How to comply with global privacy requirements
Organisations that have customers or operations across more than one country face a spate of new and proposed privacy and data protection laws. Traditional archiving approaches often fall short of meeting the patchwork of requirements that organisations must adhere to, with this driving many to re-examine how they manage information.
Business leaders should look to implement a general privacy program that is designed to meet new requirements without the need to significantly redesign the program each time a new law emerges, according to Micro Focus.
Brandon Voight, Director of Sales, Information Management, Micro Focus ANZ, said, “While tempting, it would be a mistake for business leaders to create a privacy policy but defer implementing it until additional regulatory clarity on new and proposed privacy and data protection laws is shared. By creating a policy, business leaders are making a commitment about how their organisation will handle personal information.
“Failing to implement a policy or follow data protection guidelines once adopted may be viewed by courts, regulators, customers, employees, and other stakeholders as bad faith to their commitment at best or as a deliberate effort to subvert the new requirements at worst. Business leaders may also face significant fines or other regulatory action if they fail to ensure and demonstrate compliance.”
Despite facing uncertain and unclear requirements, the challenge of implementing a privacy program or data protection guidelines can be addressed by meeting key requirements for managing personal information. These requirements are shared by almost all global and local privacy laws as well as data protection obligations.
By implementing basic capabilities for identifying, securing, managing, and selectively deleting personal information that meet these requirements, organisations will be able to meet most, and in some cases all, of the existing privacy rules. Rather than implement compliance for privacy and data protection laws on a piecemeal basis, organisations can address additional variations of any given privacy law, typically with limited effort.
Micro Focus has identified five key privacy information management capabilities:
1. Personal information identification - All privacy regulations require organisations to identify what personal information is created, received, and shared with others. This includes tracking the workflow of personal information through and across various applications, as well as determining where personal information is stored. Many regulations will also require organisations to track and report with whom privacy information is shared, so creating and keeping personal information inventory up to date is essential. By using a broader definition of personal information, organisations are also protected if the current regulations that define personal information increase the scope of their definition in the future.
Organisations must also pay special attention to structured data contained in databases as all the structured data repositories that contain personal information need to be identified, including older, legacy databases that may no longer be active. Organisations also need to examine the data flows between structured systems, both within the company as well as to third parties.
2. Securing personal information - Once identified, personal information must be secured against potential breach or inadvertent disclosure. The greatest risk of a breach incident is typically not the large, centralised databases containing customer information but, rather, personal information on the fringes. This can include extracts from databases on file shares and laptops with files containing customer lists. Many breaches also occur from locations that were not believed to hold personal information, so it’s important for employees to complete a thorough personal information inventory to uncover unprotected personal information.
3. Scalable, efficient access requests - Almost all new and emerging privacy laws have some type of subject access request requirements. This lets consumers find out what personal information a company possesses and who else it has been shared with. While the timeline for responding to access requests varies, they typically must be responded to within 30 to 45 days. Furthermore, the response must address personal information across all locations, not just larger customer service applications. Any organisation that receives more than a handful of these requests per week needs to be efficient with scalable processes for conducting these searches.
4. Scalable processes for producing personal information - Many laws give data subjects the right to ask an organisation to produce copies of their personal information. To comply, organisations must be able to collect and produce information from a variety of sources and then consolidate this information into a single package.
5. Compliant processes for deleting personal information - Consumers and other data subjects have the right to have their personal information deleted, or in some cases de-identified. To comply, organisations shouldn’t delete or erase records that are being maintained according to compliance regulations or data under legal hold. The organisation also needs to be careful that they don’t inadvertently lose referential integrity with a database system during the process of deletion, encryption, or de-identification.
Brandon Voight said, “Customers share their personal information trusting that organisations will be effective custodians of this information. Organisations that cannot properly protect personal information will lose the trust of their customers while privacy capabilities implemented today will let companies run a better overall business tomorrow.
“Any strategy for complying with privacy needs to incorporate the right technology. Companies need systematic and preferably automated processes for tracking, managing, and securing all of their personal information, and to continue that tracking for the life of the data.”