Organisations’ obligations to manage data—and the costs of failure—are growing exponentially. Just look at some recent examples. A well-known retailer paid almost $70 million in settlements with banks, states, and class action suits stemming from a single data breach. In July 2019, a social media company received a $5 billion privacy fine by the United States (US) Federal Trade Commission, representing about 9% of its annual review - more than double the maximum percentage (4%) of annual revenue that can be imposed as a penalty under the European Union’s (EU) General Data Protection Regulation (“GDPR”).
Getting your data protection practices in order now has become more crucial than ever. Here are ten steps to creating defensible data privacy in your organisation:
1. Know Your Data
Data lives across all areas of all different departments: legal, IT, marketing, services, sales—everywhere. Often, data lives in places many of us aren’t even aware of, due to either tribal knowledge that has long since left the organisation or a lack of documentation and maintenance of important data sources. This emphasises the importance of engaging leaders across the organisation to help understand what is being and has been collected, with whom that data was shared, and where it currently resides.
Such an undertaking often requires a special project manager or a team to help enforce data hygiene rules among departments. This team or individual would engage with key stakeholders across the business to better understand their practices around data and create a streamlined process for handling that data. The most effective and efficient way to handle your data inventory would be to use a software platform that can handle end-to-end collection and analysis of that data.
Data mapping or inventory platforms can help automate many of the key efforts involved in maintaining your data by providing repeatable processes between teams. Better platforms allow you to profile your data to identify where it is being managed, and to retain it based on how it was collected—automatically connecting that data to the applicable privacy and security regulatory requirements. High-end platforms also provide interactive, configurable visualisations, allowing you to see the data in different ways.
2. Sync Your Data Privacy Activities and Objectives
Since all the questions surrounding compliance to data privacy regulations start with the organisation’s data map, it needs to be built the right way. This means organisations should use their tools and technology to stay flexible as these laws evolve, thus keeping the data inventory modern and functional.
Your data inventory should not be used in isolation. That is a big mistake. An effective data inventory should be actionable and should be used as the foundations to all your Legal GRC (Governance Risk and Compliance) objectives, since it identifies all the key elements and components of your organisation’s data.
Forward-thinking organisations can leverage their data inventory to fulfill wider data challenges. For example, the same people, processes and technology can be used to solve both data privacy and e-discovery objectives, since they both require identification, collection, preservation, processing, review, analysis and production of data. Recent data protection regulations have created a convergence between different data-related practices. Agile organisations can take advantage of the vast efficiencies and cost savings that single platform technologies that span multiple data disciplines can bring.
3. Operationalising Data Retention
Establishing an effective data retention policy is a key step in managing and protecting one of your organisation’s most valuable assets: your data. Recent fines for poor data retention practices, including a €14.5 million fine issued by the supervisory authority (“SA”) of Berlin to a German real estate company towards the end of 2019, have created further awareness of the need to take data retention seriously and to ensure organisations have the right data retention policies and practices in place.
The key to operationalising data retention is to leverage your organisation’s data inventory. As you already know what data your organisation has at a granular level, being able to apply retention standards to that data as and when it changes (i.e. business context) enables you to effectively initiate and manage data retention. It is extremely laborious, inefficient and time consuming to implement compliant data retention practices without using technology to assist.
4. Defensible Data Deletion
It is estimated that up to 85% of an organisation’s stored data is ROT - information which is redundant, obsolete and/or trivial – which creates a large amount of risk to potential cyber threats and exposure to privacy compliance in regulations like the GDPR, the California Consumer Privacy Act (CCPA) or the other 700+ privacy laws around the world.
When an organisation is involved in litigation or, worse yet, a regulatory agency’s investigation, all the organisation’s data is now subject to attorney review for responsive documents—an expensive proposition. Put simply, data you don’t have can’t be breached, and you don’t have to produce it during litigation.
Leveraging proven retention methods and enforcement models is the most effective way to defensibly dispose of unnecessary records and data, while meeting regulatory obligations to avoid unnecessary risks. Applying data minimisation principles in practice requires a three-phase approach: conducting a preliminary analysis, further data classification, and remediation of legacy data.
5. Third Party Diligence
A 2018 study by the Ponemon Institute found that about 60% of data breaches are caused by third parties. Effective risk management requires organisations to understand the specific types of data shared, processed, or managed by each third party. It can also include requiring your third parties to have certain security precautions in place at the time of contracting, in order to properly protect certain sensitive or regulated data.
Part of your data inventory should include an understanding of who those third parties are, and what organisational data of yours they have access to. Then you can start to determine the level of diligence required for each of your third parties, and therefore what risks they pose. There are major questions that are critical for every organisation to ask regarding their third-party vendors, including:
- Who are our vendors?
- Which ones touch our data?
- What specific data do they touch?
- What data is relevant to regulations?
- How are they protecting our data?
6. Responding to Data Subject Access Requests (DSARs)
A key feature of privacy regulations like the CCPA and GDPR is that they allow individuals to obtain answers regarding what personal information of theirs is stored by a given organisation. These requests, known as Data Subject Access Requests (DSARs), require an organisation with data on an individual to produce that information and allow for remediation (deletion, archiving, etc.). Given all the moving parts required—technology, manpower, and workflow processes, to name a few— fulfilling these requests can be very challenging.
Without an operational data inventory, it is practically impossible to comply with privacy laws because if you don’t know how to find the data, or know where it all lives in your organisation, you can’t remediate it. With a robust data inventory in place, organisations can establish a lean, effective, and efficient DSAR process consisting of the following key steps:
i. Organisations need to verify the data subject’s identity to ensure that each request is genuine, or they open themselves up to more trouble.
ii. In order to route the request to the correct department or individual, you must confirm what information is being requested.
iii. Gather the necessary personal information. This can be done quickly and efficiently by utilising a robust data inventory and having technology to identify and collect the appropriate data.
iv. Review the data to ensure that the organisation is returning the correctly requested information, as well as blocking privileged or company-sensitive information that may be part of the request. Review technology will allow the DSAR specialist to perform redactions or mark-ups on the documents without ever having to leave the platform.
v. Prove the request fulfilment is all-encompassing.
vi. Once the documents have been reviewed and exported, they should automatically be made available to the data subject via the organisation’s website or an online portal, and retrievable in an easy, secure way. If the data package has to be digitally sent to the subject, it should be encrypted or otherwise secured.
vii. After the DSAR has been fulfilled, close out the request and notify internal teams that the request has been completed for a complete audit trail.
7. Managing Privacy Consent
Consent management is the act or process of managing consents from your users and customers for processing their personal data. Legal agreements, privacy policies, and marketing are all types of consent. Additionally, when consent is given, organisations must enforce that the provided data is only used for processing purposes.
Cookie consent enables your website visitors with the ability to opt-in and out of the specific cookie categories (preferences, statistics and marketing), to consent and to withdraw their consent subsequently if they chose to.
A compliant consent management system includes the following:
- Asking for consent by clearly disclosing what the consent is being given to, and how the data will be used
- Refraining from all tracking, until full consent has been given
- Securely storing all consents as documentation that the consent has been obtained
- Giving your users access to the ability to withdraw their consent at any time
- Regularly renewing their consent (the ePrivacy Directive states every 12 months)
8. Incident and Breach Management
A data breach is a confirmed security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. With over 300 incident and breach notification laws, each with specific reporting and documentation requirements, businesses must efficiently manage the incident and breach lifecycle as their data increases and their systems become more complex.
Leveraging technology, organisations can fulfil challenging incident response and breach notification compliance quickly and efficiently. Global breach notification deadlines–sometimes as little as 24 hour–need to be met and organisations must be able to demonstrate defensible compliance to regulators and auditors.
9. Automate Employee Status Changes
Monitoring personnel changes can act as an early warning system to mitigate the risk of ESI (Electronically Stored Information) spoliation, such as termination or transfer, and leveraging technology, corrective actions can be automatically taken. Upon change detection, user-defined actions, such as automatically placing an employee on legal hold, or sending a questionnaire to a supervisor, prevent loss of ESI that is subject to a legal hold.
Detecting employee status changes can help organisations to proactively take steps to mitigate risk associated with the change in any data field stored in your HR information system. For example, when an employee leaves your organisation, tasks can be automatically issued to take a snapshot of the former-employees email box, backup their associated data, a system notification can be sent to alert Records Management of the change in employment status, and the employee can automatically be released from any active legal holds.
10. Future Proof Your Organisation with Legal GRC Technology
It’s not easy being in Privacy, Legal, or Compliance these days. Your organisation faces increased liability risks associated with non-compliance to new and existing privacy regulations, data breaches and cybersecurity attacks. You are tasked with demonstrating your governance and compliance efforts while also minimising legal risk, reducing costs, and improving productivity across your legal operations.
Business challenges, such as those discussed in the previous nine steps, span different organisational units, including Privacy, Compliance, Legal Ops, Security and IT. This requires a comprehensive approach to process orchestration. Cobbling together technology solutions aimed at addressing one part of this big picture won’t deliver the results you need.
To thrive in this new environment, you need a new class of enterprise software designed to seamlessly orchestrate the tasks and activities required to implement processes to address these business challenges, now and in the inevitably changing future. Simply put, you need Legal GRC technology.
Creating Defensible Data Privacy in Your Organisation
The regulatory landscape is changing at lightning speed. 64% of countries now have data protection or privacy legislation and with numerous new laws on the horizon, including a further 8% of countries with draft legislation, organisations should already be thinking about how they can leverage new technologies to ensure their practices get compliant and stay compliant in the turbulent future ahead.
By Stuart Davidson, European Marketing Director at Exterro