Organizations with customers or operations in more than one country face a wave of new and proposed privacy and data protection laws. Traditional archiving approaches often fail to meet the patchwork of organizations’ requirements, forcing many to rethink how they manage information.
Business leaders should try to implement a comprehensive privacy program designed to meet new requirements without radically redesigning the program each time a new law is introduced.
While tempting, it would be a mistake for business leaders to draft a privacy policy but delay its implementation until additional regulatory clarity on new and proposed privacy and data protection laws is shared. Business leaders commit to how their organization will handle personal information by establishing a policy.
Failure to implement a policy or comply with data protection guidelines once adopted may be viewed by courts, regulators, customers, employees, and other stakeholders as bad faith in their commitment or, at worst, a deliberate attempt to undermine the new requirements. Business leaders can also face significant fines or other regulatory action if they fail to guarantee and demonstrate compliance.
Despite uncertain and unclear requirements, the challenge of implementing a privacy program or data protection guidelines can be addressed by meeting key needs for managing personal information. These requirements are shared by almost all international and local privacy laws and data protection obligations.
Implementing basic capabilities to identify, secure, manage, and selectively delete personal information that meets these requirements helps organizations comply with most, in some cases, of existing privacy regulations. Rather than implementing privacy and data protection law compliance piecemeal, organizations can address additional variations of a particular privacy law, usually with little effort.
1. Identification of Personal Information
All privacy regulations require organizations to identify what personal information is created, received, and shared with others. This includes tracking the workflow of personal information through and between different applications and determining where personal information is stored.
Many regulations also require organizations to track and report on who privacy information is shared, so it is essential to establish and keep an inventory of personal information up to date. Using a broader definition of personal information also protects organizations if current regulations defining personal information expand their scope in the future.
Organizations should also pay special attention to structured data in databases. All structured data repositories containing personal information must be identified, including older, outdated databases that may no longer be active. Organizations also need to look at the data flows between structured systems, both within the company and to third parties.
2. Securing Personal Information
Once identified, personal information must be secured against the potential breach or accidental disclosure. Typically, the greatest risk of a breach incident is not the large, centralized databases of customer information but personal data at the edge.
These can be extracted from databases on file shares and laptops containing customer list files. Many breaches also occur from locations believed not to have personal information, so employees must complete a thorough inventory of personal information to uncover unprotected personal information.
3. Scalable, Efficient Access Requests
Almost all new and emerging privacy laws have access request requirements. This allows consumers to find out what personal information a company has and who else it has been shared with. While the timeline for responding to access requests varies, they typically require a response within 30 to 45 days.
In addition, the response should relate to personal information in all locations, not just larger customer service applications. Any organization that receives more than a handful of these requests per week must be efficient with scalable processes for performing these queries.
4. Scalable Processes for Producing Personal Information
Many laws give data subjects the right to ask organizations to make copies of their personal information. To comply, organizations must be able to collect and produce reports from various sources and then consolidate this information into a single package.
5. Compliant Processes for Deleting Personal Information
Consumers and other data subjects have the right to have their personal information deleted or, in some cases, anonymized. To comply, organizations must not delete or delete records maintained under compliance regulations or data held by law. The organization must also be careful not to accidentally lose referential integrity with a database system during deletion, encryption, or de-identification.
Customers share their personal information with the confidence that organizations will effectively control it. Organizations that fail to protect personal information properly will lose the trust of their customers, while privacy capabilities implemented today will enable companies to run a better overall business tomorrow.
Any privacy compliance strategy must include the right technology. Businesses need systematic and preferably automated processes for tracking, managing, and securing all their personal information and continuing that tracking throughout the life of the data.