Expanding Data Brings Growing Risks
Companies today face a growing number of complex legal and regulatory obligations related to managing and protecting consumers’ personal data. At the same time, the total amount of personal data collected is increasing at a dramatic rate; Gartner estimates that 65% of the world’s population will have its personal data covered under privacy regulations by 2023. By implementing best-practice Information Governance solutions, organizations can mitigate these risks.
Limiting Potential Exposure and Damages
Privacy laws are expanding and evolving, and organizations’ risks are increasing significantly. Ungoverned personal data creates greater potential for non-compliant activity, such as unauthorized use, selling, or sharing. When organizations that retain personal data experience a data breach, their bottom lines, customers, and reputations all suffer. Consumers, government agencies, and courts will demand to know what specific data was impacted, and fines and enforcement actions may follow.
Facing Regulatory Scrutiny
The U.S. currently lacks any single data privacy and protection law. But state laws, federal regulation (such as FTC consumer protection), and industry regulation (such as HIPAA) are wide-reaching. The California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR) are coming to dominate the actions of other legislative and regulatory bodies. Enforcement actions under those laws are already underway, with fines in the millions of dollars, and organizations of all sizes face scrutiny.
Four U.S. states have already enacted consumer data privacy laws, and all states have laws requiring a response to data breaches. Certain U.S. industries are subject to specific regulations, including consumer finance, telemarketing, and healthcare. Even before a federal consumer privacy law is passed, the FTC is increasingly fining companies for data privacy and protection shortfalls, extending its consumer protection mandate to treat failures to protect personal data as subject to FTC action.
Regulators are also including more prescriptive Information Governance requirements in recent settlement agreements, directing companies to implement specific data privacy concepts such as “minimization” and “limitation”.
Providing Consumers Access to Their Personal Data
Increasingly, data privacy and protection laws give consumers rights regarding the personal data a company may hold about them, exercised through a Data Subject Access Request (DSAR). Consumers can ask an organization to correct, delete, or provide their personal information. A 2022 report by DataGrail found that U.S. businesses, on average, receive 30 DSARs monthly for each one million personal identities in their files, and manually processing a single DSAR costs $1,524, according to Gartner research.
Organizations will struggle to meet these requests, further increasing costs, if they do not have good Information Governance capabilities, including a solid understanding of what information they hold and reliable methods and effective tools to find it.
- Identify Internally Hosted Data – Strategy-based processes, with accompanying technology, to identify records and personal data in existing data stores, applications, and business tools.
- Identify and Review Externally Hosted Data – Procedures to identify “externalized” data subject to IG concerns (including cloud-based storage, SaaS, BYOD, and social media platforms) and apply IG policies and procedures to such data.
- Respond to Courts and Regulators – A consistent and coordinated legal and regulatory response process to records management and eDiscovery inquiries, working with IT and other “operations” functions, to assure that complete and necessary information is provided.
- IT Governance that Assures IG Requirements – IG standards, policies, and processes incorporated into IT Change and IT Asset Management governance and operations (such as SDLC processes) to assure that new and changing technology solutions remain in compliance with IG requirements (such as continuing to capture records in archives).
- Business and Geographic Data Regulation – A process that maps retention and data privacy requirements to its businesses and geographies, to identify the presence of records and personal data. (Can the organization identify all the requirements that apply to a particular business or geography? Can the organization identify all the businesses or locations to which a requirement applies?)
Solutions are built from a comprehensive set of Information Governance capabilities utilizing our proprietary IG Operating Framework.