacy Act (CCPA) – CA state laws that give residents rights to access, delete, and opt out of the sale of their information and establishes an enforcement agency
- Health Insurance Portability and Accountability Act (HIPAA) – 1996 US federal law that protects the privacy and security of individuals’ medical information
Each of these are associated with strict rules regarding how sensitive data is collected, stored, used and handled. Organizations must comply with these regulations, or they will be held accountable. How? Well, organizations could experience fines and penalties; they could be subject to legal action; they could be audited or have business rights revoked; they could even be faced with criminal charges or sanctions. In addition, the consumers, patients, employees and the media hold organizations accountable in the “court of public opinion” or by “voting with their feet.”
The objective here is for organizations to be compliant by having stellar data privacy management practices which include secure acquisition and storage of data; policy-driven transformation, utilization and disposition; strict access controls; retention policies; and adherence to all litigation procedures (such as enacting legal holds).
Managing Records and Data Privacy Together
Organizations are faced with large volumes of data, which means that resources need to be used well. Given the overlap between data privacy and records management, it doesn’t make either logical or economic sense to treat or manage them separately. It does, however, make incredible sense to handle them together.
Here’s a look at how organizations can combine forces between them:
- Policies. Pay attention to data privacy policies. Laws evolve all the time, and organizations need to stay on top of how to be compliant. Consider adding criteria for sensitivity, provenance, and legal hold to your Records Retention Schedule.
- Data Classification. Combine efforts wisely by scanning and tagging content concurrently, hitting both areas at once. Classify for Record Class and Sensitivity simultaneously. While you are at it, why not rope in legal hold and AI readiness/suitability, too?
- Storage. Combine the concepts of data minimization (privacy concept) and data lifecycle (records concept) to set a minimum and maximum retention “window” for data. This dual ROI approach will optimize storage and remediation costs to ensure only appropriate information is kept long-term.
- Access Control. Monitor access control of data and records. Set up alerts reading for unusual activity. Keep detailed logs of who has access.
Automate Data Retention and Disposal
Another important point for successfully managing data privacy with records is that it helps to automate data retention and disposal. Organizations handle a lot of data and managing it all manually is a poor system because it can cause costly errors and oversights.
Both Data Privacy and Records Management have a vested interest in the proper and defensible deletion of corporate information. However, the Records point of view is typically how long may we defensibly keep this data (a viewpoint typically inherited from Legal and its former “keep everything” mentality), whereas the Data Privacy point of view is the typically the inverse – how quickly can we remove this data (a viewpoint inherited from Compliance and their inclination to reduce risk)?
It helps to automate the process, such as using an AutoClassification platform and working with a service provider like Valora. It improves the chances of compliance with data privacy laws and provides a defensible, demonstrable approach to data management practices.
Managing Data Privacy and Records shouldn’t be treated as individual efforts. They should be handled together as a single, cohesive approach that optimizes both objectives.
