As the laws governing data become more complex, the placement of labels on data helps to achieve compliance and desired legal outcomes. A label is any kind of legal statement of rules or ownership associated with data.
Analogy to Signs on Land Help Us to Understand Data Labels
A label on data can be like a No Trespassing sign on land. It is a statement that informs observers of a legal claim. Just because someone puts a label – or a No Trespassing sign – on something does not mean the label or sign is correct or enforceable. Anyone can put a No Trespassing sign on land, even if they have no rights to the land.
However, the law often assigns weight or credence to signs or labels. Law often says that if it appears the landowner put a No Trespassing sign on their land, then the sign is presumed to be enforceable. Accordingly, law motivates those who control property, such as land or data, to put signs or labels on that property.
There is Virtually No Limit on What You Might Claim Legally on a Label
So parties who control data like sensitive personally identifiable information can achieve legal benefits by applying labels to the data. The labels might assert any number of legal claims, such as the following:
- No Trespassing
- Top Secret
- Property of ABC Corp.
- Subject to the laws of Canada, but not the laws of any other country
- Governed by Privacy Policy #1234
- Use this data only in accordance with Data Management Contract dated January 1, 2018. between ABC Corp. and Acme, Inc.
- This data is to be used only for investigation of claims made March 30, 2018, by whistleblower through the official corporate hotline.
- This data is to be managed only in accordance with the European Union’s General Data Protection Regulation.
- This data was originally collected July 6, 2017 and is scheduled for retention until July 6, 2020, unless management selects a longer retention period.
- Notice to law enforcement or other government agents: This data is protected by the privacy laws of Canada.
- Confidential: This data constitutes attorney-client privileged communication and attorney work product created in preparation for dispute.
Labels like the foregoing can, for example, reduce ambiguity about which country’s laws apply to data or questions about whether an employee was on notice that they should not access or destroy a certain unit of data.
Applying Labels to Data Can Be Hard Work
For a large organization, it can be challenging to put the right labels on all of its data. It can be challenging to locate the data. It can be challenging to change labels as needs change, on account of, say, changing laws or updated privacy policies.
In this regard, IPRO can help. It can search for particular kinds of data across many different silos within an organization. When it locates desired units of data, it can automatically apply data “tags,” which in effect are information labels that can have legal impact. The tags can be changed from time to time, with relative ease.
The process of searching for data, applying tags, changing tags and so on can all be documented with audit trails. These audit trails can constitute impactful evidence that the holder of data is endeavouring to do what is right with it. The evidence might be used to persuade a court, a corporate trading partner or a regulatory authority (such as a data protection authority in a foreign country) that the data holder has a good track record of compliance in an environment where perfect compliance is impractical.
The Legal Power of Labels Is Under-Appreciated
Tags, signs and labels will not resolve all of your legal data compliance risks. But they are a powerful, often under-appreciated tool for helping to demonstrate that your organization is diligently working to meet the expectations of law or to notify parties like employees or law enforcement about how data should be handled.
Benjamin Wright is a practicing attorney based in Dallas, Texas, and an instructor at the SANS Institute teaching a 5-day course titled “Law of Data Security and Investigations.” http://benjaminwright.us
