Navigating the Privacy Maze: What Organizations Need to Know About Data Governance
October 27, 2023
While the United States doesn’t have a national data privacy law yet, 12 states have passed comprehensive data privacy legislation. Globally, the E.U.’s General Data Protection Regulation (GDPR) has governed the processing of personal data in the E.U. and the European Economic Area since 2018.
Legislation governing the use of data isn’t just stopping at privacy, though. “Countries around the world are enacting rules and regulations to regulate different parts of the digital economy, all of which impact how organizations are able to use their data,” said Fahad Diwan, Director of Product Management at Exterro, in a recent webinar co-hosted with Today’s General Counsel.
These rules and regulations come with compliance obligations for organizations, and the cost of non-compliance is significant. The GDPR allows fines of up to 4% of a company’s total worldwide annual turnover for the preceding financial year (or €20 million, whichever is higher). California’s privacy laws allow penalties of up to $7,500 per intentional violation.
Many privacy laws are built on the principle of data minimization and require that companies delete personal data once it is no longer needed for the purpose for which it was collected.
There are four significant risks related to over-retaining data:
- It increases your privacy risk: every record you hold is one you must protect, account for in your inventory, and produce or erase when a data subject asks.
- It increases your litigation risk: the more data you hold, the more you may have to preserve, review and disclose in discovery.
- It increases your attack surface: data you no longer need is still data an attacker can steal, so over-retention raises both the likelihood and the impact of a breach.
- It exposes unenforced retention schedules: many organizations have a schedule on paper but do not actually apply it.
Perhaps counterintuitively, an unenforced retention schedule is a potential source of greater liability than having none at all. It documents an obligation the organization can be shown to have ignored, and the data that should have been disposed of is still discoverable in litigation and still exposed in a breach.
Operationalization Challenges
Complying with these rules and regulations raises practical challenges. Knowing the who, what, when, where, and why of your data and records lays the foundation for meeting them. “A data inventory is an effective way to answer all of these questions,” Diwan said. “It is a centralized repository in which you list what data and records you have, who has access to it, where they’re located, and why you have them in the first place.”
Many organizations build this data inventory manually. Collecting the information from each business unit takes a lot of time and effort, and by the time the inventory is complete it is often inaccurate and incomplete, and already out of date.
Data Discovery
Data discovery tooling, increasingly built on machine learning and large language models, can determine what kinds of information you hold and where they reside. A data discovery product packages this capability and gives a quick overview of the information spread across your data sources, including SaaS applications.
The first step is knowing what you have. Only then can you decide what data to retain and what to delete. A data discovery tool scans your data sources, collects content and metadata, and applies classification rules and models to identify, track, and classify sensitive data.
Such a tool can also enforce your business policies, support your risk assessments, and produce ongoing status reports. It operationalizes your data minimization and record retention initiatives by flagging sensitive data as well as files and records that have aged out of their retention period. Disposing of data you no longer need is a critical part of the process.
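The scan-classify-flag loop described above, as an added example that is not Exterro's, Dive Bell's or any vendor's code: it runs validated pattern detectors (email, US SSN, Luhn-checked payment card numbers) over a handful of constructed records, then applies a hypothetical retention schedule so that records past their retention period are flagged for deletion, records still in retention but containing sensitive data are flagged for review, and records with no retention class at all are reported as a schedule gap. The record contents, paths, categories and retention periods are all made up. A real tool covers far more data types and context than three regexes, and because any classifier produces false positives and negatives, the actions here are recommendations for a disposal workflow, not automatic deletes.

```python
"""Minimal data-discovery pass: classify sensitive data, then apply a retention schedule."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit strings that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """SSA assignment rules: area 000/666/9xx, group 00 and serial 0000 are never issued."""
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"


def classify(text: str) -> frozenset:
    """Return the set of sensitive data types detected in a piece of content."""
    found = set()
    if EMAIL_RE.search(text):
        found.add("email")
    if any(ssn_plausible(*m) for m in SSN_RE.findall(text)):
        found.add("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("payment_card")
    return frozenset(found)


@dataclass(frozen=True)
class Record:
    source: str          # location in the inventory (share path, SaaS object, mailbox)
    category: str        # record class the retention schedule keys on
    last_modified: date
    content: str


@dataclass(frozen=True)
class Finding:
    source: str
    sensitive: tuple     # sorted data types found, () if none
    age_days: int
    action: str          # "delete" | "review" | "keep" | "no_schedule"


def discover(records, schedule, as_of):
    """Classify each record and derive an action from the retention schedule.

    A record whose category has no schedule entry is reported as "no_schedule":
    it cannot be minimized until someone assigns it a retention class.
    """
    findings = []
    for r in records:
        types = tuple(sorted(classify(r.content)))
        age = (as_of - r.last_modified).days
        limit = schedule.get(r.category)
        if limit is None:
            action = "no_schedule"
        elif age > limit:
            action = "delete"    # aged out: retention period exceeded
        elif types:
            action = "review"    # within retention but sensitive: protect and track
        else:
            action = "keep"
        findings.append(Finding(r.source, types, age, action))
    return findings


def summarize(findings) -> dict:
    """Count records per action, the numbers an ongoing status report would show."""
    return dict(Counter(f.action for f in findings))


# Hypothetical retention schedule, in days per record class (not from any real policy).
RETENTION_DAYS = {"recruiting": 365, "payroll": 7 * 365, "marketing": 2 * 365}

# Constructed sample records; none of these are real people, accounts or files.
SAMPLE_RECORDS = [
    Record("hr-share/applicants/2021/jdoe.txt", "recruiting", date(2021, 6, 1),
           "Applicant Jane Doe, jane.doe@example.com, SSN 123-45-6789"),
    Record("payroll-app/employee/4412", "payroll", date(2023, 1, 15),
           "Direct deposit set up; card on file 4111 1111 1111 1111"),
    Record("crm/exports/q3-campaign.csv", "marketing", date(2023, 9, 30),
           "campaign export; internal ref 1234 5678 9012 3456; batch 000-12-3456"),
    Record("shared-drive/misc/old-export.csv", "unclassified", date(2019, 2, 1),
           "name,email\nBob Example,bob@example.com"),
]
AS_OF = date(2023, 10, 27)

if __name__ == "__main__":
    results = discover(SAMPLE_RECORDS, RETENTION_DAYS, AS_OF)
    for f in results:
        kinds = ",".join(f.sensitive) or "-"
        print(f"{f.action:12} {f.age_days:5}d  {kinds:20} {f.source}")
    print(summarize(results))
```

The third record shows why the validity checks matter: a 16-digit internal reference that fails the Luhn check and a 000-area number that can never be a real SSN both stay out of the findings, so the report does not drown genuine hits in noise.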
“Cultural change is happening,” said Ashish Shrowty, Chief Product Officer and Co-founder at Dive Bell. “Those enlightened organizations that are driving the change are realizing amazing value and reduction in risk in terms of what they’re doing with data minimization initiatives.”
Key takeaways from the discussion:
- Regularly update your knowledge of privacy and data protection laws.
- Adopt a recognized framework, such as the NIST Privacy Framework from the National Institute of Standards and Technology (NIST) or ISO/IEC 27701 from the International Organization for Standardization (ISO), and incorporate it into your workflow.
- Establish a data inventory to lay the foundation for compliance.
- Develop and maintain well-documented policies and procedures to demonstrate compliance.
- Perform risk assessments and document your decisions.
- Clearly define data retention and disposal practices in your documentation.
- Utilize data discovery technology to streamline classification and management, and implement your business policies.
- Operationalize your data minimization and record retention initiatives.