If you’re in the information governance space these days, in virtually any capacity, you’re hearing a lot about data privacy. And unless your organization is either far ahead of the curve—or so far behind that you don’t even know it’s a concern—there’s probably a lot of discussion about what you should do to bring your organization into privacy compliance.
Privacy is never a one-off
These are good discussions to have, but in having them, bear in mind that privacy compliance isn’t a single act, something that you do or implement and then think no more about it. Privacy is more of a philosophical position that you must adopt, which will then drive outcomes in a wide variety of processes, technologies and data repositories. Some are standard processes and documents, like records retention and retention schedules. But many others, like the need to provide disclosures, obtain permissions before collecting personal data and set retention periods, may be new to your organization, and may require you to develop unfamiliar processes and implement new or revised tools.
In tackling this daunting problem, it’s important to understand that privacy compliance isn’t by any means a uniform thing. The outcomes you’ll need to achieve are driven by laws, and what those laws require vary quite a bit. So, if you do business in Europe, you’re faced with a much different privacy landscape than if you operate only in the United States. But even in the U.S., the particular mix of states you do business in will have an assortment of privacy laws that vary by state. These days, it’s tempting to assume that, in the U.S., the California Consumer Privacy Act (CCPA) is the only game in town, but that would be a mistake. Many other states have privacy laws on the books, and many more are on the way. Not only is it a complex landscape, it’s a shifting one at that.
Even the European Union, with its General Data Privacy Regulation (GDPR)—which was supposed to provide a level playing field in E.U. countries—is a complex hodgepodge of rules and regulations that organizations have to navigate.
Data privacy principles
That said, there are some overarching principles to bear in mind that serve as a framework for virtually all privacy laws:
- If it can be connected to a particular human being, it’s personal information. Some privacy laws contain laundry lists of specific bits of information that are regarded as personal, but many, including the CCPA and GDPR, are far broader and more general—and the landscape keeps shifting. So it’s not a good idea to assume that this or that bit of personal information is of no concern to you.
- Less is more, and less is better. If you don’t need a bit of personal information, don’t collect it in the first place. If you needed it and are done with it, get rid of it. This notion of data minimization—reducing the amount of personal information in your possession—is a central tenet of all privacy laws. And by implication, it tells you that you need to have and enforce a records retention schedule, the vehicle by which you dispose of old information.
- When in doubt, disclose and ask. You don’t always need to disclose why you’re collecting personal information, and you don’t always need to ask for permission to do the collecting. But if permission is a requirement and you don’t comply, you could be making a very expensive mistake. It never hurts to disclose and ask. If nothing else it’s good PR, so unless you’re absolutely sure you don’t need to, ask.
- No one should see it unless they need it. Privacy is about keeping secrets, and it’s not so secret if everybody in your organization can read it. If they can access it now, that needs to stop.
Of course, actually implementing these simple principles is immensely complicated. In future posts, we’ll dig into the details of exactly where and how you tackle this challenge. Meanwhile, have a look around your organization and ask how well these principles are being implemented right now. If you see any gaps, you’ve got some obvious starting points for your new privacy initiative.
For more on applying data privacy principles to retention, check out this webcast recording:
Privacy and Retention in the 21st Century – Not Your Grandpa’s Retention Schedule