Privacy & Security Stakeholders and the Information Governance Reference Model (IGRM)
Written by Doug Austin, Editor of eDiscovery Today
Last month, I introduced a new blog series on the Ipro blog called Considering the 5 Stakeholder Groups of the Information Governance Reference Model (IGRM) and I set the stage for the series by discussing the IGRM model in general, the complexity of information to be managed by organizations today and identified the five stakeholder groups. The past three weeks, I’ve reviewed Legal stakeholders, Records and information management (RIM) stakeholders and Information Technology (IT) stakeholders. This week, I continue the series by focusing on the Privacy and Security stakeholders.
Today’s Landscape for Privacy & Security Stakeholders
As I mentioned in the introduction post, EDRM announced the release of version 3.0 of the IGRM in 2012 (almost eight years ago to the day), which is the version still in use today. In that version, EDRM – in cooperation with ARMA International and the CGOC (Compliance, Governance and Oversight Council) – included privacy and security as primary functions and stakeholders in the effective governance of information.
The importance of privacy & security in organizations has “shifted into hyper drive” in recent years. Let’s take a look at recent developments for both.
Privacy: In recent years, several data privacy laws have been enacted to protect the data rights of individuals. The two most recognizable data privacy laws are:
- GDPR: The European Economic Area (EEA), which is actually larger than the European Union (EU) implemented the General Data Protection Regulation (GDPR) in May 2018 to protect data privacy rights of European individuals;
- CCPA: California implemented the California Consumer Privacy Act (CCPA) in January 2020 to do the same for California residents (enforcement of CCPA began on July 1, 2020.
In addition, several other countries and states have also either enacted or strengthened data privacy laws. According to the International Association of Privacy Professionals (IAPP), multiple states have proposed similar legislation to the CCPA to protect consumers in their states, with at least two more having signed new privacy laws and several others in progress on data privacy laws.
As for countries around the world, here’s a link to privacy laws in different countries and how to comply with them.
Security: While data privacy requirements are increasing significantly, cybersecurity threats are growing. Here are a few recent cybersecurity stats to give you a sense of just how big the challenge is today to protect individual and organization data:
- Worldwide spending on cybersecurity is forecast to reach $133.7 billion in 2022;
- Over 60% of businesses experienced phishing and social engineering attacks in 2019;
- Data breaches exposed over 4 billion records in the first six months of 2019;
- The average cost of a data breach is $3.86 million and the average time to identify and contain a breach is 280 days;
- The total number of global ransomware reports over increased by over 715 percent Year-over-Year (YoY) from the first six months of 2019 to the first six months of 2020.
Do I have your attention yet? Needless to say, while the stakes of protecting data is much higher (given increased scrutiny through data privacy laws), the challenge of protecting that data is only getting tougher, especially given all of the increased remote work during the pandemic.
Privacy & Security’s Relation to Other Stakeholder Groups
A white paper issued by EDRM regarding the release of IGRM v3.0 notes the following regarding the addition of privacy & security stakeholders:
“Privacy & Security stakeholders are responsible for identifying and managing risks associated with personal and/or confidential information. The risks may be legal/regulatory in nature, driven by brand/reputational considerations, or both. With respect to privacy and personal information, companies must be cognizant of laws and ‘best practices’ governing transparency and classification at the point of creation, must understand how the data may be collected, used/processed, and where the data may flow (i.e., cross-border data transfers). Confidential information – be it personal or business proprietary – must be appropriately protected as an asset. Implementation of standards to ensure reasonable and appropriate security protocols – technical, physical, and administrative – is critical for proper information risk management. Enhanced security protocols may be warranted or required for sensitive data (e.g., protected health information, data that could facilitate identity theft, discrimination, or harm, trade secrets, proprietary information, etc.).”
One of the common trends in organizations today to establish responsibility for protecting data within an organization is to appoint a Data Protection Officer (DPO). GDPR established responsibilities for organizations to hire or appoint a DPO, with doing so being required if an organization meets one of these three criteria:
- Public authority: The processing of personal data is done by a public body or public authorities, with exemptions granted to courts and other independent judicial authorities.
- Large scale, regular monitoring: The processing of personal data is the core activity of an organization who regularly and systematically observes its “data subjects” (which, under the GDPR, means citizens or residents of the EU) on a large scale.
- Large-scale special data categories: The processing of specific “special” data categories (as defined by the GDPR) is part of an organization’s core activity and is done on a large scale.
Even if your organization doesn’t meet one of the three criteria above, it’s still a good idea to hire or appoint a DPO to establish someone within the organization who takes the lead on the organization’s data privacy responsibilities. That person can work with other stakeholder groups to ensure other organization goals are being met while protecting that data.
Privacy & Security Stakeholder Recommendations for Better Information Governance
Here are some recommendations for Privacy & Security stakeholders to help an organization improve its overall Information Governance program:
- Promote Organizational Data Mapping Activities: Understanding where data is within an organization is the first step to protecting that data. Privacy & Security stakeholders must actively promote data mapping activities and support RIM stakeholders to keep the organizational data map evergreen so that the organization’s exposure is understood and can be effectively addressed.
- Stay Current with Data Privacy Trends: Data privacy laws are continuing to change and so are the responsibilities of organizations to stay abreast of changing laws. This includes monitoring sites like the IAPP site for updates to data privacy laws, attending webinars to learn more about rapidly changing trends and setting aside 5-15 minutes a day to read about data privacy trends and updates (this blog and eDiscovery Today are great places where you can do that).
Next week, we’ll conclude the series with the goals and considerations for Business Unit stakeholders within an organization. See you then!
For more educational topics from Doug Austin related to eDiscovery, cybersecurity and data privacy, follow, eDiscovery Today! And as part of the continued educational partnership between Ipro and eDiscovery Today, he’ll be here in the Ipro Newsroom next week with more educational content!