Now that the California Consumer Privacy Act (CCPA) is in effect — and as some businesses scramble to comply with the new law’s requirements — the benefits of information lifecycle management have become clearer. Information lifecycle management is, after all, a way to superimpose some rational organization on a sometimes uncertain process.
Those actively engaged in the data privacy field might marvel at some questions about data privacy compliance being raised right now at conferences, on listservs and in professional advice columns. Some organizations obligated to comply with the CCPA are still struggling to determine the precise applicability of the California law to their organizations. Others are grappling with the data privacy requirements, like how to determine where data is and what to do with it, in a seemingly endless repetition of meetings with legal and compliance teams.
Layers of Data Privacy Concerns
One cannot help but wonder how data privacy compliance became so complicated. Part of the challenge can be chalked up to varied jurisdictional requirements, as federal, state and international laws sometimes overlap. Another complication is that, historically, data privacy considerations were an after-the-fact add-on to products and services that had already been developed and were being offered to consumers, rather than part of the initial design process. Plus, no one needs a reminder that compliance with the CCPA and other laws isn’t exactly an inexpensive endeavor.
Fortunately, information lifecycle management can help.
How Strong Information Lifecycle Management Helps
As with products, an organization’s information has its own lifecycle — from the planning stage through creation, use, storage and, ultimately, disposal. Various departments or groups in an organization have a role regarding this information at different points within its lifecycle. Sometimes, roles and responsibilities overlap, as information is shepherded from one stage to the next.
The benefit of information lifecycle management is that the process can help entities manage roles, responsibilities and obligations throughout the existence of any particular bit of data. Data privacy policies and procedures likely need to be updated and meshed with other pertinent policies. Because this merged data will need to be mapped and classified, an organization should develop a system to handle the varied requirements applicable to different types of information.
Naturally, some information lifecycle management consultants have more expertise than others. Given the number of stakeholders involved with an organization’s information, the still-changing requirements concerning data privacy and the risk associated with inadequate data protection, it is important to select an information governance advisory service with experience in this field.
The Challenge in Managing Personal Data
Part of the risk associated with data privacy practices stems from the lack of a universal definition of “personal data.” Laws addressing this topic have not defined personal information in the same way, and some laws provide greater protections for more sensitive information, data associated with children and other subsets of personally identifiable information.
Different legal requirements may apply to the data at different points in its existence. Laws also apply to more than just digital information; they cover physical records and even notes written on paper. It’s also likely that an entity may not have tracked the generation, collection and use of personal information all that carefully.
Data privacy remains an emerging area of the law, and impacted organizations have had to adapt to new requirements, sometimes within a tight time frame. To that end, an organization needs to fit the personal data it has collected, used, stored and marked for disposal within this evolving legal and regulatory framework.
Organizations need to proactively define personal data for themselves, identify where that data is located, and then manage personal data appropriately. Entities should develop a data flow map, so they know where their personal data is and how it moves or remains within the organization. Data mapping is also helpful in identifying the source of any breached data should a mishap occur. Using a content classification service can help organize this information and identify the requirements applicable to its various elements.