Why information governance is more important than ever for privacy

Organizations that can’t efficiently locate personal data will be hard-pressed to demonstrate compliance with privacy regulations, including responding to data subject access requests (DSARs) within prescribed timelines, implementing proper controls for protecting personal data in systems and repositories, and implementing appropriate transfer tools and safeguards when transferring data across jurisdictions and to third parties.

Organizations should leverage their data inventories to build a data map, which links data to systems or repositories, both within and outside the organization. Data maps are an essential tool for managing data and complying with privacy regulations, since they can be used to track data throughout its life cycle and as it moves across jurisdictions, allowing the organization to identify relevant global privacy and protection requirements.

While data discovery and mapping technology can certainly accelerate the development of a data map, a rich and comprehensive data map can be developed only with substantial engagement of the organization’s business and IT stakeholders. Where technologies may prove most useful is in the ongoing maintenance of the data map, where ongoing reviews and updates to the data map can be streamlined through automation.

From a privacy perspective, understanding the business purpose of data aids in data minimization, a principle of both the GDPR and California Privacy Rights and Enforcement Act (CPRA) requiring organizations to limit the collection, storage and use of personal data to only what is relevant and absolutely necessary for carrying out the purpose for which the data is processed.

Data minimization is equally important to an organization’s IG program, as it allows organizations to focus their resources on managing and protecting their most valuable information.

Organizations subject to GDPR must document the purpose for which different categories of personal data are processed in Records of Processing Activities (ROPAs), as required by Article 30. This information can often be captured and updated as part of broader data mapping activities undertaken by the organization.

Organizations should consider implementing additional controls and processes to flag new processing activities, including changes to how data is being used internally or by third parties, to which data subjects may not have consented and may need to be evaluated as part of a privacy impact assessment (PIA).

Compromised or stolen data can be exploited by criminals and shared publicly. The reputational damage from a major breach can impact a company’s revenues for years. Protecting the privacy of customer and employee data is impossible without appropriate technical and organizational security measures. All personal data must be safeguarded from unauthorized access, processing, destruction and damage.

Many organizations are striving to embed privacy directly into their business, technology and culture by embracing privacy by design. PIAs are tools an organization uses to assess and identify how data protection and privacy are being addressed in both product- and service-based solutions before the product, service or technology is implemented or deployed.

Under the GDPR, a data protection impact assessment (DPIA) is required for any type of processing that poses a high degree of privacy risk — in particular, the use of new technologies. Both of these assessments help organizations identify risks and mitigation controls for products, processes, systems or initiatives that involve collecting, processing and transferring personal data.

Before the new breed of data privacy regulations, strong IG programs enabled organizations to respond to complex, time-sensitive, and resource-intensive requests for data stemming from regulatory examinations, litigation and M&A transactions. Similarly, a sound IG program facilitates an organization’s ability to pivot and efficiently respond to data privacy events as well, such as DSARs, privacy incidents and data breaches.

An essential component to an IG program is to leverage knowledge from resources like data maps, and align technology to create efficiencies in identifying, collecting, reviewing and providing relevant data to the requesting party. At a minimum, standardized efficient workflows should be developed for DSAR processing.

New technologies should be considered to support compliance with privacy requirements as more people around the globe gain access rights. When considering technologies to support DSARs, for example, organizations should think holistically of the external events they may face about how existing or new tools can be leveraged to support the organization across all areas of exposure. 

Just as companies work to restrict gathering personal data, they need to limit the retention of information beyond what is necessary for business purposes. While companies historically have worked with third-party providers and law firms to develop retention schedules that identify both state and federal recordkeeping requirements, along with any industry-specific requirements, many have lacked the funding, resources and internal support to keep those schedules current with the rapidly evolving privacy regulations.

Companies should leverage privacy initiatives to draw attention to outdated retention schedules and procedures to create a more holistic approach to managing retention. Privacy-related retention limitations should be mapped so that companies have a comprehensive view of the information they need to retain, including for how long and why.

Records management systems and advanced technologies, such as AI-enhanced automation using predefined business rules, can also help organizations manage records throughout their life cycles, in accordance with relevant regulations. Systems can be configured to retain records in accordance with the schedule or defined retention requirement, while also suspending disposition in the event of a legal or regulatory matter, ultimately reducing the burden typically placed on individual employees.

Removing data allows a business to reduce privacy risks while helping control legal and business costs. Organizations must determine how to best dispose of different types of data, with some information requiring a combination of methods. A sound IG strategy is pre-emptively disposing of data before it exceeds retention requirements and propagates across systems.

Deletion requests from data subjects pose a growing privacy risk as they must be handled in compliance with relevant regulations, under strict deadlines. Under both the GDPR and CCPA, it is not enough for an organization to dispose of personal data upon request — its processors and service providers must delete that information as well.

Technology-enabled processes allow an organization to operationalize disposition and improve efficiencies, using advanced analytics, AI and automation. The goal is routine disposition of routine, outdated and trivial information, embedded into the organizations’ broader data management activities. The disposition process must be both defensible and auditable, and many organizations work with outside counsel and third-party providers to consider the legal and operational aspects of a disposition framework. Disposition methods include deletion, de-identification and aggregation.