If the 2010s were defined by the rise of Big Data, then the 2020s will be defined by data privacy and information security.
With the explosion in the number of data collection points in our lives comes an ever-growing level of risk that data will be mishandled or accidentally disclosed. Several recent data breaches have brought that reality firmly into the public eye. New levels of scrutiny are changing both the regulatory and best practice landscape for businesses across the board, particularly those who handle sensitive user or client data.
A Shift in Perception
In the age of Big Data, consumers became part of the largest experiment in widespread data collection in history, most of them unwittingly. Even those with some awareness of the level of data collection occurring rarely understood or appreciated the potential implications of mismanagement of that data. Then, with data mishandling or breaches being connected to the influencing of a US presidential election and the disclosure of the Social Security information of nearly 150 million Americans, the public was forced to sit up and take notice.
While the collection of data continues at unprecedented levels, the regulatory framework for companies which handle user data is becoming increasingly complex. Public action has led to the emergence of both the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA). Both of these regulations reach well beyond their home jurisdictions: they apply according to whose data is being processed, not where the processing company happens to be located. They mark a shift towards data being recognized as the valuable, powerful commodity that it is, and that shift is forcing companies to change how they think about data collection, security, and management.
Considerations for Records & Information Management
Naturally, records and information management is one of the sectors most directly affected by this change in public perception and legislation. Records and information management professionals need to be hyper-aware of what kind of data they are handling and how it is being managed, not only to ensure that they are in compliance with new regulations but also to prevent any potential breaches that would undermine the confidence of their customers.
New regulatory frameworks offer robust guidelines for records management professionals to follow. However, the key to staying on top of data privacy is to constantly question and evaluate your systems and processes. With that in mind, we’ve put together some fundamental questions for records and information management professionals to ask themselves.
1. Are you in compliance with GDPR and CCPA guidelines?
The first step for businesses dealing with sensitive data and records should be to test themselves against the GDPR and CCPA requirements. These regulations are aimed specifically at meeting modern standards of data privacy. For most businesses operating at a national or international level, compliance will be a necessity. However, all records and information management professionals can benefit from a clear understanding of their standards.
The standards and guidelines laid out by the GDPR and CCPA are excellent tools. By evaluating your information governance infrastructure and processes for compliance with these standards, you can ensure that you are building from a strong foundation of data privacy. However, you can only do this if you have systems and processes in place that can be audited.
2. Are your systems and processes easily accessible for audits?
Having clear visibility of your data pipeline is critical to identifying potential vulnerabilities. It is also vital that, in the event that a breach occurs, you are able to reconstruct the events leading up to it. This will allow you to identify precisely how it occurred, what data was affected, and which individuals need to be notified, and it may be hugely beneficial to any legal defense or action. Note that GDPR expects a breach to be reported to the supervisory authority within 72 hours of becoming aware of it where feasible, so the investigation has to be possible on short notice, not assembled after the fact.
The first step is to ensure that you are using software that allows for easy reporting and accurately logs all access to and transfers of records or data: who acted, what they did, on which record, and when. Those logs are only useful if they cannot be quietly altered by the people they describe, so they should be append-only, retained for long enough to cover an investigation, and stored where the staff handling the records do not have write access. Secondly, it is essential to document all personnel with access to data containing sensitive information, and to reconcile that document regularly against the permissions actually configured in the systems holding the data. This way, accountability for a breach can be understood and managed appropriately. The Standard Operating Procedures (SOPs) for handling and transferring records should also be clearly documented so that any deviation from SOPs can be identified.
3. Are all records with Personally Identifiable Information secure?
Personally Identifiable Information (PII) is among the most sensitive data types that organizations handle. A breach of data or records containing PII can be hugely damaging to the reputation of a business, and often results in litigation or fines. It is essential that all records containing PII be encrypted both at rest and in transit, with the encryption keys stored and managed separately from the data they protect. Bear in mind that encryption protects against lost media and intercepted traffic, not against a legitimate account being misused: a user or attacker who can log in as someone with access will see the records in the clear, so access control and access logging still have to be in place alongside it.
As stated above, maintaining a clear record of all personnel with access to those records is also necessary to establish a proper accountability framework. A full evaluation of your information governance system should be conducted regularly, and again whenever systems or processes change, to ensure that there are no areas of vulnerability that could expose PII.
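The two points above, a log of record access that cannot be silently edited and a documented list of who is allowed to touch PII, can be checked mechanically. The following is an added example written for this article, not software from any records management product: a small append-only audit log in Python in which every entry carries an HMAC over its contents and the previous entry's HMAC, so that modifying, reordering or deleting an entry breaks the chain, plus a check that flags PII access by anyone not on the documented access list. The key, the actor names, the record identifiers and the timestamps are all constructed for the example; in a real deployment the key would be held by a separate logging service or HSM that the records staff cannot read.

```python
import hashlib
import hmac
import json

# Constructed demo key (hypothetical). In production the key must live where
# the people who generate log entries cannot read it, otherwise they could
# rewrite history and recompute valid MACs.
LOG_KEY = b"constructed-demo-key-do-not-reuse"

GENESIS = "0" * 64  # chain anchor that the first entry commits to


def _mac(key, body):
    """HMAC-SHA256 over a canonical JSON encoding so every verifier hashes the same bytes."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only log of record accesses and transfers; each entry commits to the one before it."""

    def __init__(self, key):
        self.key = key
        self.entries = []

    def append(self, ts, actor, action, record_id, pii):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": ts, "actor": actor,
                "action": action, "record_id": record_id, "pii": pii, "prev": prev}
        entry = dict(body, mac=_mac(self.key, body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return -1 if the chain is intact, otherwise the index of the first entry
        that was modified, reordered, or whose predecessor was deleted."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body["seq"] != i or body["prev"] != prev:
                return i                      # gap or reordering in the chain
            if not hmac.compare_digest(_mac(self.key, body), entry["mac"]):
                return i                      # contents changed after the fact
            prev = entry["mac"]
        return -1


def find_deviations(log, pii_authorized):
    """Entries that touch PII records by actors not on the documented access list."""
    return [e for e in log.entries if e["pii"] and e["actor"] not in pii_authorized]


def build_demo_log():
    """Constructed sample activity (hypothetical users and record IDs, not real data)."""
    log = AuditLog(LOG_KEY)
    log.append("2023-05-01T09:00:00Z", "alice", "view", "REC-1001", pii=True)
    log.append("2023-05-01T09:05:00Z", "bob", "transfer", "REC-2002", pii=False)
    log.append("2023-05-01T09:10:00Z", "carol", "export", "REC-1001", pii=True)
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print("chain intact:", log.verify() == -1)
    # Only alice is documented as authorized for PII, so carol's export is a deviation.
    print("deviations:", [(e["actor"], e["action"], e["record_id"])
                          for e in find_deviations(log, {"alice"})])
    # An insider rewrites the log to pin the export on alice; the MAC no longer matches.
    log.entries[2]["actor"] = "alice"
    print("first broken entry:", log.verify())
```

The access-list check is deliberately a separate function from the log: the log is the evidence, the list is the policy, and reviewing one against the other is exactly the reconciliation the text asks for. Hash chaining on its own only makes tampering detectable, not impossible, which is why the key, and ideally periodic copies of the latest MAC, belong outside the reach of the people whose actions are being recorded.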
Data privacy has always been a concern for those in the records and information management space. However, increased public scrutiny and the growing interconnectedness of systems now mean that small lapses can have far-reaching implications. Technologies are constantly changing, which means new risks and vulnerabilities keep appearing, and the regulatory landscape is evolving alongside them.
It is vital that records and information management professionals adopt a proactive approach to understanding data privacy regulations and risk, as well as an ongoing evaluation process for their own systems. The key to staying ahead of the curve on data privacy is to have strong information governance procedures and systems in place. This foundation will make it easier to identify and correct areas of risk, and audit when things go wrong. Without those, ensuring the data that you manage is secure will always be an uphill battle.