Privacy has become a top business priority for organizations all over the globe as new and expanding compliance regulations push for improved consumer data protection. The privacy compliance focus makes records and information management (RIM) professionals the prime candidates to lead accompanying change management requirements, said John Isaza, who leads the Information Governance & Records Management practice at law firm Rimon PC.
While in San Diego at the ARMA 2014 International Conference in October, Isaza led a session on how RIM plays a huge role in reducing privacy compliance risk. In this interview conducted at the conference, he discusses why privacy compliance has become a top business concern, and how the trend impacts RIM processes.
What are the key steps to developing a RIM privacy compliance program?
John Isaza: From a 30,000-foot level, one of the key components to have in place is a set governance structure for your privacy compliance program. Second is follow-up with communication of that program and the training for it. That would involve change management, not only within your organization, but change management as it pertains to your outside vendors and contractors, as well as change management as it pertains to your actual clients. This is something that not only affects your organization internally but it also impacts your clients.
Third is ongoing process improvement. It's not going to be perfect when you roll it out. You're going to have to keep updating it as the laws change, as requirements change. In the last couple of years alone, there have been regulatory changes, so there is definitely ongoing process improvement. Those are the big-picture items around having a compliant privacy program.
What role does RIM play in assuring privacy compliance?
Isaza: That's a question that's up for debate right now. I personally think that records and information management is ideally positioned to play a key role in managing the privacy program. They are positioned so well because they have knowledge not just of the legal requirements, but also exactly what the records are, where the data lies, what the concerns are.
It's the old saying 'IT owns the tools, RIM owns the rules.' By owning those rules, it's really an opportunity for RIM programs to be empowered, get a higher profile and break through the glass ceiling.
Can development of a data privacy program also benefit regulatory compliance? Why or why not?
Isaza: Absolutely. In the old days, say 15 years ago, it was all about retention requirements. Now we've got to go beyond retention requirements into other information governance requirements that include privacy. Privacy is the No. 1 concern for our clients, because privacy is an issue both domestically and internationally.
If you are doing business outside of the United States, there are restrictions on whether or not the data can leave the country, what kind of data can leave the country, what country the data can be shared with. This is all part of privacy compliance, and part of what that governance program needs to keep an eye on. There are thousands of regulations from all over the globe that regulate privacy, so a privacy program keeps you compliant. The sanctions are very serious if there is a breach: It could be millions of dollars in sanctions for one privacy breach. If you are a small software company trying to get started, it could break the bank for you. If you are a huge organization with multiple violations, the sanctions could add up into the multimillions very quickly.
Who should 'own' the data privacy responsibility at an organization?
Isaza: Organizations have chief privacy officers now, and somebody at the C-level needs to own it. They need to create a position for it at the C-level. I don't think that it is necessarily something that should be owned by the CIO; I think the CIO has enough on his or her plate. But I think someone from the C-suite should be designated for it, or somebody can be taken from RIM and be made responsible for it.
But RIM [personnel need] to be careful what they wish for. Along with a raise will come all that additional responsibility -- and liability -- for owning data privacy compliance. Bottom line, I think we need to create a position for it if the organization doesn't already have a chief privacy officer in place.