With the tsunamic rise in electronic information, doubling at regular intervals, complexity in information management has resulted in newly created or redefined roles tasked with creating order out of chaos. Information professionals attempt to control their domains in roles described as content management, knowledge management, eDiscovery, data management, data security, records management, privacy management, and Information Governance. Due to an increased focus on privacy rights in the EU, as well as in individual U.S. states, potential enforcement actions have had an alarming impact on all of these roles, often causing intra-organizational conflict as enforced silos inhibit compliance with expanding and complex privacy laws.
In the past, other than prohibitively expensive eDiscovery disasters or unexpected regulatory audits leading to fines, there has been no real accountability in the U.S. as to how an organization maintains, organizes, creates, and/or disposes of its information. However, data breaches of private information, as well as the hacking of business and trade secrets, have become commonplace. Corporations have scrambled to determine the what, where, when, and ownership of information that has been compromised, often racing against the clock to notify law enforcement and impacted individuals in time to avoid financial damages. C-level executives have lost their jobs over their company’s mishandling of breaches. A court allowed a class action by credit card holders against Neiman Marcus, and the FTC acted against Wyndham Resorts for failure to protect the data of its customers. The potential for fines imposed by the FTC or state attorneys general based on state data-breach laws, damages in private lawsuits, or the untimely loss of highly placed executives increases the likely costs of a future breach. In addition, as reflected in the Neiman Marcus case, damage to a company’s reputation due to the scrutiny of its glaringly inadequate Information Governance serves to motivate others to remedy inadequate IG frameworks.
Meanwhile, the EU has the right to fine U.S. organizations collecting data on EU residents up to 20 million Euros, or 4% of global sales, for the mishandling of personal data pursuant to the General Data Protection Regulation (the “GDPR”), which became effective on May 25th, 2018.
It has always been my view that records management is the core of information management, since it is the gatekeeper to all information of ongoing value to the organization (a record is defined as information that has business value or meets regulatory or litigation requirements). This is even more obvious in privacy management now that personal data being maintained must be held for a specified time and in a specified manner. Personal data must be capable of easy access, and any data maintained on a protected individual must be accurate. In addition, when personal data no longer has business value, the risk of maintaining it becomes prohibitive, and it must be deleted in a manner that ensures continued privacy protection.
As records managers assess their own domains, they realize that many of the obligations created by new privacy laws can only be met if they understand how those laws affect the way they manage personal data. I erroneously assumed that privacy managers/attorneys/directors would expand their roles by learning the RIM world and addressing the changes required by privacy laws, but I repeatedly hear that, instead, they refer the details of maintaining privacy-related records to their records staff. While I applaud the respect shown by their willingness to delegate the legal duties of access, scheduling, deletion, and reliability of personal data, it creates new dynamics and an increased level of responsibility within the RIM framework that might not be thoroughly understood by the organization.
Since the GDPR has taken effect, many corporate attorneys have instructed the RIM staff to reassess records retention schedules based on the GDPR. Overworked professionals from all domains have developed plans to meet compliance requirements, often attempting to make the law fit into how they have always handled their duties in the past. As an example, I have seen the RIM “big bucket” approach utilized to create records retention schedules for global records containing personal data of EU residents in a manner that could lead to fines in the millions. When one EU country requires employment records to be retained for thirty years, while another requires disposal of the same record types three months after termination of employment, defaulting to a thirty-year schedule for all EU employment-related data is simply an unsound practice. Likewise, deleting all EU employment data three months after employment termination would leave an organization unable to meet the legal obligations of other jurisdictions, and unable to defend itself in the event of litigation. In this instance, each country needs to be addressed individually. If there is a legitimate basis for maintaining personal data (e.g., potential litigation relating to employment), the data can be maintained under GDPR solely for that purpose, even if there is a privacy-related requirement of a shorter retention period for that specific data.
In these “conflict of laws” situations, the data maintained for the interim retention period based on legitimate business interests requires heightened security as well as restricted access.
Retention schedules relating to records containing personal data have their own rules, often involving a conflict of laws, that require a new data-scheduling framework within the RIM environment.
In the RIM domain, managing records that contain personal data is an example where less is more. With less information, it is easier and faster to retrieve relevant information (in this case, personal data), it costs less to maintain, and liability toward the individuals concerned is limited because their information is deleted as soon as it no longer has business value. Until recently, the decision to “keep it all” was based on an assessment of return on investment that considered the risks worth taking compared to the cost of ensuring compliance through the creation of a long-term Information Governance (IG) roadmap. The lack of calculated routine disposition was defended as a strategic decision to maintain data for marketing or business planning using increasingly sophisticated analytical software.
However, attempting to meet GDPR requirements while maintaining large data pools or warehouses of information that has not been identified, much less classified (the unknown unknowns), creates an extremely difficult environment for compliance. For companies that do business with European residents, enforcing defensible disposition has become a critical mission. While scheduling records disposition has become more complex under GDPR, meeting a defensibility standard relating to disposition has become easier.