When viewed from a global perspective, data management law is confusing. Different forces tug organizations in different directions. As a consequence, organizations have to invest more effort in locating their data, evaluating it, setting policies for it, and documenting that they have followed this process. The requirement to make this investment is growing from year to year.
Privacy Calls for Keeping and Accessing Less Data
On the one hand, privacy laws like HIPAA, GLBA, GDPR and the cybersecurity regulations issued by New York’s Department of Financial Services demand that data be kept to a minimum, be compartmentalized so unauthorized people cannot view it and be used only for authorized purposes. These laws further expect organizations to perform and document risk assessments, so the data that bears higher risk is protected with greater security and procedural controls.
Other Laws and Social Expectations Call for Keeping and Accessing More Data
On the other hand, a thicket of different laws expects organizations to keep more data, for longer periods, in pursuit of other social goals. Anti-money-laundering and know-your-customer laws, for example, expect financial institutions to collect, store and assess a great deal of personal information to make sure criminals are not trying to hide assets or execute transactions. Many laws, such as those punishing bribes or sexual harassment, expect organizations to keep records showing they conducted internal investigations when allegations of wrongdoing arose.
So-called “red flag rules” in the US expect many organizations like banks and utilities to sift through customer data looking for patterns that suggest criminals are trying to commit identity theft. And consumer protection laws expect organizations to keep vast records to prove that the organizations provided what they promised to customers, can notify customers of product recalls or other critical information and did not destroy information needed for a lawsuit or regulatory investigation.
At the same time, advances in technology lead consumers to expect that organizations will provide service that is responsive and customized for the individual customer. A customer, for example, expects that a bicycle-sharing app remember that the customer likes to find a bicycle near the grocery store on Tuesday afternoons. If the customer’s expectation is not met, then the customer will take their business elsewhere.
The Need to Balance Competing Interests
Given these many, evolving and inconsistent laws and expectations, organizations need to balance competing interests. Broadly speaking, when organizations responsibly balance those interests, data law is more tolerant of them and more likely to recognize that they did the right thing.
To that end, an impactful step an organization can take is to articulate in policies and documentation what the organization is trying to do with data and what measures the organization is taking to achieve desired results.
An organization behaves more responsibly under the law if it is “proportionate” in the steps it takes to find data, control it, destroy it or take whatever other action is appropriate. To be “proportionate” means to evaluate the costs, time, effort and risks and then make a rational decision on how far to go with any given step.
Proportionate Data Management
To help an organization demonstrate it is taking the right, proportionate step, IPRO’s technology can be instrumental. It can help to locate data across different silos in the organization, and create labels or audit trails to memorialize how the organization assessed the data, balanced competing interests and settled on responsible, proportionate outcomes.
Benjamin Wright is a practicing attorney based in Dallas, Texas, and an instructor at the SANS Institute teaching a 5-day course titled “Law of Data Security and Investigations.” http://benjaminwright.us