
Navigating the Impact of Data Privacy Laws on Information Management

by Bill Tolson

This write-up is a companion piece to my previous blog, “The Evolving Data Privacy Landscape: Trends in Data Privacy Laws.” This post will tie the emerging data privacy law requirements discussed in the last blog into the new data privacy laws that will affect how organizations change their information management.

Data privacy laws are becoming increasingly prevalent and disruptive for businesses across many industries. Corporate leaders such as Chief Privacy Officers, Chief Information Security Officers, Chief Information Officers, General Counsels, Chief Technology Officers, and Chief Compliance Officers will all face new job descriptions and responsibilities. However, information managers will bear the brunt of new process changes.

As more digital information is collected, stored, shared, used, processed, and sold by various businesses, the need to fully embrace the new data privacy environment will become a corporate imperative. Because individual states are quickly adopting new (and differing) data privacy laws, corporations across the globe will notice increased legal action by state Attorneys General and state privacy boards, not to mention by individual data subjects via the private right of action.

Since the passage of the European Union’s GDPR and California’s CCPA/CPRA, governments at all levels have become much more focused on citizen data privacy and security. These new privacy laws were created to protect the rights and interests of individuals (data subjects) regarding their personal and sensitive data, such as electronic health records (EHR) and other personally identifiable information (PII) — including biometric identifiers and online behavior.

However, corporations have been slow to realize that data privacy laws also pose significant challenges (and risks) for managing and securing PII. The new data risk landscape means that information managers must scramble to come up to speed on data privacy quickly.

The EU's GDPR has paved the way

One of the main impacts of data privacy laws on the information management profession is the need to comply with a wide range of sometimes conflicting regulations and legal responsibilities across industries and jurisdictions. For example, GDPR is one of the world's most comprehensive and stringent data privacy and protection frameworks, and it impacts far more than European Union companies. All companies that collect or process the PII of EU residents, regardless of where the organization is located, must abide by the GDPR requirements. This means that US organizations collecting EU PII are also subject to the GDPR rules and fines.

The European Union takes citizen data privacy extremely seriously. In fact, through the GDPR the EU has stated that data privacy is now considered a human right. The GDPR grants citizens various fundamental rights over their data, such as the right to:

  • Access and review their data
  • Rectify mistakes
  • Delete PII held by the organization if there are no regulatory or legal holds on the data (also called the right to be forgotten)
  • Restrict the transfer of their PII
  • Limit the use of AI on their data
  • Restrict the sale of their PII
  • Object to the processing of their PII

It also imposes obligations on data controllers and processors, such as:

  • Obtaining consent on using their PII
  • Conducting data privacy impact assessments
  • Providing for straightforward data subject access requests
  • Implementing “reasonable” security measures
  • Reporting breaches
  • Appointing data protection officers

Failure to comply with the GDPR can result in fines of up to 20 million euros or 4% of global annual turnover, whichever is higher.

All these rights and obligations will also affect how information is managed, stored and protected.

The US feds are lagging, but states are catching up

Conversely, the United States does not yet have a federal data privacy law that covers all US citizens, companies, sectors, and activities. Instead, it has a patchwork of federal and state laws regulating specific data types or industries, such as the Health Insurance Portability and Accountability Act (HIPAA), the Children's Online Privacy Protection Act (COPPA), and the New York SHIELD Act. On a positive note, the US House of Representatives has been pushing for a US-wide data privacy bill called the American Data Privacy and Protection Act (ADPPA).

Many industry pundits believed the ADPPA had the best chance of making it into law; however, that still remains in question. The ADPPA was reported out of the House Energy and Commerce Committee by an unusually lopsided 53-2 vote in July 2022. However, the ADPPA has not yet been brought to the House floor for a full vote. If passed in the House, the next step would be to move the ADPPA to the US Senate for a vote. The bottom line is that businesses are pushing for the ADPPA to eventually pass with a preemption provision that would override all the state laws, so that companies have only one US data privacy law to follow instead of potentially 50 state laws.

State data privacy laws are on the rise

As previously mentioned, the states have not been idle. As of the date of this blog, eleven state data privacy laws have been passed into law. These laws vary in scope, definitions, requirements, exemptions, enforcement mechanisms, and penalties, but all assert jurisdiction outside their respective states over the collection and use of their citizens' PII.

Moreover, many of these state laws can conflict with each other or with foreign data privacy laws. For example, the CCPA grants California residents the right to opt out of the sale of their personal information to third parties, while the GDPR requires explicit consent for any transfer of personal data outside the EU. Another point of divergence is the CCPA's private right of action, which allows the data subject to sue a company directly instead of waiting for the state Attorney General to take legal action. California's data privacy laws (so far) are the only state laws that include a private right of action provision.

Information management professionals are now on the front line

Because of this growing network of differing federal and state data privacy laws, information management professionals will need to know which data privacy law requirements apply to their organization's activities and operations, so they can ensure their procedures, technology, and training address and comply with those legal requirements.

This preparation could involve:

  • Conducting PII audits
  • Assisting IT and legal with data searches
  • Adapting to new role-based access controls and zero-trust architectures
  • Assisting with building enterprise data maps and data flows
  • Updating policies and procedures
  • Implementing technical and organizational safeguards
  • Obtaining ongoing legal advice
  • Training staff on the new and changing privacy laws

Another impact the new data privacy laws will have on information managers is balancing the protection of PII with utilizing that data for various business purposes. Data is a valuable asset that can provide insights, innovation, efficiency, and competitive advantage for organizations, but it can also be a huge liability.

Many data privacy laws require that the collection and use of PII be minimized to what is necessary and relevant for the original stated purpose. For example, companies should not ask for too much of a client’s PII so they can subscribe to the company newsletter. This would be considered an overreach by many governments. Furthermore, data privacy laws grant individuals the right to object to processing their personal data for direct marketing. Therefore, information management professionals must ensure that they have an explicit and lawful basis for collecting, storing and processing PII.

Additionally, information management professionals must adopt a data minimization approach, which means collecting only necessary PII, using it only for the purpose covered by the consent received, and deleting it when it is no longer required.

A third impact of data privacy laws on information management is the need to ensure the security and integrity of personal data throughout its lifecycle. Data privacy laws require that personal data be protected from unauthorized or unlawful access, use, disclosure, alteration, or destruction. Most state data privacy laws use the same terminology for data security requirements – data collectors and processors must “maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.”

Using the term “reasonable” in the data security provisions of the state data privacy laws leaves a lot of room for interpretation and should be tightened up in future amendments.

Data security provisions will become more prescriptive

The data security requirements apply not only to storage devices and systems but also to transmission channels and networks. For example, the GDPR requires that appropriate technical and organizational measures be taken to ensure a level of security appropriate to the risk posed by the processing. It also requires that any personal data breach be reported to the relevant authorities and affected individuals immediately.

Due to these non-prescriptive data security requirements, information management professionals must implement robust security policies and practices to always safeguard personal data.

This may involve:

  • Encrypting data
  • Using strong passwords
  • Limiting access rights
  • Utilizing role-based access controls
  • Requiring multi-factor authentication for access
  • Monitoring activity logs
  • Conducting regular backups

Additionally, information management professionals, along with corporate legal and the CISO, need to establish a breach response plan that outlines the steps to take in the event of a data breach, such as notifying the various governmental authorities, informing the individuals, isolating the affected systems, and investigating the cause and extent of the breach.

Data privacy laws will significantly impact the information management professional and require careful attention and change. Information management professionals must comply with different and sometimes conflicting regulations across jurisdictions, balance the protection of PII with the utilization of data for various purposes, and ensure the security and integrity of PII throughout its lifecycle.

Compliance avoids legal risk and penalties and enhances an organization's reputation and trustworthiness as a responsible and ethical data steward.

Data privacy laws are uncovering a new inflection point

My last blog referenced the coming data privacy law/information management inflection point, which will be the primary driver for completely restructuring how all information is managed.

To review: An information management/compliance inflection point is a point in time when the regulatory landscape changes significantly, requiring organizations to make important changes to their compliance programs – including new technology capabilities.

This critical change can be due to several factors, such as new data privacy laws or regulations, changes in enforcement priorities, or technological advancements that make it easier to comply with regulations.

Regulatory compliance inflection points can have a major impact on businesses, both positive and negative. On the positive side, they can create new opportunities for companies to comply with regulations more efficiently and cost-effectively, which could set them apart from their competition.

In the case of the data privacy law/information management inflection point, all the current (and future) state laws provide for the data subject to query an organization about several areas, including:

  • What PII they have collected on them
  • How their PII has been used
  • If consent was granted for the PII collection
  • If artificial intelligence has been used on their PII

Data subjects also have the right to correct incorrect PII as well as the right to delete.

To respond to these queries, the collecting organization must know where all of the data subject's PII is stored, especially for PII deletion requests. The right to deletion implies that if a data subject requests the erasure of their PII, all of the data subject's PII must be unrecoverably deleted — not just the easily found PII.

DSAR reporting requirements are absolute

Let's look at an example of the dangers of the data privacy laws' right to deletion and how most companies manage their information.

Suppose your organization receives a data subject access request (DSAR) asking your company to catalog and report on the PII you have collected on the data subject and how it has been used in the past. In this case, most organizations will search their enterprise systems, and if they find the requested PII, they can report on how it was used in the past, whether it has been sold to others and when.

In many cases, a PII deletion request will quickly follow. Those same organizations will again search the enterprise systems and delete all instances of that particular PII. They will then report to the data subject that all copies of their PII have been deleted. However, how would the IT department know for sure that all copies of PII have been deleted? What about employee laptops, workstations, smartphones, personal cloud accounts and removable media? Data subject PII could have transferred between sales or marketing employees working on customer lists for email campaigns, newsletters or call lists for sales.

Because of the new data privacy laws and accompanying data subject rights, organizations must start collecting and indexing ALL data created or received within the corporation. This means that data on laptops/workstations, etc., must also be captured, synced, and indexed so that when the organization responds to a PII deletion request, they can find all of it. This includes the data that has been ignored by information management/records management and left to the individual employees to deal with because it was not subject to regulatory retention requirements in the past.
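The DSAR flow described above (access report, deletion request, re-search, report back) is easy to model, and modelling it makes the failure mode concrete: if the deletion pass only covers enterprise systems, the later "all copies deleted" report is wrong. The following is an added example, not code from the original post or from Smarsh. It is a toy index of records spread across enterprise systems and employee endpoints, with all locations, records, the data subject and the legal-hold flag being constructed sample data; the verification step re-scans every indexed location after deletion so the response to the data subject can be proven rather than assumed.

```python
"""Toy DSAR deletion-completeness check (added example, constructed data)."""
from dataclasses import dataclass


@dataclass
class Record:
    location: str          # indexed source, e.g. "crm" or "laptop:mrivera"
    tier: str              # "enterprise" or "endpoint"
    content: str           # text the index captured from that source
    on_hold: bool = False  # under a regulatory/legal hold: exempt from erasure


def build_index():
    """Constructed corpus: one data subject's PII scattered across tiers,
    including copies on employee devices and a personal cloud account."""
    return [
        Record("crm", "enterprise", "Jane Example <jane@example.test>, subscribed 2023"),
        Record("marketing-db", "enterprise", "newsletter list: jane@example.test"),
        Record("finance-ledger", "enterprise",
               "invoice 4471 billed to jane@example.test", on_hold=True),
        Record("laptop:mrivera", "endpoint", "call list export: jane@example.test"),
        Record("onedrive:tchen", "endpoint", "campaign_q2.csv contains jane@example.test"),
        Record("crm", "enterprise", "Other Person <other@example.test>"),
    ]


def find_subject(index, subject_email):
    """Access-request step: every indexed location holding the subject's PII."""
    needle = subject_email.lower()
    return sorted({r.location for r in index if needle in r.content.lower()})


def erase_subject(index, subject_email, tiers):
    """Deletion step over the chosen tiers only. Records under hold are kept
    and reported separately, mirroring the 'no regulatory or legal holds'
    condition on the right to be forgotten. Returns (remaining, erased, withheld)."""
    needle = subject_email.lower()
    remaining, erased, withheld = [], [], []
    for r in index:
        hit = needle in r.content.lower()
        if hit and r.tier in tiers and not r.on_hold:
            erased.append(r.location)
        else:
            if hit and r.tier in tiers and r.on_hold:
                withheld.append(r.location)
            remaining.append(r)
    return remaining, sorted(set(erased)), sorted(set(withheld))


def verify_erasure(index, subject_email):
    """Verification step: re-scan every indexed location. Any hit that is not
    under hold is a residual copy, and a 'fully deleted' report would be false."""
    needle = subject_email.lower()
    return sorted({r.location for r in index
                   if needle in r.content.lower() and not r.on_hold})


def run_dsar(tiers):
    """Full DSAR flow for the constructed subject over the given tiers."""
    index = build_index()
    subject = "jane@example.test"
    access_report = find_subject(index, subject)
    index, erased, withheld = erase_subject(index, subject, tiers)
    residual = verify_erasure(index, subject)
    return {
        "access_report": access_report,
        "erased": erased,
        "withheld": withheld,          # kept under legal hold, disclosed as such
        "residual": residual,          # must be empty before reporting completion
    }


if __name__ == "__main__":
    # Enterprise-only deletion: endpoint copies survive and show up as residual.
    print(run_dsar({"enterprise"}))
    # Deletion driven by the full index: nothing left except the held record.
    print(run_dsar({"enterprise", "endpoint"}))
```

The important line is the residual list: the enterprise-only run still reports copies on the laptop and the personal cloud account, which is exactly the gap the post warns about, while the run over the full index comes back empty and the held invoice is disclosed rather than silently retained.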

If a company’s response to a PII deletion request is incomplete, and they don’t search employee devices and cloud accounts, they could potentially be non-compliant and risk receiving huge penalties and fines, not to mention terrible PR in the marketplace. To counter new data privacy law liabilities, companies will need to adopt new technology capabilities and employee processes that will enable them to access, index, and view all digital data in the organization — not just the 5% to 10% of data they have previously considered regulated records.

For information management professionals, this means they will be looking at managing far more electronically stored information than they have in the past.

This new information management requirement will also be a sensitive corporate culture issue for many employees. Most information workers consider the data they store on their company devices as “theirs” and under their control and management. Turning over control of that data will be challenging for employees, and IT should consider how they will convince the employee base to go along – willingly.

Change leads to more change

The global push toward data privacy as a human right affects every organization, regardless of industry. Information managers will become increasingly involved in setting information management policies and procedures and becoming an influencer for new technology adoption. Information managers would be well advised to become more engaged in transitioning to the coming inflection point.

Bill Tolson
Smarsh Blog