Data security or data privacy? Challenges regulating personal data.
Data is a company’s greatest asset, but it can also be an Achilles’ heel when regulatory compliance isn’t met.
Though policies for data security are maturing in response to the increased prevalence of cybercrime, the rules governing how companies may collect, use, and control personal data remain far less developed. Data privacy has traditionally been under-prioritized, and many legal teams do not understand the distinction between data security (protecting data from unauthorized access) and data privacy (governing what may lawfully be collected and done with it). Matters are compounded further when regional variations in data law come into play.
Defining Data
How data must be handled depends on how it is classified, and the law draws a distinction between "personal" data and "sensitive" data.
Personal data is any information that can identify an individual, directly or indirectly. Sensitive data is a subset of personal data that may be collected and processed only under the conditions local law expressly permits, and it is subject to the tightest restrictions. Personal data in general is the focus of most privacy legislation.
Privacy Regulations
Staying compliant with personal data privacy regulations becomes a significant challenge once international business enters the picture. Each global and regional jurisdiction imposes its own legal restrictions on how personal data may be collected, used, processed, shared, or transferred.
"…If you run legal operations of a company in the U.S., it does not mean you have the right to access data in a foreign jurisdiction," said Sheila Fitzpatrick, a data privacy expert who works with the U.S. government and the Council of the European Union.
The problem stems from the complexity of data management in each region: every jurisdiction has its own laws, and they must be followed regardless of where the company handling the data is based. According to Fitzpatrick, transparency is key:
“You need to collect data that you absolutely have to have to run the business … you need to understand what you are using that data for. You need to be very clear about why you are collecting that data and what you plan to do with that data. There is no implied consent.”
Data privacy is also subject to several other distinctive rules, chief among them the "right to be forgotten." Under it, companies are eventually obliged to delete an individual's data unless a legal hold (for example, for pending litigation) requires that it be retained.
Although data security is well established, data privacy is still undervalued in the legal world. As e-discovery and legal practice become increasingly global, further regulation will be needed on cross-border e-discovery, data ownership, and how to ensure both information security and data privacy for all users.
*****
Written by Dean Van Dyke, Vice President, Business Process Optimization
Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of experience in customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management to iBridge. Mr. Van Dyke formerly headed Microsoft's corporate records and information management team and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master's in Business Administration from Colorado Technical University.