By Legal Futures’ Associate exterro
As high-profile cases and ever-increasing regulations highlight, we are entering a new age of dealing with data that is causing organisations to rethink everything – from how they collect data to storage, retention, access, disposal, and more.
The General Data Protection Regulation (GDPR) set the stage for a new era of data protection and privacy compliance and effectively sparked a regulatory movement, beginning with the hasty passage of the California Consumer Privacy Act (CCPA) in the United States. Shortly thereafter, several other states introduced their own “CCPA Copycat” laws, and more are on the way.
Failure to comply with this increasingly complex terrain of privacy regulations could result in litigation that is damaging, both reputationally and financially. Companies must develop a defensible approach to data privacy regulations and ensure that their e-disclosure and information governance programs are up to par.
Organisations’ obligations to manage data—and the costs of failure—are growing exponentially. Just look at recent examples from data breaches. A well-known retailer paid almost $70 million in settlements with banks, states, and class action suits stemming from a single data breach. In July 2019, a social media company received a $5 billion privacy fine, representing about 9% of its annual revenue – more than double the maximum percentage (4%) of annual revenue that can be imposed as a penalty under the EU’s GDPR.
Both e-disclosure and data privacy, along with an ever-evolving myriad of data-related practices, require an accurate and comprehensive data inventory to ensure defensible compliance. The ability to identify and preserve data, and the ability to review, redact, and produce relevant data under tight timelines, are now critical components of compliance.
Organisations must be able to quickly and accurately:
- understand the data they control,
- define precisely where it exists inside IT infrastructure, and
- secure, access, retrieve, and manage it in accordance with both regulations and business needs.
Companies that don’t have a handle on their data practices face a costly e-disclosure nightmare, as well as potential oversights when responding to Data Subject Access Requests (DSARs) that could spark litigation.
Start from the beginning: the need for an effective data inventory
Effective e-disclosure and privacy compliance begins with developing a sustainable and robust data inventory that identifies what information an organisation holds, where it’s stored, how it’s generated and used within the company, retention requirements, and more.
A data inventory informs data privacy compliance and how data can be used in the e-disclosure process. Understanding what data is protected not only limits exposure to a potential breach of sensitive information, but also limits the time and resources spent early in the disclosure process, including managing subject access requests from residents exercising their data privacy rights.
Information must be provided without delay and at the latest within one month of receiving a request. There are three distinct foundational capabilities that legal teams must have in place to be prepared to respond compliantly and defensibly to DSARs.
- Know your data
The first step to effective and defensible compliance begins with a comprehensive, sustainable data inventory. You have to know where your data exists in order to protect it, produce it, and ultimately delete it. As a privacy professional or legal executive, you simply can’t meet your obligations effectively without a robust data inventory.
- Process orchestration
Different types of subject access requests require different workflows and verification processes. Requests from job candidates or past employees must trigger a different role-based workflow than requests submitted by customers or subscribers. Legal teams need a well-orchestrated process that is configurable based on the data subject and type of request.
- Request fulfilment
Organisations have little time to respond to and fulfil verifiable data access requests. You need a secure process for authorised personnel to quickly find relevant information stored across your IT infrastructure, review information to ensure documents are appropriate to the request, redact information as necessary, and produce the information.
Effectively responding to DSARs as required by regulations such as GDPR or the CCPA is challenging. With new, exciting advancements in Legal GRC technology, legal teams can now orchestrate the entire process beyond just workflow automation, including the capabilities to retrieve, review and deliver requested information to the requester, all in a single software solution.
Data protection regulations are evolving and will continue to do so as consumer demand for protection of personal data grows. Similarly, organisations’ duties will continue to expand and adapt as they respond to these regulatory changes. Keeping pace will be difficult unless you tackle it from the ground up and establish an infrastructure that can effectively understand, access, manage, and control your data in a manner that is defensibly compliant across organisational practices such as data privacy and e-disclosure.