
Data Privacy 2023: A reinvigorated data disposition strategy will bolster trust

Data Privacy Day, held every year on January 28, is a time to raise awareness and promote data protection best practices that build trust.

As we honor this day and mark a new year, the global privacy landscape continues to develop. For example, Australia recently passed new privacy reforms significantly increasing penalties for violations and expanding its extraterritorial reach. In the U.S., in addition to the California Privacy Rights Act (CPRA) amendments that have expanded consumer rights, privacy laws enacted in the states of Colorado, Connecticut, Utah and Virginia went or will go into effect in 2023. Until a pre-emptive federal privacy law is passed, more state legislation is certain to follow and organizations will be left to decipher the application of these laws to their business and program activities.

In this blog post, I want to share some recent survey findings on brand trust and highlight why I believe data disposition activities and retention principles will play a pivotal role in privacy program development this year.

Brand trust is at stake

Beyond regulatory compliance, retaining customer loyalty is a key consideration for privacy program development. In this new era of consumer activism, individuals are making buying decisions based on their perception of how an organization is handling their personal data or information. OpenText commissioned a global survey among consumers that demonstrates the impact that trust has on brand loyalty. A third (33%) of our respondents indicated they would no longer use or buy from a company they were previously loyal to if it failed to protect or leaked their personal data. In fact, just under a quarter (24%) of global respondents did not trust that a company knows where all their personal data resides or how that information is being used.

There is a growing awareness among Americans of their privacy rights, resulting in a greater sense of empowerment and increased expectations that the businesses to which they provide personal data use it appropriately and competently. According to our survey, almost three in five (57%) U.S. consumers would proactively get in touch with an organization to see how it is using their data or to check whether their data was being stored in a compliant manner. Almost a third (31%) would abandon a brand if it failed to respond to a Subject Rights Request (SRR), including a request to access, delete or correct the information a company holds about them. Three in ten (29%) felt the same way if an SRR was not completed or dealt with satisfactorily.

Data minimization is the impetus to get the digital house in order

Data minimization requirements incorporate privacy-by-design principles supporting limited and purposeful retention. A core regulatory mandate of most data privacy laws, the data minimization principle limits the collection, processing and storage of personal data to that which is relevant and necessary to fulfill a specified purpose; organizations should also ensure that data is not retained once it is no longer necessary. Roughly a quarter (24%) of both our global and U.S. respondents indicated they would no longer use or buy from a company they were previously loyal to if their personal data was kept longer than necessary for its specified purpose. Therefore, unsurprisingly, a critical organizational focus for creating trust and ensuring compliance is to address retention practices, including improving data categorization, classification and data disposition.

According to the 2022 IAPP-EY Annual Privacy Governance Report, data deletion was a top-three strategic privacy priority for privacy and data protection offices last year. For certain industry sectors, such as banking and insurance, education, and business services, it was the top priority. This will continue to be a key focus, not only to adhere to data minimization requirements but also to respond to consumer-initiated deletion requests. Whether engaging in data discovery, leveraging file analysis technology to identify and categorize over-retained, risky data (that should already have been discarded), or harmonizing deletion requests with other retention obligations, these activities are critical to retaining trust and loyalty. In fact, the loss of trust itself may be what prompts consumers to submit deletion requests in the first place.

Subject Rights Requests can lead to scrutiny of your retention practices

As awareness increases, so will consumers' desire to scrutinize business data handling practices. In California, with the expiration of the exemptions for employment-related personal information and the extension of the same consumer privacy rights to employees and job applicants, there will be a significant uptick in SRRs. Moreover, because HR and other employment-related data is frequently stored in unstructured environments or distributed across siloed systems, efforts to satisfy these employee-initiated requests will be prone to failure. They may also require more effort, particularly when governance is lacking and organizations do not have robust document management solutions to improve efficiency and bolster process defensibility and security.

How an organization responds to a requestor may also lead to further regulatory scrutiny – exposing poor data hygiene and creating the need to defend existing practices. For example, if an organization claims to have fulfilled a request and yet, absent an exemption, the requestor notes evidence of ongoing use of that information, it may open the door to an investigation or enforcement action addressing potential compliance violations resulting from inadequate retention and disposition practices. In the context of expanded employee privacy rights, SRRs may also be used by disgruntled employees to gather evidence or better understand document retention practices before claims are filed. Others may try to use the process as a tool to obtain documents to assist with litigation proceedings or to bypass normal legal disclosure activities.

Over-retention can have a deleterious effect on an organization. 2023 will be the year companies re-prioritize records management and data disposition activities to reduce process deficiencies and mitigate future legal and regulatory risk. With a strong foundation, organizations can improve the efficiency and efficacy of their operations – securing and using data correctly and responding to requests accurately and appropriately. Beyond operational benefits, this strategy will improve customer satisfaction and create a result worthy of trust.

Learn how OpenText can help you mitigate data privacy risk by rethinking your approach to information governance and privacy management activities.

For additional best practices to help build or augment your privacy program, you can also check out the guide 5 ways to prepare for data privacy laws.

Andy Teichholz

Andy Teichholz is the Sr. Industry Strategist for Compliance and Legal at OpenText. He has over 20 years of experience in the legal and compliance industry as a litigator, in-house counsel, consultant, and technology provider. Andy is focused on helping businesses succeed with digital transformation. In this capacity, he has served as a trusted advisor to customers by leveraging his business acumen, industry experience, and technical knowledge to advise on regulatory compliance, information governance, and data privacy issues as well as support complex litigation and regulatory investigations.
