Recent data privacy regulations like the CPRA in California, the CPA in Colorado, and the CDPA in Virginia will dramatically change how we acquire, store, manage and dispose of information in our organizations. In most major companies, corporate teams from Legal, Compliance, Risk Management, IT and a slew of other business functions are hurriedly working to interpret these privacy laws and implement compliant solutions. And because data minimization is a foundational part of nearly all privacy regulations, Records and Information Management (RIM) will be an important player on teams working to achieve privacy compliance.
Most companies have established a RIM function that, for decades, has been responsible for the management of corporate information. In larger organizations, RIM governing bodies have created comprehensive policies, developed reliable processes, and deployed innovative technologies to help ensure that high-value records are consistently managed across a standardized information lifecycle model.
Unfortunately for records managers everywhere—and regardless of the level of maturity of your company’s RIM program—traditional RIM best practices won’t help your colleagues on the Data Privacy team with their urgent preparations for these new privacy regulations. To understand why, it’s important to know the differences between the disciplines of RIM and Privacy, starting with how these two disciplines developed over time.
The discipline of data privacy has been rapidly evolving over the last ten years. Starting in the EU in the early part of the 2010s, the General Data Protection Regulation (GDPR) introduced the concept of managing information to support consumer and employee data rights. This concept is now more widely recognized globally, including in the U.S., led by California, Colorado, and Virginia.
In stark contrast, Records and Information Management (RIM) has remained essentially unchanged since its slow and lackluster inception in the 1990s. Even today’s RIM efforts remain focused on managing information records stored in paper and electronic formats and in physical or electronic repositories, with little attention paid to structured data in transactional systems.
When an organization does RIM well, it can protect itself from great financial and reputational harm. The same is true for privacy—but that’s where the similarity ends. From the objectives of each to the types of information and systems involved, there are key differences between these vital corporate compliance functions.
| | Records and Information Management | Data Privacy |
|---|---|---|
| Objective | Preserve information for as long as it is valuable to the business. Typically means years, decades, or even forever. | Restrict the storage of personal information to a period of time based on the purpose for which it was collected. Typically means weeks, months, or years. |
| Information Format | Unstructured information, including paper and electronic documents, digital media, and email messages | Structured and unstructured personal information of any type |
| Storage Location | Unstructured content repositories, including shared network drives, cloud storage, and collaboration services such as Microsoft 365 SharePoint, Teams, OneDrive, Outlook folders, and more | Same storage locations as for RIM, plus all structured data systems, e.g., line-of-business and transactional systems |
| Discoverability | Difficult to find | Easier to find |
| Disposition | Difficult, because the information affected by privacy law is typically stored in electronic files and documents that may exist as multiple copies and multiple versions in disparate repositories where the owner may not be known | Less difficult, because the information affected by new privacy laws (CPRA, GDPR, etc.) is more likely to live in fewer, more strictly managed data applications, which tend to have purpose-built tools for querying and managing structured information |
How Data Privacy Laws Impact your Records and Information Program
Existing and emerging privacy regulations should be a wakeup call for organizations with firmly cemented RIM functions, as the remainder of the United States and the world implement expanded restrictions on the management of personal data.
Companies will need to transition from a records retention policy and schedule that is solely focused on document types, record series, and departments to one that is focused on types of personal information, taking into account the purpose for processing.
It is likely that privacy-related regulatory enforcement and litigation will cut across formats and repositories to reach data in structured systems as well as documents in repositories under the control of the RIM team. Personal information in play could reside in a business application, within documents on a shared network drive, or even on paper at an offsite storage location and all will be equal in their risk for regulatory enforcement.
Forward-thinking RIM professionals must prepare themselves to expand from their current vision of “documents as records” to consider all personal information to be within scope and subject to the information lifecycle. In the same way that a personnel record may be assigned a retention period of “Separation Date + 7 years” in the retention schedule, the data collected about a customer’s actions during an online shopping session must also have a defined retention period — albeit likely a much shorter amount of time.
Making this shift will likely be a challenge for RIM functions—not only conceptually (because it fundamentally alters their focus), but also operationally. After all, many organizations have spent two decades or more doing RIM the pre-privacy way and changing those well-worn habits will be difficult and require tremendous change management. But unless they do, compliance with the ever-increasing set of U.S. and global privacy regulations will be difficult, if not impossible.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.