Written by Doug Austin, Editor of eDiscovery Today
Back in November, I wrote on this blog about Big Data being one of the challenges that is forcing technology to move to the data sooner in the discovery process. One of the most notable fun facts that illustrates just how much bigger Big Data is getting is that our accumulated digital universe of data will grow from 0.1 zettabytes in 2005 (when the EDRM model was created) to around 163 zettabytes, or over 163 trillion gigabytes, in 2025. That’s over 1,630 times as much data – in just twenty years!
But it’s not just the size of the data, it’s what you do with it. Today, there are numerous compliance requirements that organizations face that dictate not only how they handle their organizational data, but also that of their customers and individuals for whom they may store data within their ecosystem. If you have compliance responsibilities within your organization, you know that it’s a veritable “alphabet soup” of regulations to adhere to in today’s world. You probably know the first two, but do you know all the others?
The “Alphabet Soup” of Compliance in Organizations Today
- General Data Protection Regulation (GDPR): Enacted by the European Union to deepen and harmonize personal data protection regulations
- California Consumer Privacy Act (CCPA): Focuses on consumer privacy rights of California residents
- California Privacy Rights Act (CPRA): Clarifies that consumers can opt out of both the sale and sharing of their personal information to third parties and takes effect in January 2023
- Consumer Data Protection Act (CDPA): Virginia’s new data privacy law which also takes effect in January 2023
- Health Insurance Portability and Accountability Act (HIPAA): Mandates national standards to secure the privacy of personal health information
- Payment Card Industry Data Security Standard (PCI-DSS): Security standard developed by the major credit card companies to help protect sensitive cardholder data
- Sarbanes-Oxley Act (SOX): Designed to protect investors from fraudulent financial reporting by corporations
- Personal Information Protection and Electronic Documents Act (PIPEDA): Canadian federal privacy law for private-sector organizations
If you are subject to GDPR or CCPA, you also may need to respond to these:
- Data Subject Access Requests (DSARs): Means by which individuals request that the organization disclose what personal data it holds on them and how it uses or intends to use it
If you work with Federal agencies, you need to be aware of this one:
- Federal Information Security Management Act (FISMA): Requires federal agencies and those providing services on their behalf to develop, document, and implement security programs for information technology systems and store the data on U.S. soil
Additional Regulations by Type of Data
There’s even more “alphabet soup” when it comes to the type of data you need to protect, such as:
- Personally Identifiable Information (PII): Information that can be used to uniquely identify, contact, or locate a person. PII is a superset of the other personal information types listed below (PHI, PCI and PFI).
- Protected Health Information (PHI): Individually identifiable health information, regulated by HIPAA
- Payment Card Industry (PCI): Information related to credit, debit, or other payment cards, regulated by PCI-DSS.
- Personal Financial Information (PFI): An individual’s personal financial information, including portfolio holdings, banking information, transaction data, etc.
You get the idea. With Big Data growing at the pace identified above, there are so many regulations to comply with and so many types of data to track compliance for that organizations today must leverage technology to effectively keep up with the “alphabet soup” of data compliance.
Two Letters to Keep Up with Your Organization’s “Alphabet Soup”
So, what two letters will help your organization keep up with the compliance requirements associated with all those other letters? AI. That’s right, today’s organizations can no longer rely on just policies and procedures to keep up – they must leverage technology and that includes artificial intelligence to identify sensitive data within their organization.
AI-based automatic classification algorithms can be trained to identify key sensitive information (including personal information) allowing for automated identification (and even remediation of sensitive information when necessary) to streamline an organization’s requirements to keep up with the “alphabet soup” of compliance today.
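To make the identification-and-remediation loop described above concrete, here is an added example that is not part of the original post and not IPRO’s product code. It is a deliberately simple rule-based classifier (patterns plus a Luhn checksum for card numbers) rather than a trained model, but it shows the same two steps an automated pipeline performs: tag each record with the data types from the list above (PII, PHI, PCI, PFI) and mask the sensitive values it found. The sample records, names, numbers and the keyword lists are constructed for this illustration; 4111 1111 1111 1111 is a widely used test card number, not a real account.

```python
import re
from dataclasses import dataclass, field

# Constructed sample records for the demonstration; every name, number and
# address here is made up.  The card number is a standard test value.
SAMPLE_RECORDS = [
    "Patient Jane Roe, MRN 000123, diagnosis: type 2 diabetes, contact jane.roe@example.com",
    "Order 9981 paid with card 4111 1111 1111 1111, exp 12/26",
    "Brokerage account 55-2201 holds 120 shares of ACME; routing 021000021",
    "Meeting notes: quarterly planning, no attendees listed",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13 to 19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Hypothetical keyword lists; a real deployment would use a trained model
PHI_TERMS = ("patient", "diagnosis", "mrn", "prescription")
PFI_TERMS = ("account", "routing", "portfolio", "shares", "balance")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    labels: set = field(default_factory=set)   # e.g. {"PII", "PCI"}
    redacted: str = ""                          # record with sensitive values masked


def classify(record: str) -> Finding:
    """Tag one record with the data types it contains and mask what was found."""
    labels = set()
    redacted = record
    lower = record.lower()

    # PCI: a digit run of card-number length that also passes Luhn.
    # The checksum step keeps order numbers and routing numbers from
    # being flagged as cards.
    for m in CARD_RE.finditer(record):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            labels.add("PCI")
            redacted = redacted.replace(m.group(), "[CARD ****" + digits[-4:] + "]")

    # Direct identifiers (here only e-mail addresses) count as PII on their own.
    if EMAIL_RE.search(record):
        labels.add("PII")
        redacted = EMAIL_RE.sub("[EMAIL]", redacted)

    if any(term in lower for term in PHI_TERMS):
        labels.add("PHI")
    if any(term in lower for term in PFI_TERMS):
        labels.add("PFI")

    # As the post notes, PHI, PCI and PFI are subsets of PII.
    if labels & {"PHI", "PCI", "PFI"}:
        labels.add("PII")
    return Finding(labels, redacted)


def scan(records):
    """Classify a batch of records; returns a list of Finding objects in order."""
    return [classify(r) for r in records]


if __name__ == "__main__":
    for rec, finding in zip(SAMPLE_RECORDS, scan(SAMPLE_RECORDS)):
        print(sorted(finding.labels) or ["none"], "->", finding.redacted)
```

Run as a script, the block prints each constructed record’s labels beside its masked form; the fourth record, which contains nothing sensitive, comes out with no labels and is left untouched. The Luhn check is the part worth copying into any pattern-based scanner, because without it every long order or routing number becomes a false PCI hit.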
Note: the Digital Government Institute (DGI) eDiscovery, Records & Information Management Virtual Conference is tomorrow, March 25, and IPRO is a sponsor and participant at the conference. Brandon Balsley, Product Marketing Manager at IPRO, will be leading the session Top Challenges for FOIA Professionals Today at 9:15am ET. The complete agenda for the conference is here and the link to register is here. Come check it out!
For more educational topics from me related to eDiscovery, cybersecurity and data privacy, feel free to follow my blog, eDiscovery Today!