
RIM likely to lead strategy as privacy compliance becomes a priority

Records and information management professionals should expect to play a big role as businesses increasingly make privacy compliance a priority.

Privacy has become a top business priority for organizations all over the globe as new and expanding compliance regulations push for improved consumer data protection. The privacy compliance focus makes records and information management (RIM) professionals the prime candidates to lead accompanying change management requirements, said John Isaza, who leads the Information Governance & Records Management practice at law firm Rimon PC.

While in San Diego at the ARMA 2014 International Conference in October, Isaza led a session on how RIM plays a huge role in reducing privacy compliance risk. In this interview conducted at the conference, he discusses why privacy compliance has become a top business concern, and how the trend impacts RIM processes.

What are the key steps to developing a RIM privacy compliance program?

John Isaza: From a 30,000-foot level, one of the key components to have in place is a set governance structure for your privacy compliance program. Second is follow-up with communication of that program and the training for it. That would involve change management, not only within your organization, but change management as it pertains to your outside vendors and contractors, as well as change management as it pertains to your actual clients. This is something that not only affects your organization internally but it also impacts your clients.

Third is ongoing process improvement. It's not going to be perfect when you roll it out. You're going to have to keep updating it as the laws change, as requirements change. In the last couple of years alone, there have been regulatory changes, so there is definitely ongoing process improvement. Those are the big-picture items around having a compliant privacy program.

What role does RIM play in assuring privacy compliance?

Isaza: That's a question that's up for debate right now. I personally think that records and information management is ideally positioned to play a key role in managing the privacy program. They are positioned so well because they have knowledge not just of the legal requirements, but also exactly what the records are, where the data lies, what the concerns are.

It's the old saying 'IT owns the tools, RIM owns the rules.' By owning those rules, it's really an opportunity for RIM programs to be empowered, get a higher profile and break through the glass ceiling.

Can development of a data privacy program also benefit regulatory compliance? Why or why not?

Isaza: Absolutely. In the old days, say 15 years ago, it was all about retention requirements. Now we've got to go beyond retention requirements into other information governance requirements that include privacy. Privacy is the No. 1 concern for our clients, because privacy is an issue both domestically and internationally.

If you are doing business outside of the United States, there are restrictions on whether or not the data can leave the country, what kind of data can leave the country, what country the data can be shared with. This is all part of privacy compliance, and part of what that governance program needs to keep an eye on. There are thousands of regulations from all over the globe that regulate privacy, so a privacy program keeps you compliant. The sanctions are very serious if there is a breach: It could be millions of dollars in sanctions for one privacy breach. If you are a small software company trying to get started, it could break the bank for you. If you are a huge organization with multiple violations, the sanctions could add up into the multimillions very quickly.

Who should 'own' the data privacy responsibility at an organization?

Isaza: Organizations have chief privacy officers now, and somebody at the C-level needs to own it. They need to create a position for it at the C-level. I don't think that it is necessarily something that should be owned by the CIO, I think the CIO has enough on his or her plate. But I think someone from the C-suite should be designated for it, or somebody can be taken from RIM and be made responsible for it.

But RIM [personnel need] to be careful what they wish for. Along with a raise will come all that additional responsibility -- and liability -- for owning data privacy compliance. Bottom line, I think we need to create a position for it if the organization doesn't already have a chief privacy officer in place.

Let us know what you think about the story; email Ben Cole, site editor. For IT compliance news and updates throughout the week, follow us on Twitter @ITCompliance.


This was last published in December 2014

How has your organization changed records and information management processes to adapt to privacy compliance regulations?
Just as the apps and technology adapt, change and evolve, the malware and cyber-attacks evolve and change as well. Because of this, especially in light of the recent Sony hacks, my business has adopted a new set of information management policies and processes that help to give secured privacy, but also act proactively against unwanted hacks and malware attacks. Any data stored in our cloud service has multi-tiered security access as a preventive measure.