As data privacy laws such as GDPR and CCPA have gone into effect, organizations that need to comply have put policies in place to manage their data, particularly relative to privacy regulations and information management requirements.
However, what we’ve seen is that while organizations may be good at implementing these policies, many fall short when what they are actually doing is tested. They lack the program — of people, process, and technology — to operationalize the policies. And so, when regulators come in and ask for proof, fines for noncompliance often follow.
In 2020, for example, there were more than €171 million ($210 million U.S.) in fines related to GDPR. And while enforcement of CCPA only started July 1, 2020, and its impact on fines is not yet clear, in general it is safe to say that the more data privacy measures come under scrutiny, the more fines we can expect to see.
In addition, as existing data privacy laws evolve, organizations may be at added risk of noncompliance due to new or changing regulations.
So, what can organizations do to keep up with changes and ensure compliance with data privacy requirements?
Why cybersecurity alone is not enough to satisfy data privacy laws
With cybersecurity dominating the headlines and affecting people both personally and at work, it is understandable that data protection and information security are the top priority for most organizations. In fact, they are a core requirement for doing business in a number of highly regulated industries, such as healthcare, telecommunications, and the financial sector.
In many organizations, the tasks of safeguarding data and managing data breaches — two of the core elements of many global privacy laws — fall neatly into their ongoing cybersecurity and information security efforts.
In addition, some organizations put governance in place to help manage the growing volume of data — establishing rules and processes to ensure their data is more controlled and not “all over the place.” Coupling this governance with cybersecurity policies and technology, these organizations may be confident they’ve also addressed their data privacy requirements.
But while cybersecurity does satisfy requirements for some aspects of data privacy needs, it does NOT address the regulatory and data privacy law requirements for recordkeeping and ongoing data management (such as disposal).
And while cybersecurity grabs all the attention, recordkeeping is often what sabotages data privacy compliance — something organizations are often not aware of until a regulator comes in and raises a red flag.
The vital link between IG, recordkeeping, and cybersecurity
Don’t get us wrong: Cybersecurity IS critically important. But good information governance (IG) and recordkeeping go hand in hand with cybersecurity in achieving regulatory compliance.
For instance, having a secure wall around your data is little help if your organization doesn’t know where information is and how to respond effectively when there is a request from a regulator. And retaining data you no longer need just increases risk IF your cybersecurity defenses are breached.
You also need to operationalize governance inside the wall, putting strong controls in place to address the recordkeeping and information management aspects of data privacy compliance.
In addition to meeting the fundamental requirements of data privacy regulations as they are today, organizations must plan for compliance with new laws and keep up with changes to existing data privacy laws. And keeping up with these evolving data privacy needs is yet another area where information governance is key.
Putting the right people, processes, and technologies in place
You can begin by reassessing the recordkeeping properties of your data governance, policies, and procedures to ensure they fully align with the data privacy requirements of GDPR, CCPA, and other regulations your organization may be subject to. That involves determining:
- What personally identifiable information (PII) you have
- Where it is located
- How it is stored and accessed
- Who has access to it (and why)
- How to respond to requests related to PII
- When you can and should dispose of it
- How you’ll track and document the lifecycle
Once you have thoroughly documented what information the organization has, you can implement the right people, processes, and technologies to operationalize recordkeeping — including information classification, retention, disposal, and other aspects of defensible disposition — across the organization.
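To make the checklist above concrete, here is a small added example (written for this page, not code from the original article or from any vendor) of a PII inventory that can answer each of those questions: what PII exists, where it lives, who can read it and why, which datasets are past their retention period, and an audit trail of lifecycle events. All dataset names, systems, roles, dates, and retention periods are constructed sample values. It also handles the edge case that matters for defensible disposition: a dataset under legal hold is never listed for disposal, even when its retention period has lapsed, but is surfaced for review.

```python
"""Added example: a minimal PII inventory with retention, disposal and access
reporting. Every value below is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Dataset:
    name: str                 # dataset identifier (constructed)
    system: str               # where it is located
    pii_fields: Tuple[str, ...]   # which fields hold PII
    owner: str                # team accountable for the data
    readers: Dict[str, str]   # role -> documented reason for access
    retention_days: int       # how long after last business use it may be kept
    last_used: date           # last business use (constructed sample date)
    legal_hold: bool = False  # disposal is suspended while under hold


# Constructed sample inventory; in practice this comes from discovery tooling
INVENTORY: Tuple[Dataset, ...] = (
    Dataset("crm.customers", "crm-db", ("name", "email", "phone"), "sales-ops",
            {"sales": "account management", "support": "ticket handling"},
            retention_days=365 * 3, last_used=date(2017, 6, 1)),
    Dataset("hr.applicants", "ats-saas", ("name", "email", "address", "resume"), "hr",
            {"recruiters": "hiring decisions"},
            retention_days=180, last_used=date(2020, 12, 15)),
    Dataset("billing.invoices", "erp", ("name", "address"), "finance",
            {"finance": "bookkeeping", "auditors": "statutory audit"},
            retention_days=365 * 7, last_used=date(2020, 11, 30)),
    Dataset("marketing.leads", "marketing-saas", ("email",), "marketing",
            {"marketing": "campaigns"},
            retention_days=365, last_used=date(2019, 1, 10), legal_hold=True),
)


def is_expired(d: Dataset, today: date) -> bool:
    """True when the dataset's retention period has lapsed."""
    return today - d.last_used > timedelta(days=d.retention_days)


def retention_review(inventory, today: date) -> Dict[str, List[str]]:
    """Split expired datasets into those safe to dispose of and those kept only
    because of a legal hold (which need review, not deletion)."""
    review = {"dispose": [], "hold_review": []}
    for d in inventory:
        if not is_expired(d, today):
            continue
        review["hold_review" if d.legal_hold else "dispose"].append(d.name)
    return review


def where_is(inventory, pii_field: str) -> List[Tuple[str, str]]:
    """Locate every dataset and system holding a given kind of PII; this is the
    lookup behind an access or deletion request."""
    return sorted((d.name, d.system) for d in inventory if pii_field in d.pii_fields)


def access_register(inventory) -> Dict[str, List[Tuple[str, str]]]:
    """Role -> (dataset, documented reason): answers 'who has access and why'."""
    register: Dict[str, List[Tuple[str, str]]] = {}
    for d in inventory:
        for role, reason in d.readers.items():
            register.setdefault(role, []).append((d.name, reason))
    return register


def record_event(log: List[dict], dataset: str, action: str, when: date, actor: str) -> List[dict]:
    """Append an entry to the lifecycle audit trail; the trail is the evidence
    produced when a regulator asks for proof of what was done and when."""
    log.append({"dataset": dataset, "action": action,
                "when": when.isoformat(), "actor": actor})
    return log


if __name__ == "__main__":
    today = date(2021, 3, 1)
    print(retention_review(INVENTORY, today))
    print(where_is(INVENTORY, "email"))
    print(access_register(INVENTORY))
    trail = record_event([], "crm.customers", "disposed", today, "records-mgmt")
    print(trail)
```

The separation between `dispose` and `hold_review` is the design choice worth noting: a disposal job that only checks the retention clock will delete data the organization is obliged to preserve, so the hold flag is evaluated before the age of the data, and expired-but-held datasets are reported rather than silently skipped.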
In addition, good governance and recordkeeping are key to recovery in the event of a data breach or other failure of cybersecurity. They help you determine what information is affected, who needs to be notified, and where you may be able to reduce risk by improving your data retention and disposal strategy.
Maintaining data privacy compliance for the long term
Of course, organizations also need the ability to adapt their current governance, policies, and processes to new laws and evolving data privacy requirements.
For instance, in late 2020, California voters approved an amendment to the recently enacted CCPA; the California Privacy Rights Act (CPRA) expands the privacy rights of state residents and puts additional restrictions on how organizations can use residents’ PII.
That is where an information governance program allows you to build an operating model you can expand or tweak in response to evolving privacy laws — adjusting what you are already doing to efficiently manage new or changing requirements, such as CPRA and other mandates.
To learn more about how information governance (IG) can help you achieve and maintain data privacy compliance, please contact lynn@bernsteindatao.wpenginepowered.com, or watch our on-demand webinar on operationalizing data privacy in a changing enforcement environment.