This blog posting describes a webinar entitled “Data Privacy – Learn What It Takes to Protect Your Information” offered by AIIM. The speakers included Greg Reid, CEO of InFuture LLC and Rich Lauwers, InfoGov SME, Hewlett Packard Enterprise. The statements made by the presenters are summarized below.
Rich Lauwers began by describing data privacy as the intersection of information security, information governance, and the law. Organizations need to develop a policy-based framework to protect privacy. This framework includes business policy, IT policy, and records policy. You have to manage information through a business process, and you also need the ability to respond to legal holds on information at the operations level. These core services are the framework that allows you to do many other things. When you know what business rules apply to your information at the enterprise level, you can apply them across the organization at the operations and application levels. The hope is that once these rules are in place you can automate the processes.
Greg Reid’s objective was to provide a lot of detail about privacy obligations and then to step back and give a higher-level overview of what organizations can do to meet privacy regulations. He began with a discussion of the Federal Trade Commission. The FTC has made “reasonable data security and information governance” a legal requirement and expects companies to inventory their personal information (PI), to minimize the data stored to what is needed for business purposes, to lock down PI, to dispose of PI when it is no longer needed, and to plan ahead for a data breach. The FTC can impose fines on companies that fail to meet these obligations. A good electronic records management system can help organizations meet these requirements.
Rich described the GDPR (General Data Protection Regulation) enacted by the EU. The whole idea of the GDPR is that the EU is trying to protect its citizens’ data, and it is a response to perceived gaps in other countries’ data protection requirements. This is a broad-based, far-reaching set of rules that can be a challenge for some industry sectors to tackle. The GDPR is an evolution of the 1995 Data Protection Directive (95/46/EC), one of the first major data protection rules in the world. The GDPR takes effect in May 2018, although some countries are moving faster. The obligations included in this legal framework include:
- Data protections must be built into the system “By Design and by Default”
- Data must be secured using technical means
- A determination must be made almost immediately (the regulation gives 72 hours to notify the supervisory authority) as to whether a data breach is likely to result in a “high risk to the rights and freedoms of the natural person,” so a technical environment must be in place to identify, track, and assess such breaches
- Numerous other Recitals and Articles have information governance expectations and demands
It is important for companies doing business in Europe to understand the obligations under this regulation because the infringement fines for the GDPR are substantial.
There are also privacy regulations that apply to specific industries. For example, HIPAA/HITECH apply to the healthcare sector, the Gramm-Leach-Bliley Act applies to the financial sector, and numerous US states have state-level privacy regulations. It is important for companies to understand which regulations they are required to follow based both on their industry sector and on the geographic regions in which they operate. Different laws may require that personal information be handled differently, so IT teams may have to build systems that meet multiple sets of requirements at once.
There are, however, several key commonalities that exist between many of the privacy laws and regulations around the world. These include:
- Most privacy laws demand administrative PI data controls
- System designs and builds that integrate privacy and information governance as an early part of the SDLC
- Anonymizing or pseudonymizing data structures
- Data minimization/retention policies and automated data deletion/disposal processes
- Accurate inventories of personal data types, their locations/technologies, and their owners
- Technical environments secured using “reasonable,” “practicable,” “industry-standard,” “state-of-the-art,” “readily available” technologies and procedures (e.g., two-factor authentication for administrators)
- Breach prevention, preparation, notification, and response technologies and processes
This is a complex environment. Legal and regulatory obligations need to be centralized and applied throughout the data management lifecycle. One of the biggest barriers the presenters have found is that personal data is insidious: it ends up in many different places and it tends to creep. In addition to living in records management systems, it shows up on user laptops and mobile devices, in email, on paper, on shared drives and file servers, on external shared drives, and on social media. Privacy laws don’t care where the information was shared; if a breach occurs you are still responsible for it, so all of these locations need to be secured. One of the best things a company can do is run a data minimization project. Get rid of what you don’t need: if you don’t have it, it can’t be lost, stolen, or used against you in a court of law. This data minimization concept appears in privacy legislation around the world. AIIM refers to this as records management.
You need to think about the information that you are sharing with your vendors. You need to make sure that you have provisions in your data sharing agreements that clearly describe protection and disposal of personal information.
An example of a source of PI to watch out for is log files. Log files routinely contain personal information (IP addresses, usernames, email addresses), so you need to develop policies for how long to retain them and how to strip or pseudonymize the identifiers they carry. If you transfer log files from the EU to the US without a valid transfer mechanism such as Privacy Shield (since invalidated by the CJEU in 2020, so another mechanism such as standard contractual clauses is now needed), you could be performing an illegal transfer.
When we do systems design there is a system life-cycle that goes from design all the way through disposition. You need to include privacy and information governance at the very beginning at the systems development phase. If you don’t take into account privacy, information security, and information governance in the early design phases, then your systems won’t meet privacy requirements and it will cost a lot of money to go back and redesign them.
Rich provided an overview of a policy-based secure content management system. Such a system requires several key elements. The first is the ability to perform file and content analysis. The second is document classification. The third is data extraction and application retirement mechanisms. The fourth is data masking. Together these elements allow you to identify information and manage its lifecycle, and they are achievable today. Organizations are undertaking efforts to identify PI and build automated procedures that deal with it on a regular basis, so that manual effort can be reserved for “exceptional” items rather than routine ones. The financial services industry, for example, has been particularly active in implementing automation tools.
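As an added illustration of the content-analysis, classification, and masking elements just described, applied to the log-file retention problem raised above, here is a small Python script. It is not code from the webinar, AIIM, or either presenter. It scans constructed sample log lines for two common PI types (email addresses and IPv4 addresses), classifies each line, drops lines older than a retention window, and pseudonymizes the identifiers that remain with a keyed HMAC so that the same user maps to the same token without the original value being recoverable without the key. The regexes, the 90-day window, the key, and the sample lines are all assumptions chosen for the example.

```python
import hmac
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines for the example (not from any real system).
SAMPLE_LOG = """2017-03-01T10:15:02Z INFO login user=alice@example.com ip=203.0.113.7 status=ok
2017-03-02T11:00:45Z WARN login user=bob@example.org ip=198.51.100.23 status=fail
2017-06-20T08:30:00Z INFO health check=ok
2017-06-21T09:12:10Z INFO download user=alice@example.com ip=203.0.113.7 file=report.pdf"""

# Assumed "current time" and retention window for the example.
NOW = datetime(2017, 7, 1, tzinfo=timezone.utc)
RETENTION_DAYS = 90

# Assumed detectors: simplistic patterns for email and dotted-quad IPv4.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_pi(line):
    """Content analysis: return the PI tokens found in a line, grouped by type."""
    return {"email": EMAIL_RE.findall(line), "ip": IPV4_RE.findall(line)}


def classify(line):
    """Document classification: label a line as containing PI or not."""
    return "PI" if any(find_pi(line).values()) else "NO-PI"


def pseudonymize(value, key, kind):
    """Keyed HMAC-SHA256 pseudonym: consistent for the same input and key,
    not reversible without the key. The kind prefix keeps email and IP
    namespaces separate so identical strings of different types never collide."""
    tag = hmac.new(key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"{kind}_{tag}"


def mask_line(line, key):
    """Data masking: replace each detected PI value with its pseudonym."""
    line = EMAIL_RE.sub(lambda m: pseudonymize(m.group(0), key, "email"), line)
    line = IPV4_RE.sub(lambda m: pseudonymize(m.group(0), key, "ip"), line)
    return line


def apply_retention(lines, now, max_age_days):
    """Disposal: keep only lines whose leading ISO-8601 timestamp is inside the window."""
    cutoff = now - timedelta(days=max_age_days)
    kept = []
    for line in lines:
        stamp = line.split(" ", 1)[0]
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ts >= cutoff:
            kept.append(line)
    return kept


def process_log(text, key, now, max_age_days):
    """Retention first (less data to protect), then masking of whatever survives."""
    kept = apply_retention(text.splitlines(), now, max_age_days)
    return [mask_line(l, key) if classify(l) == "PI" else l for l in kept]


if __name__ == "__main__":
    for out in process_log(SAMPLE_LOG, b"example-key-keep-in-a-vault", NOW, RETENTION_DAYS):
        print(out)
```

Two design points worth noting. Retention runs before masking because the cheapest way to protect a record is not to have it, which is the data minimization argument the presenters make. And because the pseudonym is an HMAC, the key is the “additional information” that re-identifies a user (for example during an incident investigation), so it must be stored and access-controlled separately from the logs; a plain unkeyed hash of an email address would be trivially reversed by hashing a list of known addresses. The detectors here are deliberately simple and will, for instance, match version strings like 1.2.3.4 as if they were IPs; a production classifier needs tuned patterns or a dedicated discovery tool.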
Greg provided a summary of his observations from his privacy consulting work:
- The information governance capability is critical to privacy efforts. Without it, privacy operations would be impossible to conduct
- Coordination and clarity between the CIO, the General Counsel, the privacy office, and the information governance groups are required to meet privacy obligations. No person is an island where privacy is concerned.
- No laws or regulations require “superhuman” or “extraordinary” information governance or security efforts. The words “practical,” “reasonable,” “industry-standard” are commonly used. It is also important to be “proactive”
- Many of the laws and regulations have similar, if not the same, technical, procedural and administrative security requirements. Leverage them.
- There are significant idiosyncrasies even between US States. Know what is applicable to your organization
- PI can be in any number of different repositories. You’re responsible for securing all of them according to the applicable regulatory and legal jurisdictions, not just the obvious data elements inside the RDBMS
- If there is incremental money to spend on privacy and security, you may consider spending it on training and communications for the employees
Featured image by Blogtrepreneur