Thu. Mar 28th, 2024

Content Assessment: Indecent Exposure? Considering Data Privacy Legislation, Technology, and Best Practices

Information - 91%
Insight - 92%
Relevance - 90%
Objectivity - 89%
Authority - 92%

91%

Excellent

A short percentage-based assessment of the qualitative benefit of the recent article by Tara Emory and Michael Kearney of Redgrave on data privacy technologies and best practices.

Editor’s Note: From time to time, ComplexDiscovery highlights publicly available or privately purchasable announcements, content updates, and research from cyber, data, and legal discovery providers, research organizations, and ComplexDiscovery community members. While ComplexDiscovery regularly highlights this information, it does not assume any responsibility for content assertions.

To submit recommendations for consideration and inclusion in ComplexDiscovery’s cyber, data, and legal discovery-centric service, product, or research announcements, contact us today.


Article

Minimize Regulatory Exposure from Consumer Data Privacy Legislation with Technology and Best Practices

By Tara Emory and Michael Kearney*

With growing numbers of individual U.S. states introducing and passing their own privacy laws, new (and amorphous) pending U.S. federal legislation, GDPR, and a complex array of other international laws on privacy, many enterprises justifiably lack confidence in their preparedness to comply with the various privacy regulations. While an abundance of technology solutions providers claim their tools can automate or facilitate privacy compliance, evaluating these solutions can be confusing. Different “privacy compliance” solutions may contain completely different features and work in quite different ways.

Privacy compliance is a multifaceted process, and most available solutions do not cover all of its facets. To determine what technologies might be a good fit, organizations must determine which aspects of privacy compliance they need to prioritize, and then seek solutions to address those needs. Depending on the organization and applicable regulations, needed capabilities may include searching large stores of data in different ways, documenting and preserving information about systems, modifying or deleting personally identifiable information (PII), and more. Some solutions may involve artificial intelligence (AI) and other scripts, while others might involve less sophisticated technology, or might even be manual.

Pending and Existing Laws Are Driving the Need for Better Data Management Practices

Today’s organizations must comply with a mishmash of U.S. state and international privacy regulations, a situation that continues to evolve. For example, the pending American Data Privacy and Protection Act (ADPPA) presents the first comprehensive federal data privacy and security bill introduced in the U.S. with bipartisan and bicameral support. The reach of the language of the proposed ADPPA is broad and generally follows the trend of comprehensive privacy laws enacted over the past several years.

Depending on jurisdictional requirements and the types of data an organization holds and accesses, different entities will be required to comply with different privacy requirements. All of them, however, must understand the types of data they collect, how that data is used, and how long it is retained. They must develop strategies to efficiently identify, collect, review, and disclose information related to individual consumers, as the laws provide certain rights to data subjects, including the ability to know, modify, and delete related data.

Some regulations require that certain entities follow data minimization principles and may provide increased protection for data related to young consumers, biometrics, and geolocation. Other regulations govern how entities across industries manage personally identifiable information or information that’s reasonably linkable to an individual. Data brokers, in particular, are in the crosshairs of regulators, and many of these organizations should begin planning to conduct algorithm impact assessments that describe their efforts to mitigate potential harm resulting from algorithm bias.

Each of these requirements highlights how important it is that organizations understand their data environment. Employees tasked with privacy compliance must work together with others engaged in separate data regulatory and legal disciplines. Along with the obvious need to work with security, new regulations highlight the need for effective information governance practices. For example, entities should retain only information that supports a business objective or is needed to meet a legal requirement. By getting rid of information when it no longer serves a business or legal purpose, they will be able to slow the tide of data that they must analyze when working to remain in compliance with privacy obligations.

Even with stellar information management practices, most organizations will be left with relative mountains of data that they must track to provide adequate consumer privacy safeguards, as well as provide information to individuals when receiving access requests. Except for smaller organizations that do not store much consumer personal information, most entities will need to turn to technology to remain in privacy compliance.

Assessing Potential Technology Investments to Address Privacy Compliance

With the patchwork of state and international requirements hovering in the background and new regulations potentially looming on the horizon, many organizations will need to acquire technologies and services to comply with the mandates stipulated by regulatory bodies. Organizations looking to build or bolster their privacy compliance programs using technology will face a dizzying array of options that address a variety of needs created by increased regulation.

PII compliance entails multiple strategies and goals, and individual standalone solutions address some considerations better than others. Therefore, organizations developing a more robust compliance program need to start by creating a plan to prioritize their PII goals and building a technology investment roadmap to support their objectives. Once their PII priorities are established and ranked, they will be in a much better position to select the right tools for their immediate needs while planning for future investments.

Here is an overview of core capabilities in privacy compliance tools:

Documentation. Certain tools offer documentation capabilities for various types of PII stored within an organization’s systems. In some instances, however, these tools rely on manual data entry. If your PII governance tools require manual updates, you must be cognizant of the impact on workflow volume for your staff, ongoing data maintenance protocols, and the potential for error. Otherwise, privacy programs that rely on these technologies will soon contain outdated data and risk non-compliance.

Identification. Other tools assist with the identification of PII throughout the various systems in your information technology environment. Before investing in this type of solution, you need a solid understanding of your organization’s data map. This initial due diligence—along with necessary ongoing updates—will help ensure that your organization addresses the necessary systems (and underlying data) required to remain in compliance. Organizations that fail to plan may later find that several systems have not been analyzed for privacy compliance.

When selecting PII identification software, you should also understand whether the tools search for content using a structural or a contextual approach. A structural approach matches data presented in a specified format (a nine-digit number broken three-two-four, for example) and will therefore flag every value of that shape, whether or not it is PII. Contextual tools evaluate the surrounding data (field labels, nearby words, known issuance rules for the identifier) to decide whether a structurally matching value actually represents PII. The machine learning (“ML”) models driving contextual tools can discard many of the false positives that a structural approach relying on simple regular expressions produces, at the cost of more up-front tuning and less predictable behavior. Ask vendors for precision and recall figures measured on a sample of your own data rather than relying on either label.
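The structural-versus-contextual distinction, carried through as an added example that is not part of the article and is not Redgrave's or any vendor's tooling. The script runs a regular-expression (“structural”) scan for SSN-shaped numbers over a constructed sample text, then a “contextual” pass that keeps a hit only if it satisfies the Social Security Administration's issuance rules and a label word such as “SSN” appears on the same line. The label vocabulary, the context window, and the sample text are assumptions made for illustration, not a product's configuration.

```python
"""Structural versus contextual detection of SSN-shaped values in text.

Added example; not code from the article or from Redgrave. The sample text,
the label vocabulary and the context window are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Structural pattern: three, two and four digits with optional separators.
# A regex-only scanner stops here and reports every value of this shape.
SSN_SHAPE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

# Words that, when they appear near a candidate, suggest the number really
# is an SSN rather than an order or part number (assumed vocabulary; a real
# tool curates or learns this list).
LABEL_WORDS = {"ssn", "social", "security", "taxpayer", "tin"}
CONTEXT_WINDOW = 40  # characters inspected on either side, within the line


@dataclass
class Candidate:
    value: str
    area: str
    group: str
    serial: str
    context: str


def context_of(text: str, start: int, end: int) -> str:
    """Surrounding text on the same line, clipped to CONTEXT_WINDOW each side."""
    line_start = text.rfind("\n", 0, start) + 1
    line_end = text.find("\n", end)
    if line_end == -1:
        line_end = len(text)
    return text[max(line_start, start - CONTEXT_WINDOW):
                min(line_end, end + CONTEXT_WINDOW)]


def structural_scan(text: str) -> list[Candidate]:
    """Every substring shaped like an SSN, regardless of what it means."""
    return [
        Candidate(m.group(0), *m.groups(), context_of(text, m.start(), m.end()))
        for m in SSN_SHAPE.finditer(text)
    ]


def valid_ssn_structure(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def contextual_scan(text: str) -> list[Candidate]:
    """Keep a structural hit only if it is issuable and labelled nearby."""
    kept = []
    for c in structural_scan(text):
        if not valid_ssn_structure(c.area, c.group, c.serial):
            continue
        nearby = set(re.findall(r"[a-z]+", c.context.lower()))
        if nearby & LABEL_WORDS:
            kept.append(c)
    return kept


# Constructed sample: one real-looking SSN, one order number of the same
# shape, one labelled placeholder with an unissuable area, one phone number.
SAMPLE_TEXT = (
    "Employee record: SSN 219-09-9999, start date 2021-03-04.\n"
    "Order number 555-12-3456 shipped to dock 7.\n"
    "Taxpayer ID 000-45-6789 on file (placeholder).\n"
    "Phone 202 555 0147 ext 12.\n"
)

if __name__ == "__main__":
    print("structural:", [c.value for c in structural_scan(SAMPLE_TEXT)])
    print("contextual:", [c.value for c in contextual_scan(SAMPLE_TEXT)])
```

On the sample, the structural pass reports three hits and the contextual pass keeps one: the order number has the right shape but no label nearby, and the placeholder is labelled but has an area number the SSA never issues. A commercial contextual tool replaces the keyword set with a trained model, but the evaluation question is the same one this script makes visible: on your data, what does it discard and what does it keep.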

Classification. Certain types of data (including data attributable to minors) are afforded heightened privacy protections by regulators. Organizations should first explore simpler solutions for classifying such data (reviewing table headers, writing scripts, using structured queries against the systems that hold it); those with data sets large or messy enough that these approaches no longer scale may also want to explore the data classification capabilities of certain ML tools. When exploring these options, determine the amount of up-front work (training data, tuning, validation) required to get the tools functioning properly.
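One of the simpler solutions the paragraph mentions, carried through as an added example that is not code from the article or from Redgrave: classify the columns of a structured store by tokenizing their header names against a category vocabulary, then use a structured query to count records in a heightened-protection category (here, minors by date of birth). The in-memory SQLite table, its rows, the header vocabulary, and the eighteen-year threshold are constructed assumptions for the example; the age of majority and the protected categories are set by the regulation that applies to you.

```python
"""Header-driven classification of columns in a structured store, followed
by a structured query for a heightened-protection category (minors).

Added example; not code from the article or from Redgrave. The table, its
rows and the header vocabulary are constructed for illustration.
"""
import re
import sqlite3

# Header tokens that suggest a protected category (assumed vocabulary;
# build yours from your data map, not from this list).
CATEGORY_TOKENS = {
    "date_of_birth": {"dob", "birth", "birthdate", "birthday"},
    "geolocation": {"lat", "latitude", "lon", "lng", "longitude", "geo"},
    "biometric": {"fingerprint", "faceprint", "iris", "biometric"},
    "direct_identifier": {"ssn", "email", "phone", "name"},
}

IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def safe_identifier(name: str) -> str:
    """Table and column names cannot be bound as SQL parameters, so only
    plain identifiers are allowed into the query text."""
    if not IDENTIFIER.fullmatch(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return name


def header_tokens(column_name: str) -> set[str]:
    """Split snake_case and camelCase headers into lowercase word tokens."""
    spaced = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", column_name)
    return set(re.findall(r"[a-z]+", spaced.lower()))


def classify_columns(conn: sqlite3.Connection, table: str) -> dict[str, str]:
    """Map each column whose header matches a category to that category."""
    table = safe_identifier(table)
    columns = [row[1] for row in conn.execute(f"PRAGMA table_info({table})")]
    classified = {}
    for col in columns:
        tokens = header_tokens(col)
        for category, vocab in CATEGORY_TOKENS.items():
            if tokens & vocab:
                classified[col] = category
                break
    return classified


def count_minors(conn: sqlite3.Connection, table: str, dob_column: str,
                 as_of: str) -> int:
    """Records whose date of birth is less than 18 years before as_of (an
    ISO date string); the date is bound, the identifiers are validated."""
    table, dob_column = safe_identifier(table), safe_identifier(dob_column)
    sql = f"SELECT COUNT(*) FROM {table} WHERE {dob_column} > date(?, '-18 years')"
    return conn.execute(sql, (as_of,)).fetchone()[0]


def build_sample_db() -> sqlite3.Connection:
    """Constructed customer table with mixed sensitive and benign columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, full_name TEXT, "
        "email TEXT, birth_date TEXT, home_lat REAL, home_lon REAL, "
        "loyalty_tier TEXT, createdAt TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        [
            (1, "Ada Example", "ada@example.com", "1990-05-01", 38.9, -77.0, "gold", "2020-01-01"),
            (2, "Ben Example", "ben@example.com", "2010-09-15", 40.7, -74.0, "basic", "2023-06-30"),
            (3, "Cy Example", "cy@example.com", "2006-03-28", 41.8, -87.6, "basic", "2024-01-15"),
        ],
    )
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    found = classify_columns(db, "customers")
    print("classified columns:", found)
    for col, category in found.items():
        if category == "date_of_birth":
            print("minors as of 2024-03-28:", count_minors(db, "customers", col, "2024-03-28"))
```

Two things worth noticing. The identifiers are validated before being interpolated, because neither PRAGMA arguments nor column names can be bound as parameters and a classification script is exactly the kind of internal tool that ends up taking table names from a spreadsheet. And header-only classification sees nothing inside free-text columns (notes, comments, attachments), which is the gap the identification tools in the previous section exist to fill.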

Access Requests. The heightened regulations around data subject access requests (DSARs) — formal requests made by a consumer to an organization asking for details about how their data is being collected, used, stored, and shared — require careful consideration. While there are tools that are purpose-built to assist with reviewing potentially responsive documentation related to DSARs, many organizations use technologies that were originally developed for eDiscovery purposes. Both types of tools can provide the capabilities needed to respond in a timely and accurate fashion, but the effort must be supported by appropriate workflows for successful outcomes.

Applying Best Practices for Information Governance

Technology can serve as a tremendous aid for entities trying to comply with mandates from privacy regulation. The technologies they choose are only as good as the processes and workflows that are implemented around them. There are a lot of solutions that may serve the needs of your company, but working them into the structure of your organization is vital to your ultimate success. These considerations should be addressed at the procurement, implementation, and refinement phases of any organization’s compliance program.

Once appropriate structures are in place, you need to get and keep your people on board with following the appropriate policies and procedures, which requires training and cross-functional knowledge to the degree that they’re able to be effective data stewards. For example, a team member who receives a DSAR must understand the response process from start to finish to be able to perform their duties effectively — and they need the right technologies to get the job done.

No organization will achieve 100% compliance with policies and procedures; it’s human nature to fall back into old habits even when your people are fully trained. While you shouldn’t be looking to trap employees in non-compliant activities, you should have mechanisms in place to measure compliance and to implement corrective measures when problems surface. Establishing consequences out of the gate and conducting periodic compliance audits will keep your people on track, and following up promptly when there’s a problem creates a closed-loop process.

Finally, define the metrics you will apply to demonstrate success with your information governance program. They should align with both your organizational goals and the nature of your data ecosystem. Even after implementing the appropriate technology and processes, your organization will need to continue to refine its internal compliance program.

And at the end of the day, fitting technology to privacy mandates is a complex problem, and you should consider the data to be managed, organizational needs, and specific compliance requirements. By starting with these considerations, you will have a great start to ensuring that your organization can comply with the new privacy regulations that come your way.

* About the Authors

  • Tara Emory

Tara Emory is a recognized leader in advising organizations and law firms on eDiscovery processes and information governance programs, including managing the development of search methodologies, data preservation and collection approaches, discovery protocols, data management and compliance programs, and records management technology solutions. Tara brings extensive experience in developing targeted and innovative solutions for a wide range of data problems to her role as Senior Vice President of Strategic Operations and Consulting at Redgrave Data. Prior to joining Redgrave Data, Tara served in multiple leadership roles at Innovative Driven, most recently as the Vice President, PRESA (Premiere Expert Solutions Advisory) Group & Associate General Counsel. Earlier in her career, she practiced as an associate attorney at various AmLaw 100 firms, including Skadden, Arps, Slate, Meagher & Flom LLP, Cadwalader, Wickersham & Taft LLP, and Clifford Chance US LLP. Since 2019, Tara has been recognized by the Chambers Litigation Support Guide as a nationally ranked expert in “eDiscovery – USA – Nationwide.” Tara received her J.D. and her LL.M. (International and Comparative Law) from Duke University School of Law and her B.A. from Pennsylvania State University. She holds a Project Management Professional Institute Certificate (PMP). Tara is admitted to practice in New York, the District of Columbia, and Virginia.

  • Michael Kearney

Michael is a leader in developing technical solutions and processes to address complex issues related to electronically stored information. He brings a multi-faceted background in technology, law, and consulting to his role as Head Solutions Architect at Redgrave Strategic Data Solutions LLC (“Redgrave Data”). Prior to joining Redgrave Data, Michael served as a Legal Technology Solutions Architect at Hogan Lovells, where he advised clients on matters related to information management and developed data-driven custom solutions to assist case teams with the analysis of complex data sets. His career trajectory began at Wells Fargo, managing a team in the information security risk department, followed by attending law school and practicing law as an attorney at Redgrave LLP. Michael received his B.A. from Washington and Lee University and his J.D. from William & Mary Law School.


Source: ComplexDiscovery

 

Generative Artificial Intelligence and Large Language Model Use

ComplexDiscovery OÜ recognizes the value of GAI and LLM tools in streamlining content creation processes and enhancing the overall quality of its research, writing, and editing efforts. To this end, ComplexDiscovery OÜ regularly employs GAI tools, including ChatGPT, Claude, Midjourney, and DALL-E, to assist, augment, and accelerate the development and publication of both new and revised content in posts and pages published (initiated in late 2022).
