If you’re in the information governance space these days, in virtually any capacity, you’re hearing a lot about data privacy. And unless your organization is either far ahead of the curve—or so far behind that you don’t even know it’s a concern—there’s probably a lot of discussion about what you should do to bring your organization into privacy compliance.
These are good discussions to have, but in having them, bear in mind that privacy compliance isn’t a single act, something that you do or implement once and then think no more about. Privacy is more of a philosophical position that you must adopt, which will then drive outcomes in a wide variety of processes, technologies and data repositories. Some of these are standard processes and documents, like records retention and retention schedules. But many others, like the need to provide disclosures, obtain permissions before collecting personal data and set retention periods, may be new to your organization, and may require you to develop unfamiliar processes and implement new or revised tools.
In tackling this daunting problem, it’s important to understand that privacy compliance isn’t by any means a uniform thing. The outcomes you’ll need to achieve are driven by laws, and what those laws require varies quite a bit. So, if you do business in Europe, you’re faced with a much different privacy landscape than if you operate only in the United States. But even in the U.S., the particular mix of states in which you do business will expose you to an assortment of privacy laws that vary from state to state. These days, it’s tempting to assume that, in the U.S., the California Consumer Privacy Act (CCPA) is the only game in town, but that would be a mistake. Many other states have privacy laws on the books, and many more are on the way. Not only is it a complex landscape, it’s a shifting one at that.
Even the European Union, with its General Data Protection Regulation (GDPR)—which was supposed to provide a level playing field across E.U. countries—is a complex hodgepodge of rules and regulations that organizations have to navigate.
That said, there are some overarching principles to bear in mind that serve as a framework for virtually all privacy laws:
Of course, actually implementing these simple principles is immensely complicated. In future posts, we’ll dig into the details of exactly where and how you tackle this challenge. Meanwhile, have a look around your organization and ask how well these principles are being implemented right now. If you see any gaps, you’ve got some obvious starting points for your new privacy initiative.
For more on applying data privacy principles to retention, check out this webcast recording:
Privacy and Retention in the 21st Century – Not Your Grandpa’s Retention Schedule