Editor’s Note: From time to time, ComplexDiscovery highlights publicly available or privately purchasable announcements, content updates, and research from cyber, data, and legal discovery providers, research organizations, and ComplexDiscovery community members. While ComplexDiscovery regularly highlights this information, it does not assume any responsibility for content assertions.
Minimize Regulatory Exposure from Consumer Data Privacy Legislation with Technology and Best Practices
By Tara Emory and Michael Kearney*
With growing numbers of individual U.S. states introducing and passing their own privacy laws, new (and amorphous) pending U.S. federal legislation, GDPR, and a complex array of other international laws on privacy, many enterprises justifiably lack confidence in their preparedness to comply with the various privacy regulations. While an abundance of technology solutions providers claim their tools can automate or facilitate privacy compliance, evaluating these solutions can be confusing. Different “privacy compliance” solutions may contain completely different features and work in quite different ways.
Privacy compliance is a multifaceted process, and most available solutions do not cover all of its facets. To determine what technologies might be a good fit, organizations must decide which aspects of privacy compliance they need to prioritize, and then seek solutions that address those needs. Depending on the organization and the applicable regulations, needed capabilities may include searching large stores of data in different ways, documenting and preserving information about systems, modifying or deleting personally identifiable information (PII), and more. Some solutions may involve artificial intelligence (AI) and other scripts, while others might involve less sophisticated technology, or might even be manual.
Pending and Existing Laws Are Driving the Need for Better Data Management Practices
Today’s organizations must comply with a mishmash of U.S. state and international privacy regulations, a situation that continues to evolve. For example, the pending American Data Privacy and Protection Act (ADPPA) presents the first comprehensive federal data privacy and security bill introduced in the U.S. with bipartisan and bicameral support. The reach of the language of the proposed ADPPA is broad and generally follows the trend of comprehensive privacy laws enacted over the past several years.
Depending on jurisdictional requirements and the types of data an organization holds and accesses, different entities will be required to comply with different privacy requirements. All of them, however, must understand the types of data they collect, how those are used, and how long they are retained. They must develop strategies to efficiently identify, collect, review, and disclose information related to individual consumers, as the laws provide certain rights to data subjects, including the ability to know, modify, and delete related data.
Some regulations require that certain entities follow data minimization principles and may provide increased protection for data related to young consumers, biometrics, and geolocation. Other regulations govern how entities across industries manage personally identifiable information or information that’s reasonably linkable to an individual. Data brokers, in particular, are in the crosshairs of regulators, and many of these organizations should begin planning to conduct algorithm impact assessments that describe their efforts to mitigate potential harm resulting from algorithm bias.
Each of these requirements highlights how important it is that organizations understand their data environment. Employees tasked with privacy compliance must work together with others engaged in separate data regulatory and legal disciplines. Along with the obvious need to work with security, new regulations highlight the need for effective information governance practices. For example, entities should retain only information that supports a business objective or is needed to meet a legal requirement. By getting rid of information when it no longer serves a business or legal purpose, they will be able to slow the tide of data that they must analyze when working to remain in compliance with privacy obligations.
Even with stellar information management practices, most organizations will be left with relative mountains of data that they must track to provide adequate consumer privacy safeguards, as well as provide information to individuals when receiving access requests. Except for smaller organizations that do not store much consumer personal information, most entities will need to turn to technology to remain in privacy compliance.
Assessing Potential Technology Investments to Address Privacy Compliance
With the patchwork of state and international requirements hovering in the background and new regulations potentially looming on the horizon, many organizations will need to acquire technologies and services to comply with the mandates stipulated by regulatory bodies. Organizations looking to build or bolster their privacy compliance programs using technology will face a dizzying array of options that address a variety of needs created by increased regulation.
PII compliance entails multiple strategies and goals, and individual standalone solutions address some considerations better than others. Therefore, organizations developing a more robust compliance program need to start by creating a plan to prioritize their PII goals and building a technology investment roadmap to support their objectives. Once their PII priorities are established and ranked, they will be in a much better position to select the right tools for their immediate needs while planning for future investments.
Here is an overview of core capabilities in privacy compliance tools:
Documentation. Certain tools offer documentation capabilities for various types of PII stored within an organization’s systems. In some instances, however, these tools rely on manual data entry. If your PII governance tools require manual updates, you must be cognizant of the impact on workflow volume for your staff, ongoing data maintenance protocols, and the potential for error. Otherwise, privacy programs that rely on these technologies will soon contain outdated data and risk non-compliance.
Identification. Other tools assist with the identification of PII throughout the various systems in your information technology environment. Before investing in this type of solution, you need a solid understanding of your organization’s data map. This initial due diligence—along with necessary ongoing updates—will help ensure that your organization addresses the necessary systems (and underlying data) required to remain in compliance. Organizations that fail to plan may later find that several systems have not been analyzed for privacy compliance.
When selecting PII identification software, you should also understand whether the tools search for content using a structural or a contextual approach. Whereas a structural approach captures data that is presented in a specified format, contextual tools can evaluate data whose surrounding content determines whether it represents PII. Machine learning (“ML”) algorithms driving the contextual tools may be able to detect a higher number of false positives than a structural approach that relies on simple regular expressions.
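As an added illustration of the structural-versus-contextual distinction (this code is not from the original article or from Redgrave Data), the Python scan below first applies a format-only rule and then requires a supporting cue near the match. The cue list, window size and sample text are constructed assumptions; the keyword window stands in for the ML context models the text refers to, and is not one.

```python
import re
from dataclasses import dataclass

# Constructed sample: one genuine SSN in context, and one value with the
# same NNN-NN-NNNN shape that is a parcel reference, not PII.
SAMPLE = (
    "Employee record: name Jane Doe, SSN 123-45-6789, hire date 2021-03-04.\n"
    "Shipping label: parcel ref 987-65-4321, carrier tracking ok.\n"
)

# Structural rule: anything shaped like a U.S. SSN, regardless of context.
SSN_SHAPE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Assumed context cues that make a matching shape likely to be a real SSN.
SSN_CUES = re.compile(r"\b(ssn|social security|tax ?id)\b", re.IGNORECASE)


@dataclass
class Hit:
    value: str
    offset: int
    contextual: bool  # True when a cue appears within the window


def scan(text: str, window: int = 40) -> list[Hit]:
    """Return every shape match, noting whether a cue sits within `window`
    characters on either side of it."""
    hits = []
    for m in SSN_SHAPE.finditer(text):
        start, end = m.span()
        nearby = text[max(0, start - window):min(len(text), end + window)]
        hits.append(Hit(m.group(), start, bool(SSN_CUES.search(nearby))))
    return hits


def structural_hits(text: str) -> list[str]:
    """Structural approach: every value matching the format is reported."""
    return [h.value for h in scan(text)]


def contextual_hits(text: str) -> list[str]:
    """Contextual approach: only values with a supporting cue nearby."""
    return [h.value for h in scan(text) if h.contextual]


if __name__ == "__main__":
    print("structural:", structural_hits(SAMPLE))
    print("contextual:", contextual_hits(SAMPLE))
```

On the sample the structural scan reports both values while the contextual scan drops the parcel reference; widening the window or the cue list trades recall against exactly that kind of false positive.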
Classification. Certain types of data (including data attributable to minors) are afforded heightened privacy protections by regulators. Although organizations should explore simpler solutions for classifying certain types of data (reviewing table headers, writing scripts, using structured queries), those with significant data sets with which they are encountering increasing headaches may also want to explore the data classification capabilities of certain ML tools. When exploring these options, you should remember to determine the amount of up-front work required to get these tools functioning properly.
Access Requests. The heightened regulations around data subject access requests (DSARs) — formal requests made by a consumer to an organization asking for details about how their data is being collected, used, stored, and shared — require careful consideration. While there are tools that are purpose-built to assist with reviewing potentially responsive documentation related to DSARs, many organizations use technologies that were originally developed for eDiscovery purposes. Both types of tools can provide the capabilities needed to respond in a timely and accurate fashion, but the effort must be supported by appropriate workflows for successful outcomes.
Applying Best Practices for Information Governance
Technology can serve as a tremendous aid for entities trying to comply with mandates from privacy regulation. The technologies they choose, however, are only as good as the processes and workflows implemented around them. Many solutions may serve the needs of your company, but working them into the structure of your organization is vital to your ultimate success. These considerations should be addressed at the procurement, implementation, and refinement phases of any organization’s compliance program.
Once appropriate structures are in place, you need to get and keep your people on board with following the appropriate policies and procedures, which requires training and cross-functional knowledge to the degree that they’re able to be effective data stewards. For example, a team member who receives a DSAR must understand the response process from start to finish to be able to perform their duties effectively — and they need the right technologies to get the job done.
No organization will achieve 100% compliance with policies and procedures; it’s human nature to fall back into old habits even when your people are fully trained. While you shouldn’t be looking to trap employees in non-compliant activities, you should have mechanisms in place to measure compliance and implement corrective measures when problems surface. Establishing consequences out of the gate and conducting periodic compliance audits will keep your people on track, and following up promptly when there’s a problem creates a closed-loop process.
Finally, define the metrics you will apply to demonstrate success with your information governance program. They should align with both your organizational goals and the nature of your data ecosystem. Even after implementing the appropriate technology and processes, your organization will need to continue to refine its internal compliance program.
At the end of the day, fitting technology to privacy mandates is a complex problem, and you should consider the data to be managed, your organizational needs, and your specific compliance requirements. By starting with these considerations, you will be well positioned to ensure that your organization can comply with the new privacy regulations that come your way.
* About the Authors
Tara Emory is a recognized leader in advising organizations and law firms on eDiscovery processes and information governance programs, including managing the development of search methodologies, data preservation and collection approaches, discovery protocols, data management and compliance programs, and records management technology solutions. Tara brings extensive experience in developing targeted and innovative solutions for a wide range of data problems to her role as Senior Vice President of Strategic Operations and Consulting at Redgrave Data. Prior to joining Redgrave Data, Tara served in multiple leadership roles at Innovative Driven, most recently as the Vice President, PRESA (Premiere Expert Solutions Advisory) Group & Associate General Counsel. Earlier in her career, she practiced as an associate attorney at various AmLaw 100 firms, including Skadden, Arps, Slate, Meagher & Flom LLP, Cadwalader, Wickersham & Taft LLP, and Clifford Chance US LLP. Since 2019, Tara has been recognized by the Chambers Litigation Support Guide as a nationally ranked expert in “eDiscovery – USA – Nationwide.” Tara received her J.D. and her LL.M. (International and Comparative Law) from Duke University School of Law and her B.A. from Pennsylvania State University. She holds a Project Management Professional Institute Certificate (PMP). Tara is admitted to practice in New York, the District of Columbia, and Virginia.
Michael is a leader in developing technical solutions and processes to address complex issues related to electronically stored information. He brings a multi-faceted background in technology, law, and consulting to his role as Head Solutions Architect at Redgrave Strategic Data Solutions LLC (“Redgrave Data”). Prior to joining Redgrave Data, Michael served as a Legal Technology Solutions Architect at Hogan Lovells, where he advised clients on matters related to information management and developed data-driven custom solutions to assist case teams with the analysis of complex data sets. His career trajectory began at Wells Fargo, managing a team in the information security risk department, followed by attending law school and practicing law as an attorney at Redgrave LLP. Michael received his B.A. from Washington and Lee University and his J.D. from William & Mary Law School.
The post Indecent Exposure? Considering Data Privacy Legislation, Technology, and Best Practices appeared first on ComplexDiscovery.