Do You Have Perfect FOIA 2020 Vision? What are the New and Emerging Government Recordkeeping and access Issues Likely to Arise over the Next Decade?
American Society of Access Professionals National Training Conference
July 22-24, 2019
Renaissance Capital View Hotel, Arlington, Virginia

Do You Have Perfect FOIA 2020 Vision? What are the New and Emerging Government Recordkeeping and Access Issues Likely to Arise over the Next Decade?
By Jason R. Baron, Drinker Biddle
“With permission to reprint from Spring 2019 edition of InfoGov World”.
INFORMATION GOVERNANCE WORLD
VOL 1 • ISSUE 3 • SUMMER 2019 • INFOGOVWORLD.COM • YOUR GLOBAL IG RESOURCE®

Cover blurbs:
GDPR One Year Later w/ Richard Hogg
Oz Alashe on Analytics & Cybersecurity
Advice from Leading IG Experts
Jason R. Baron on RIM’s Major Threat
Nicolas Economou: AI’s Role in e-Discovery
Sonia Luna on COSO & Risk Management
Nathaniel Palmer: IG & Intelligent Automation
John Isaza on Global RIM Compliance
Heidi Maher: Her Vision for CGOC + IG & Data Privacy Benchmarks
PUBLISHER’S LETTER
(Photo by Lilli Garcia)

We are proud and pleased to bring you another spectacular issue! It is chock full of engrossing content and keen insights from IG leaders. Our cover feature is an interview with CGOC’s Executive Director, attorney Heidi Maher. Her story of her childhood in Iran, then immigrating to the US is intriguing; her rise to working in the Texas Attorney General’s office and then becoming a leading tech attorney is inspiring. And the story of how her parents met is quaint!

We also feature two interviews from across the pond with keynote speakers at the annual MER Conference in Chicago. Oz Alashe, MBE, served as a leader in the British military and now applies his skills in leading a cybersecurity firm that leverages analytics and AI to prevent and detect threats. He offers some insights on looming cyber threats that you won’t want to miss. Nicolas Economou, the son of a diplomat who has traveled extensively, offers his discernments on AI governance and AI use in e-Discovery.

Noted attorney and e-discovery expert Jason R. Baron provides a detailed look at ephemeral messaging and its threat to RIM. John Isaza, a leading attorney in the IG space, talks about his immigration from Colombia to Southern California, and his close friendship with fellow attorney and co-author John Jablonski. He then provides insights on global RIM compliance. Former ARMA President Fred Diers also contributed a provocative piece on RIM programs that every records management professional should read.

We focus on data privacy heavily, especially in this issue. Richard Hogg, a leader in global privacy, gives us a look at GDPR a year after it went into effect, and our own Mark Driskill offers what he has uncovered about GDPR as well. Also, Scott Allbert writes about what financial institutions may not know about the impending California Consumer Privacy Act.

Business process expert Nathaniel Palmer provides us with a clear view of the intersection of intelligent automation and IG. We also interviewed my friend Sonia Luna, CPA, who gives us expert insights on the COSO risk management framework, cannabis compliance, and living in L.A. My longtime colleague at IMERGE Consulting, Jim Just, and content analytics expert Brian Tuemmler, provide us with two viewpoints on cleaning up shared drives with some very good advice. Again in this issue, data governance expert Merrill Albert gives us lessons on running a good DG program, and we are hoping the IG community picks up some of her tips. Tom Motzel writes about the rise of the CDO and potential conflicts with the CISO; and David Metcalf, PhD, gives us a preview of the book he wrote with several colleagues on blockchain in healthcare.

Enjoy and learn! And please don’t forget to send us your topic ideas, opinions, and feedback – this is the IG community’s magazine and we strive to improve with each issue.

Please send your comments, suggestions, and story ideas to me at Robert@infogovworld.com

Robert Smallwood
CEO & Publisher

(Sidebar: For more information about becoming a Certified Records Manager or Certified Records Analyst, contact (518) 463-8644 or visit www.icrm.org)
CONTENTS
INFORMATION GOVERNANCE WORLD • YOUR GLOBAL IG RESOURCE® • infogovworld.com
VOLUME #1, ISSUE #3, SPRING 2019

INFORMATION GOVERNANCE IN SOCIETY
10 ARMA Metro NYC Annual Spring Conference
11 The Annual AIIM Conference

INFORMATION GOVERNANCE BEST PRACTICES
12 Mission Impossible, by Jason R. Baron

INFORMATION PRIVACY
16 GDPR One Year Later, by Richard Hogg
19 Facebook Always Watching
20 Cali Privacy Act to Hit Financial Services Firms the Hardest?, by Scott Allbert
22 GDPR’s First Birthday, by Mark Driskill

INFORMATION SECURITY
24 An Interview with Cybersecurity Leader Oz Alashe, MBE
28 CSA’s Cloud Controls Matrix Maps to Leading Frameworks, by Baird Brueseke
30 CIS Releases New Mobile Controls, by Baird Brueseke

COVER STORY
32 The Visionary: Interview with Heidi Maher, by Robert Smallwood

ANALYTICS & INFONOMICS
40 Clean-up Content with Content Analytics Technologies, by Jim Just
42 Kick Start Your IG Program with Content Cleanup, by Brian Tuemmler

REGULATORY COMPLIANCE
44 Law & Order: Interview with John Isaza, Esq.
47 High Standards: Interview with Sonia Luna, CEO and President at Aviva Spectrum

LEGAL & EDISCOVERY
50 A.I. Governance: Interview with Nicolas Economou

RECORDS & INFORMATION MANAGEMENT
52 Creating a Sustainable RIM Program – Fact or Fiction?, by Fred Diers, CRM, FAI

DATA GOVERNANCE
56 Data Governance: Insights from the Field, by Merrill Albert
57 What is Master Data Management?

CONTENT SERVICES
58 Intelligent Automation & IG: The Critical Path to Digital Transformation, by Nathaniel Palmer
60 The Rise of the CDO: Conflicts Emerge with CISO Role?, by Tom Motzel

ARCHIVING & LONG-TERM DIGITAL PRESERVATION
62 Newer Cloud-based Approaches Simplify Digital Preservation

EMERGING TECHNOLOGY
64 Driving AI
65 AI Used to Transcribe Content
65 Future of Defense is AI

HEALTHCARE
66 Blockchain in Healthcare – Empowering Patients and Professionals, by David Metcalf, PhD
67 Medical Bills Are Killing Americans
67 IG Leaders in Healthcare
68 Harvesting Computing Brainpower to Improve Healthcare
69 Artificial Intelligence in Healthcare
70 Six Strategies to Consider When Implementing IG, by Rita Bowen and Erin Head

72 INFORMATION GOVERNANCE TRADE SHOWS
74 INFORMATION GOVERNANCE EVENTS

MASTHEAD
CEO & Publisher: Robert Smallwood
Chief Operating Officer: Baird Brueseke
Creative Director: Kenny Boyer
Senior Editor: Dan O’Brien
Contributing Editors: Mark Driskill, Martin Keen, Andrew Ysasi
Contributing Writers: Merrill Albert, Scott Allbert, Jason Baron, Rita Bowen, Baird Brueseke, Fred Diers, Erin Head, Richard Hogg, Jim Just, David Metcalf, Tom Motzel, Nathaniel Palmer, Robert Smallwood, Brian Tuemmler
Contributing Photographers: Nikki Acosta, Lilli Garcia, Nate Kieser, Robert Smallwood, Christian Yi
Special thanks to interviewees: Heidi Maher, Nicolas Economou, Sonia Luna, John Isaza, Oz Alashe

On the cover: Heidi Maher, Executive Director, Compliance, Governance & Oversight Council. Photo by Nikki Acosta, Magnetic Focus Photography.

Check us out online and sign up today for a free digital subscription to Information Governance World magazine. Print subscriptions for the quarterly mag are $49/year, or $195 for five team members.
Information Governance education, news & events: subscribe.infogovworld.com

© 2019 InfoGov World Media LLC, 2358 University Ave # 488, San Diego, CA 92104, infogovworld.com, 1.888.325.5914
INFORMATION GOVERNANCE: A PRIMER

According to the Sedona Conference, Information Governance (IG) is about minimizing information risks and costs while maximizing information value. This is a compact way to convey the key aims of IG programs. The definition of IG can be distilled further. An even more succinct “elevator pitch” definition of IG is, “security, control, and optimization” of information. This is a short definition that anyone can remember. It is a useful one for communicating the basics of IG to executives.

To go into more detail: This definition means that information—particularly confidential, personal, or other sensitive information—is kept secure. It means that your organizational IG processes control who has access to which information, and when. And it means that information that no longer has business value is destroyed and the most valuable information is leveraged to provide new insights and value. In other words, it is optimized.

IG PROGRAMS REQUIRE CROSS FUNCTIONAL COLLABORATION

IG involves coordination between data privacy, information security, IT, legal and litigation/e-discovery, risk management, business records management functions and more. It is a complex amalgamated discipline as it is made up of multiple sub-disciplines.

IG must be driven from the top down by a strong executive sponsor, with day-to-day management by an IG Lead, which is a person who could come from one of the major sub-disciplines of IG. The IG lead could come from IT, cyber-security, privacy, RIM, analytics, legal, operations or related disciplines.

THE KEY DIFFERENCES BETWEEN DATA GOVERNANCE & INFORMATION GOVERNANCE

Data Governance (DG) and Information Governance (IG) are often confused. They are distinct disciplines, but DG is a subset of IG, and should be a part of an overall IG program. DG is the most rudimentary level to implement IG, and often DG programs provide the springboard for IG programs. Data governance entails maintaining clean, unique (non-duplicate), structured data (in databases). Structured data is typically about 10%-20% of the total amount of information stored in an organization.

DG includes data modeling and data security, and also utilizes data cleansing (or data scrubbing) to strip out corrupted, inaccurate, or extraneous data and de-duplication, to eliminate redundant occurrences of data. Data Governance focuses on data quality from the ground up at the lowest or root level, so that subsequent clinical assessments, reports, analyses, and conclusions are based on clean, reliable, trusted data in database tables.

THE CHALLENGE: MANAGING UNSTRUCTURED INFORMATION

Unstructured information is the vast majority of information that organizations struggle to manage. Unstructured information generally lacks detailed metadata and includes scanned images, email messages, word processing documents, PDF documents, presentation slides, spreadsheets, audio recordings, video files, and the like. Unstructured information is more challenging to manage than structured information in databases, and is the primary focus of IG programs. IG is much more broad and far-reaching than DG. IG programs include the overarching policies and processes to optimize and leverage information as an asset across functional silos while keeping it secure and meeting legal and privacy obligations. These IG program aims should always be in alignment with stated organizational business objectives.

[Advertisement] OPERATIONALIZE YOUR PRIVACY PROGRAM: AUTOMATE GDPR RECORD KEEPING
Readiness & Accountability: Benchmark organizational readiness and provide executive-level visibility with detailed reports. (GDPR Articles 5 & 24)
PIA, DPIA & PbD Automation: Choose from pre-defined screening questionnaires to generate appropriate record keeping requirements. (GDPR Articles 25, 35 & 36)
Data Mapping Automation: Populate the data flow inventory through questionnaires, scanning technologies or through bulk import. (GDPR Articles 6, 30 & 32)
Cookie Consent & Website Scanning: Conduct ongoing scans of websites and generate cookie banners and notices. (GDPR Articles 7 & 21; ePrivacy Directive; Draft Regulation)
Subject Access Rights Portal: Capture and fulfill data subject requests based on regulation specific requirements. (GDPR Articles 12 - 21)
Universal Consent & Preference Management: Embed consent management directly on website with standardized transaction workflow. (GDPR Article 7)
Vendor Risk Management: Conduct vendor risk assessments, audit and manage data transfers to third parties. (GDPR Articles 28(1), 24(1), 29, 46(1))
Incident & Breach Management: Build a systematic process to document incidents and determine necessity for notifications. (GDPR Articles 33 & 34)
Free GDPR Workshop, 4.5 CPE Credit Hours, for privacy professionals focused on tools and best practices to operationalize compliance. Details and registration available at PrivacyConnect.com.
INFORMATION GOVERNANCE IN SOCIETY

ARMA METRO NYC ANNUAL SPRING CONFERENCE

On March 5, the ARMA Metro NYC Chapter held their annual Spring Conference in Manhattan to a crowd of over 220 attendees. The group was hosted by ARMA NYC Chapter President Gene Stakhov. Privacy was a major focus of the day, with presentations by Jo Ann Davaris, CPO at Mercer; David Peach, CISO at The Economist Group; Wayne Matus, Chief Compliance Officer at SafeGuard GDPR; Richard Hogg of IBM; attorneys John Isaza and Leigh Isaacs, and more. Afterward, a networking reception was held and many enjoyed conversing with colleagues.

Photo captions (contributed photos): ARMA Metro NYC Board Members; John Isaza presents a case study; Iron Mountain’s Tom Motzel makes a point; Josseline Corniel & Veronika Golberg of Vdiscovery flank Michael Landau of Veritas; Iron Mountain’s Arlette Walls chatting up the table; (Left to right) Keynote speaker group: Wayne Matus (SafeGuard GDPR), Jo Ann Davaris (Mercer), Gene Stakhov (enChoice), David Peach (The Economist Group) and Michael Potters (Glenmont Group); A standing room only crowd; Boshia Smith and Georgina.

THE ANNUAL AIIM CONFERENCE

The annual AIIM Conference took place March 26-28 in San Diego. Approximately 600 attendees enjoyed excellent keynote presentations and educational sessions, as well as social networking events. And the weather was spectacular!

Photo captions (contributed photos): Smiling networker with a humorous shirt; Mary Arnold, USAA; AIIM held its conference at the San Diego Grand Hyatt; Karla Farley of Microfocus and raffle winner John Attanasio; Longtime AIIM Fellow Priscilla Emery; SD/LA AIIM Social attendees enjoying drinks; Many good connections were made during lunch; A pensive Alan Pelz-Sharp; Ryan Zilm rocks karaoke.
INFORMATION GOVERNANCE | BEST PRACTICES

(With the consent of its editors, the following is an abridged version of an article that appeared in the Winter 2019 issue of “Ethical Boardroom” magazine, a UK publication.)

MISSION IMPOSSIBLE? HOW TO SAVE RECORDS MANAGEMENT FROM THE THREAT POSED BY SELF-DESTRUCTING MESSAGES
BY JASON R. BARON / PORTRAITS BY NATE KIESER

Every month more than four billion people send 560 billion SMS text messages worldwide—a 7,700% monthly increase over the past decade. Instant message (IM) traffic on apps such as Facebook Messenger, WeChat, WhatsApp, Viber, and Line, tops 60 billion texts daily.1 As of 2018, cloud-based collaboration tool Slack says it has eight million daily active users and three million paid users.2

According to one recent survey, nearly 78% of people would like to have a text conversation with a business, and 80% of professionals currently use texting for business purposes. Interestingly, more than half of professionals claim that they cannot stand even 10 minutes without responding to a text.3

Coupled with the emergence of messaging generally are self-destructing messaging services beyond the popular Snapchat and Telegram platforms, such as Bleep, Confide, CoverMe, Hash, Signal, SpeakOn, VaporStream, Wickr, and a host of others. Unadorned use of these messaging apps means there may, in fact, be no “record” in any sense that can be captured by any actor or institution subject to regulatory oversight or compliance obligations. Although, admittedly, such applications are less prevalent amongst business people than they are with the under 18 set, they nevertheless are available to any potential interested party as a means of conducting business—for time-saving efficiency by many, and for possible dubious “off-the-books” uses by some.

In 2017, a Washington, D.C.-based public interest group filed a lawsuit against the current White House, alleging that presidential staff were using communications platforms such as WhatsApp, Confide, and Signal, that allow for self-deletion, while failing to put into place an adequate archiving scheme responsible for the capture of such messages (either by automated means or by staff copying messages manually).4 The lawsuit was dismissed on the grounds that under existing precedent the court did not consider itself to have jurisdiction to interfere with Presidential records management practices. But on its merits, the allegations in the complaint painted a picture of potential widespread noncompliance with recordkeeping policies that simply are not keeping up with the pace of technological change.

And so, at the end of the second decade of the 21st century, we face what might be considered an existential threat to recordkeeping as we know it. This is to the extent that business-related communications are increasingly conducted by employees of enterprises via these types of messaging channels, either on company-owned or employee-owned devices. Shall we give up? Shall we try to rigidly enforce prohibitions on the use of these services? Or, as an intermediate position, shall we ask what data controls are reasonable to contemplate as a matter of governance, compliance and oversight? The question is of an urgent nature, given the accelerating proliferation and use of such applications.

Taking a step back, it may first be best to review the bidding on how we got here, including key milestones and earlier warning signals along the way. Armed with that knowledge, we can take a stab at sketching out a path to better compliance from both the perspective of technology and information governance policy.

In 1986, employees of the National Security Council were informed in a White House guidance manual that e-mail should not be used to convey official records information. That written policy prohibition went unheeded by Lt. Col. Oliver North, John Poindexter, and others, who sent to each other thousands of emails (in the form of “PROFS notes”) about high-level, sensitive matters of government, including pertaining to the infamous Iran-Contra affair. Such messages were seized as part of an Independent Counsel investigation, and subsequently were caught up in decade-long litigation over the record status of e-mail messages residing on backup tapes. The government eventually lost the argument that only e-mail communications that had been printed out were true government records. Subsequently, the Clinton White House agreed to restore e-mails from backup tapes, including with certain metadata, for placement in government archives, and also agreed to put into place a system for e-mail archiving going forward.5

In the intervening decades, e-mail became the lingua franca of office communications, whereby virtually all public and private organizations comprising more than a few employees have instituted e-mail as a communications channel at least in-house. As history repeatedly has shown, however, institutional policies that enable end-users with access to new types of communications technologies (as e-mail was in the 1980s), coupled at the same time with policy guidance informing those users that they should not use the technology for “official” or “business” communications, have proven to be a recipe for failure from a compliance perspective.

In 1995, the introduction of the Netscape browser led to a period of information inflation, in which the number of websites grew from less than a hundred to over 100,000 in very short order.6 This, in turn, heralded in an era where end-users could, in theory, access a world of online connections from their workplace desktops. That said, it was only in the post-2000 era that the world of communications technologies really started to take off, with the introduction of the Google search engine, coupled with platforms represented by Gmail, Yahoo, and other providers. For the first time, employees had realistic, easy-to-use alternatives to sole reliance on corporate e-mail networks, which in many cases have been subject to slow-downs, connection issues, and glitches of all types. In this same time period, there was an explosion of laptops, mobile devices, personal digital assistants, and most of all, smart phones, with the capability not only of accessing e-mail networks (corporate and private), but also downloading a wide variety of apps.

It was therefore entirely foreseeable that employees, including some of the most senior level officials, would gravitate to using alternative means to communicate in the course of carrying out various types of business activities. Just as inevitably, in the last half decade or so, controversies over the use of commercial networks and apps to communicate about official business have blossomed. The controversy over Secretary of State Hillary Clinton’s use of a private email server is the most prominent example of this phenomenon, but she by no means has been alone: many high-level state and federal officials, as well as political leaders in such countries as Australia and Canada, also have used private communications channels to discuss government business.

From a lawmaking perspective, the federal government has been out in front by enacting into law in 2014 provisions that require officials who conduct government business by means of “electronic messaging” on a private commercial network to take reasonable steps to forward or copy the messages into an official recordkeeping system (with a “.gov” address).7 Notably, the statute does not prohibit the use of commercial services, but instead provides conditions on use. The statute also includes a provision for agencies initiating disciplinary measures against employees who fail to adhere to these legal requirements.

More recently, the Department of Justice (DOJ) has focused on ephemeral messaging in connection with its corporate enforcement policy pursuant to the Federal Corrupt Practices Act (FCPA). To that end, under its recent Corporate Enforcement policy (USAM 9-47-120), DOJ has put into place a presumption that companies will receive a “declination,” i.e., full remediation credit towards what otherwise would be a substantial monetary sanction, only if the company satisfies certain conditions, one of which involves the company “prohibiting employees from using software that generates but does not appropriately retain business records or communications.” This phrasing clearly was intended to include ephemeral messaging, although in its scope it may potentially also sweep in very short retention times on e-mail messaging as well (where automatic deletion is set to days, rather than months or years).

At a minimum, it is now in the interest of C-suite executives in enterprises that might be affected by FCPA considerations to perform a risk analysis with respect to the pros and cons of continuing allowance of ephemeral messaging as a matter of corporate policy. Arguably, there are substantial financial benefits in mitigating potential exposure to fines, through clear corporate guidance prohibiting the use of ephemeral messaging apps for the conduct of corporate business. On the other hand, ephemeral messaging decreases overall corporate risks in at least three ways: first, by reducing the volume of retained messages that may be subject to cybersecurity threats; second, by controlling over-retention with corresponding litigation exposure due to the inadvertent or default retention of messages with negative consequences; and third, as a matter of compliance with emerging General Data Protection Regulation (GDPR) policies aimed at reducing long-term preservation of records containing personal data on individuals, including sensitive personal data. This same risk factor balancing ideally should be considered by all companies, not just those affected by FCPA policies.

Corporate policies prohibiting employee use of applications are certainly more easily enforceable on company-owned devices, although some kind of software auditing program, automated or manual, would still need to be put into place. However, a substantial portion of the corporate world has adopted some form of BYOD (bring your own device) policies, allowing for employees to opt to carry out corporate business on their personally owned devices. In such cases, although there are ways to embed software auditing for particular devices and apps on a voluntary basis, there would appear to be wide open compliance issues given the ease with which individual employees may opt to install messaging apps that essentially can go undetected by their employers for some period of time.

In view of the fast-changing world of ephemeral and self-destructing messaging, here are some practical steps company officers should consider taking as part of a robust information governance program.

First, C-suite executives should make every effort to understand the IT environment that exists in their workplace, including on corporate devices as well as on devices owned by employees but used for company business. What kinds of communications apps are being used, by whom, and for what purposes? Executives should consider taking reasonable steps to attempt to control these communications, via investing in archiving tools for social media that capture communications on designated apps. As necessary or desirable, companies may consider imposing software blocking the use of certain well-known apps to restrain employees from engaging in ephemeral communications. A caveat here is in order, however: such efforts may only encourage users to find less-well known workarounds, especially on their personally-owned devices.

Second, corporate record retention policies and device use policies should be updated to explicitly include recognition of the fact that business records may be created on messaging applications, and that such messages need to be managed. While there is no iron-clad, general duty to preserve all business-related communications, under certain circumstances legal holds may need to be put into effect that cover relevant communications on ephemeral apps. Accordingly, encouragement should be given to employees in the first instance to use stable forms of communications (as defined under corporate policies), that reasonably comply with existing record retention practices and which allow for legal holds to be put into effect. Absent an outright prohibition of ephemeral messaging, companies should at a minimum make clear what is permissible and what is expected of employees using either corporate or personal devices, and should provide notice if the company wishes to perform some kind of audit of those devices.

And third, as a matter of setting expectations in a given corporate culture, if senior officials show that they are adhering to using more traditional channels for communication, mid-level supervisors and their employees may be more ready to toe the line. The counter example of the head of an enterprise being known to use private channels as a means to communicate about company business only incentivizes more widespread noncompliance with corporate policies.

The genie is out of the bottle: there are a seemingly endless number of easy ways that we as individuals are all now able to communicate with each other. New forms of technologies pop into existence with each passing year. A corporate strategy that embraces change in acknowledging these new ways of doing business, while providing clear, up-to-date guidance (and notice) to everyone on staff on what is and is not permissible, is a sensible path forward in the brave new workplace of our future.

JASON R. BARON SERVES AS OF COUNSEL IN THE IG AND EDISCOVERY GROUP AT DRINKER, BIDDLE & REATH LLP, AND IS CO-CHAIR OF THE INFORMATION GOVERNANCE INITIATIVE. HE MAY BE CONTACTED AT JASON.BARON@DBR.COM.

REFERENCES:
[1] https://medium.com/bsg-sms/50-texting-statistics-that-can-quench-everyones-curiosity-even-mine-7591b61031f5
[2] https://www.businessinsider.com/slack-8-million-daily-active-users-wants-500-million-2018-11
[3] https://skipio.com/154-reasons-why-texting-is-the-future-of-business-to-customer-communication/
[4] See Citizens for Responsibility and Ethics in Washington et al. v. The Hon. Donald J. Trump and the Executive Office of the President, 302 F.Supp.3d 127 (D.D.C. 2018) (appeal filed).
[5] See Armstrong v. Executive Office of the President, 1 F.3d 1273 (D.C. Cir. 1993).
[6] G. Paul & J.R. Baron, “Information Inflation: Can the Legal System Adapt?,” http://law.richmond.edu/jolt/v13i3/article10.pdf
[7] See 44 U.S. Code § 2911 (2019).
INFORMATION PRIVACY

GDPR ONE YEAR LATER
BY RICHARD HOGG | PHOTO BY LILLI GARCIA (LILLIPOPART.COM)

Psst… have a private moment? It has been a year since the EU General Data Protection Regulation (GDPR) went live, and the world is still spinning. Let’s take a look at what transpired in the first year of GDPR.

GDPR went live May 25, 2018 and it aimed to standardize Personal Data (PD) privacy and protection duties, obligations, and rights across all 28 member countries in the EU. The new privacy regulation updates and expands the previous EU privacy directive which had been in place for decades. With the historical reality of human rights incidents and multiple dictatorships, Europe continues to ramp-up its focus on privacy.

People in the EU are ever more aware of the importance of data privacy and protection, and their newly-defined rights under GDPR. They are now exercising these rights, including their Data Subject Rights around Rights to Enquire, Correct, Erasure, and Data Portability. So, across the whole of Europe (except for five member countries who have still yet to adopt GDPR into their national legislation), a consistent privacy framework is in place.

As 2019 began, the Executive EU Commission reported more than 95,000 complaints1 were filed across Europe under GDPR so far. The first of those complaints filed was just six minutes into GDPR Day by None Of Your Business2 (NOYB.eu), a nonprofit that is laser-focused on all things privacy and protection, founded by Max Schrems, privacy activist and attorney.

Then Google was hit with a 50 Million Euro fine (about $56M dollars)—the largest fine to date—as of early 2019. It was levied by the French Privacy Regulator (CNIL) under GDPR for transparency and lawfulness issues (think opt-in and consent). A 50M fine may sound like a big number, but it is a mere speeding ticket for Google––a warning, if you will. The fines will get larger if Google (and others) do not comply. As conveyed from the central EU data protection supervisor Buttarelli,7 along with many industry analysts (Iannopollo8) from late 2018, we’ve only just begun to see fines and sanctions hit major corporations for GDPR violations. Surely, some eye-popping ones are to come!

EXACTLY WHICH “PEOPLE” ARE COVERED UNDER GDPR?

Citizens of the EU, right? Be careful, this is one of those many areas where terminology (and assumptions) still catch businesses off guard as they realize that GDPR applies to some (or all) of their global business. As defined in the GDPR, it applies to all Personal Data (in any media or format, electronic and physical) of any living, natural persons in Europe. If you’re not living—sorry—then GDPR doesn’t apply to your personal data (but there may be other regulations that do). If you’re in Europe––regardless of being a citizen, legal resident, temporary alien or just passing through an EU airport for an hour––GDPR likely applies to your personal data.

“Natural persons” refers to GDPR applying to the personal data of all living people in Europe, but not to other legal entities, like corporations, who might claim their personal business data. It still does apply to all businesses, and applies anywhere in the world they are collecting, storing, or processing the personal data of anyone IN Europe. It doesn’t mean GDPR only applies to legal entities or businesses based in Europe––or only on data centers with data in Europe. It means anywhere.

IS ‘PERSONAL DATA’ JUST PII?

“Personal Data” is just PII, right? Pedantically, Personal Data (PD) is the focus of GDPR. Of any direct or indirect identifiers across a wide (and often surprising) range of categories and types of Personal Data that can identify a natural living person in Europe. If you’re talking GDPR, PII is merely a subset of Personal Data.

But definitions vary. For example, under the U.S. National Institute of Standards & Technology (NIST.gov) definition, a network TCP/IP address isn’t considered personal, whereas under GDPR (and most other privacy regulations) it most definitely is personal.

WHAT DID IT MEAN TO BE GDPR READY?

My point of view is it “just” meant a focus and action for getting and sustaining readiness across three activities and outcomes:

1. Compliance
All the organizational change management activities around people, policy, process, and education to raise internal awareness of privacy and protection. Ensuring everyone is educated and practices with transparency and accountability—that there are policies in place and they have audited proof of being followed. Plus, via contractual and other terms, ensuring your global supply chain sustains readiness for you.
INFORMATION PRIVACY “ California CCPA and Brazil’s LGPD. News Let’s hope we can get to some A few months ago, Thailand issued their privacy regulation which will FACEBOOK: go live later in 2020. And Brexit, if ALWAYS meaningful federal level privacy it’s been resolved by now, adds to the complexity. WATCHING ATTORNEY GENERAL BECERRA, SENATOR JACKSON regulation to make it a level playing Other countries already have some or most of a GDPR-like Let’s be honest. Most of us use INTRODUCE LEGISLATION TO STRENGTHEN, regulation in place, but often without CLARIFY CALI CONSUMER PRIVACY ACT field across the country.” our phones for much more than the teeth of the large potential making calls, checking social penalties under GDPR so far (up media, and texting friends and SB 561 CLARIFIES ATTORNEY GENERAL’S ADVISORY to 4% of annual revenue). Many family. We use dozens of apps ROLE, ADDS PRIVATE RIGHT OF ACTION, AND countries are updating and expanding to do everything from figuring ELIMINATES SO-CALLED “RIGHT TO CURE” their regulation, not only to protect out “who that actress is on that consumers, but also, if we are honest, show” to checking out weather SACRAMENTO – California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson in 2. Data Protection and reduce risks and costs (e.g. of a to clawback some revenue from forecasts and mortgage rates. February unveiled SB 561, legislation to strengthen and clarify the California Consumer Privacy All the cybersecurity actions and central privacy catalog and ROPA)? dominant American tech companies. And unfortunately, this data is Act (CCPA). The CCPA is landmark legislation passed in 2018 that provides groundbreaking outcomes around encryption, For IBM, their examples are shared And in the U.S.? We’re seeing being shared with Facebook. protections for consumers in their ability to control the use of their personal data. 
California is the access controls and monitoring, in the public GDPR journey e-book, at least 11 different states looking Given recent privacy concerns, first in the nation to pass a law giving consumers this right. SB 561 helps improve the workability it comes as no surprise that the of the law by clarifying the Attorney General’s advisory role in providing general guidance on the data loss prevention, and incident available at www.ibm.com/gdpr. to clone or copy most of what tech giant aggressively collects law, ensuring a level playing field for businesses that play by the rules, and giving consumers the breach readiness and reporting. California has in place with the data even if a user doesn’t have ability to enforce their new rights under the CCPA in court. 3. Personal Data MOST WERE NOT READY CCPA. Even some cities, like “California, the nation’s hub for innovation, has long led the way to protect consumers in the Facebook connected on their Ensuring you have a good As ongoing media reports and studies Chicago, have enacted local data device. Perhaps most concerning digital age. And as we work to strengthen data privacy law, the world is watching. It’s essen- understanding of what is Personal have shown, most businesses were ordinances as they await whatever is that dozens of popular apps tial that we get this right,” said Attorney General Becerra. “We thank Senator Jackson for her Data across the business, by able to do just enough to be initially actions their state may take. share your personal data without commitment to data privacy and for category and type, down to each ready. But they now realize far more Worst case, in the short term, the your clear consent. introducing SB 561, a critical measure to main data source or system and extensive revisions across the three U.S. may have 50 different privacy Are we really dumfounded by strengthen and clarify the CCPA. We will its location. Document and outcome areas are needed. 
We’ve regulations to meet, a very complex such a revelation at this point? continue to work together to protect all maintain a Records of Processing only just begun. Some industries and web for any multi-jurisdictional Governments around the Californians and their constitutional right Activity (ROPA) of not only what those with far more customer-centric business to operate in and sustain. world have set their sights on to privacy.” is Personal Data, but for what practices have seen a spike in data Let’s hope we can get to some Facebook, Google, Amazon, and “Our constitutional right to privacy business process and lawful basis subject requests and have struggled meaningful federal level privacy others, but fines alone have not continues to face unprecedented assault. you are collecting and using it for. to complete these within the GDPR regulation to make it a level playing slowed down the runaway train Our locations, relationships, and interests And readiness to respond to the deadlines of one month per request field across the country. Getting there that is unfettered data collection. are being tracked, bought and sold by Some might be thinking, “Well, corporate interests for their own economic deadlines for handling any data (businesses have one month to in the political short-term may be I don’t even have a Facebook gain and in order to manipulate us,” said Senator Hannah-Beth Jackson. “With the passage of subject requests (e.g. Right of comply and complete each request, hard, although the focus, priority, account.” That should provide the California Consumer Privacy Act last year, California took an important first step in protecting Erasure) in sync with a global IG not just reply). These organizations and volume of attention and hearings some level of protection, but our fundamental right to privacy. SB 561 will ensure that the most significant privacy protections and cybersecurity program. 
have documented leveraging the around these issues continues in a recent Wall Street Journal in the nation are robustly enforced.” optional regulatory extensions to Congress, plus business lobbying, investigation revealed an SB 561 removes requirements that the Office of the Attorney General provide, at taxpayers’ Larger organizations then executed these deadlines. Request volumes various draft proposals, as well as the unsettling reality: Facebook was expense, businesses and private parties with individual legal counsel on CCPA compliance; readiness plans and put in place are still in the early stages for many NIST Privacy Framework RFI9 that collecting data even in instances removes language that allows companies a free pass to cure CCPA violations before enforcement sustaining ownership and activities countries and industries and have is ongoing. where someone doesn’t have a can occur; and adds a private right of action, allowing consumers the opportunity to seek legal around these three outcome areas, been shown to spike whenever At the end of the day, it’s all about Facebook account. remedies for themselves under the act. via different formal privacy program unfortunate data breaches occur. you and me, and our Personal Data. And despite tech giants plans, policies, and processes. offering up boilerplate Background: These often included dedicated WHAT’S NEXT? statements about requiring The CCPA was enacted in 2018, and grants consumers new rights with respect to the collection workstreams such as where they are For now, it’s an ever-increasing RICHARD HOGG IS GLOBAL DIRECTOR OF disclosure for apps, they don’t and use of their personal information. As part of the law, businesses are prohibited from discrim- INFORMATION GOVERNANCE AT THE LAW require that apps disclose all acting as a Controller or a Processor. complex set of privacy and protection FIRM OF WHITE & CASEM. HE CAN BE inating against consumers for exercising their rights under the CCPA. 
As required by the CCPA, the partners with whom the data the Attorney General must adopt certain regulations on or before July 1, 2020. Effective January 1, What common services do we regulations being refreshed and REACHED AT RICHARD.HOGG@PM.ME is being shared. So, Facebook’s 2020, businesses must comply with the CCPA’s key requirements: need to stand up and run across enacted, with momentum around the lack of concern for user privacy the business to ensure consistency world. Coming in 2020 is both the continues unabated—until • Businesses must disclose data collection and sharing practices to consumers; perhaps GDPR and CCPA • Consumers have a right to request their data be deleted; REFERENCE: [1] https://phys.org/news/2019-01-complaints-eu-countries-law.html; [2] https://noyb.eu/faqs/; [7] https://techcrunch.com/2018/10/03/ regulatory enforcement hits full • Consumers have a right to opt out of the sale or sharing of their personal information; and europe-is-drawing-fresh-battle-lines-around-the-ethics-of-big-data/; [8] https://go.forrester.com/blogs/gdpr-fines-are-coming-but-they-wont-be-your-biggest- stride. —Staff loss/; [9] https://www.nist.gov/privacy-framework • Businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent. 18 INFOGOVWORLD.COM INFORMATION GOVERNANCE WORLD 19
CALI PRIVACY ACT TO HIT FINANCIAL SERVICES FIRMS THE HARDEST?
MANY INSTITUTIONS MAY THINK THEY GET A PASS ON CCPA
BY SCOTT ALLBERT | PHOTO BY LILLI GARCIA (LILLIPOPART.COM)

Have you heard the buzz about CCPA? Sure, most of us have heard about the new "California Consumer Privacy Act," yet many companies will find themselves in serious trouble by not preparing properly. This will especially be true for financial services firms. A couple of important things to know: first, which companies are required to comply with CCPA (hint: this also includes firms located outside of California), and second, what data falls under the protections of the act.

California's new privacy law will come into effect on January 1, 2020. This act is designed to give California residents a better way to control and to protect their personal information. California consumers will have the right to order companies to delete their personal data, similar to what Europe's all-encompassing GDPR regulation calls for. Many U.S. states are now debating new privacy laws using CCPA and GDPR as models to protect the personal rights of individuals and consumers.

As we learned in the Winter 2019 issue of IG World in an article by Osterman Research, privacy regulations are rapidly spreading worldwide in countries such as India, Brazil, and Australia. Even the U.S. Congress has been working on a bill that could soon become federal law. California consumers will have the legal right to force companies to not only delete their personal information but also disclose what Personally Identifiable Information (PII) has been collected about them and the reasons for collecting it, and to order them to refrain from selling any of it.

The personal information protected in these regulations contains a lot more than just financial or banking data; PII includes all information that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." This consists of many different types of information, including IP addresses, biometric data, personal characteristics, browsing history, geolocation data, and much more.

CCPA PASSED IN 2018
On June 28, 2018, the California Legislature passed Assembly Bill 375, the CCPA. The act will apply to any "for-profit" organization which grosses at least $25 million annually, or handles the personal information of 50,000 or more Californians, or derives at least half of its annual revenue from selling personal information. Most importantly, CCPA applies to businesses "regardless of location" who meet the above criteria. You must comply if you process personal information of Californians, whether your corporation is located in California or not.

What was interesting is how CCPA was rushed into law and signed by Governor Jerry Brown in June of 2018, just days before a deadline to withdraw a state ballot measure on a privacy proposition coming up in the November election. Tech companies like Google and Facebook were ready to fight against this voter initiative because it would have been more strict, holding them more accountable with more far-reaching rules and heavier fines. These same tech giants are currently lobbying Congress in Washington, DC to create new federal privacy laws. Not surprisingly, big tech companies are only looking out for themselves to try to preserve their "surveillance" business model by watering down impending privacy legislation.

It is important to note the CCPA has already been amended and politicians promise to make more changes before the dust settles and it goes into effect in January 2020.

FINANCIAL SERVICES COMPANIES
Do financial services companies have an exemption? Well, yes… to an extent. In September 2018, the CCPA bill was amended with carve-out language to address business information, including financial services data. This amendment provides a sweeping exception for financial institutions, including data regulated by the Gramm-Leach-Bliley Act (GLBA). You can almost visualize compliance officers at banks like Wells Fargo and B of A celebrating one less regulation to deal with. However, as I tell our financial clients: "don't be complacent, you must be prepared." While the carve-out language is no doubt welcomed by GLBA-related entities, it really should not be interpreted as a full exemption. Financial services firms will remain subject to CCPA requirements if and when they engage in activities outside of the GLBA, which many most certainly do. The CCPA definition of "personal information" is much broader than that of GLBA data, which usually relates to services performed in consumer financial transactions.

Since many financial services institutions believe they have full exemptions to CCPA, they could find themselves vulnerable to risks, fines, and any related lawsuits. This will happen because they did not prepare properly and protect non-GLBA-related data. To be clear, the currently drawn CCPA states that if a GLBA entity "collects information beyond that of providing a financial service or product to a consumer" then the CCPA regulations will apply. Examples of data collected outside of a financial service or product include data like website visitors and their locations, analytics used for targeted online advertising, or collected geolocation information.

It is vital that financial services firms realize the need to pay attention and distinguish what data is regulated by GLBA and what by CCPA, as they will inevitably be required to prove which data is exempt. More financial services organizations will find themselves struggling to stay compliant than most other industries because they did not prioritize CCPA compliance appropriately.

Just as we learned after the European GDPR came into effect last year, some companies were ready and many were not. We also learned how the companies that made the commitment to protect personal data with enterprise Information Governance (IG) and Privacy programs, including software, systems, and organizational changes throughout, were much better prepared for CCPA and will be for any new regulations coming soon.

SCOTT ALLBERT IS PARTNER RECRUITER FOR M-FILES, INC. HE HAS OVER 20 YEARS' EXPERIENCE IN ECM, IS A PAST CHAIR OF THE AIIM BOARD, AND AN AIIM FELLOW. HE MAY BE REACHED AT SCOTT.ALLBERT@OUTLOOK.COM.
GDPR'S FIRST BIRTHDAY
BY MARK DRISKILL

As Brexit talks engulf European and UK politics, another smoldering issue threatens far worse damage to the EU/UK relationship, and indeed the global economy. Last May, the EU implemented sweeping new data privacy and protection laws meant to protect the Personal Data (PD) of those in the EU, importantly, be they citizens, temporary residents or visitors, from unauthorized use, AND, extra-territorially, wherever in the world their personal data is stored or used. The issues stem from the EU's broad definition of PD and the long history in Europe of privacy being viewed as a fundamental human right, against too much history of dictatorships and fascist control.

The EU's General Data Protection Regulation (GDPR) took effect, provoking a new era of tech-company corporate accountability. The GDPR didn't just standardize data privacy and protection across all (current) 28 member states of Europe, but refined both how to seek permission to use personal data and refreshed the personal rights of each person in the EU to view and take control of their own personal data.

As 2018 came to a close, it was revealed that some major tech companies use personal data in ways that violate personal privacy in many ways. Large data handlers like Facebook, Google, and Amazon have come under close examination by EU regulators, forcing CEOs in the "personal surveillance data business" to defend, and even rethink, their business models (e.g., Google now cites privacy regulation as a major threat to their business model in corporate documents). These have included both privacy regulators around GDPR (e.g., the UK ICO, Ireland's DPC, etc.) and EU competition regulators. Under the new GDPR these companies, without exception, must follow EU privacy law. The issues rest primarily with the advertising data insights these companies have created using proprietary algorithms. The invasiveness is secretive and at times unsettling, as these companies seem to know when someone will buy a pair of socks!

At first glance, it might seem as if the first year of GDPR compliance has been largely uneventful, at least in terms of other leading global news stories. It's really a journey, as the EU regulators and analysts have shared. With almost 95,000 privacy complaints filed, they have only just started to process those investigations, findings, and enforcements. So many of the "privacy fines" we've seen since GDPR went live were really cases that occurred pre-GDPR and thus much smaller in scope and penalties under the prior EU privacy regulation. What has been happening quietly, almost behind the scenes, is a tacit acceptance that data privacy from the person-centered perspective must begin with forcing larger companies such as Facebook, Google, and Amazon to comply. This hangs over companies in the consumer tech sector like thick fog. American businesses and culture do not like anyone telling them how to run things. Apparently, this is also true for GDPR compliance, adding to a persistent lack of full compliance.

A December 2018 Forrester survey commissioned by Microsoft found that more than half of businesses failed to meet GDPR compliance checkpoints.9 Other highlights included:
• 57% instituted "privacy by design"
• 59% "collected evidence of having addressed GDPR compliance risks"
• 57% "trained business personnel on GDPR requirements"
• 62% "vetted third-party vendors"

This last item is perhaps the most troubling: 38% have yet to vet their third-party software vendors. This means that a significant portion of the global economy is not meeting GDPR compliance. The Forrester survey's primary finding was that only 11% of global companies are prepared to undergo the type of digital transformation needed to fully comply with the GDPR-based privacy needs of citizens. In its entirety, GDPR has yet to make a significant impact, at least one beyond large tech company compliance. A key implied issue that ultimately influences GDPR compliance checkpoints is the balance between intrusion into a company's business practices and its ability to make a profit. Industry leaders such as Kon Leong, CEO of ZL Technologies, note that "built into the challenge is the paradox that achieving complete data privacy required by GDPR entails an unprecedented level of intrusion. In order to truly protect personal data, you [must] know exactly where and whose it is. This necessarily requires intrusion, which many don't understand." Leong's point is apt because the global economy depends on the flow of information. What is the balance? As conveyed by Richard Hogg, Global GDPR Evangelist, IBM, "Identity is a key challenge and duty around GDPR privacy compliance."

ENFORCEMENT AND PRECEDENT SETTING
With the new GDPR mandate in place, EU member countries have a valuable tool for ensuring compliance even as these companies undertake actions to protect their business models. Ireland, for example, has "opened 10 statutory inquiries into Facebook and other Facebook-owned platforms in the first seven months since" GDPR adoption last May.10 The Irish Data Protection Commission (DPC) commissioner Helen Dixon notes the inquiries match the public's interest in "understanding and controlling" their own personal data. The Irish DPC fully intends that these be precedent-setting. Given the widespread global use of Facebook and its plethora of connected apps, such inquiries from other EU member countries cannot be far behind.

In perhaps the most egregious case yet, a whistleblower forced Facebook to reveal that "as many as 600 million users' passwords were stored in plain text and accessible to 20,000 employees, of which 2,000 made more than 9 million searches that accessed the passwords going back to 2012."11 Added to this blatant breach of basic cybersecurity practices is the fact that Facebook knew about the issue back in January and spent several months trying to keep it from the public.12 These would surely have been embarrassing questions to answer during the recent U.S. Congressional hearings.

As Forbes points out, cybersecurity at Facebook just might be obsolete. In the wake of the sensational stories regarding recent Russian interference in American elections, "Facebook did not conduct a top-down security audit of its authentication systems." This is a profound, if not provocative, revelation, particularly given Zuckerberg's promise to reform Facebook's business practices. That promise, made to Congress just prior to GDPR's May 2018 roll-out, seems now to be empty. While Zuckerberg testified, his company continued its intrusive practices, even as he tried to simplify Facebook's business practices for legislators. What Zuckerberg did not tell Congress was that "GDPR has highlighted not only the privacy impact of a data-driven society," notes Kon Leong, "but also the issues that come with enterprises' siloed IT architecture." Facebook's IT architecture was (and probably still is) compromised.

In the business world, laws and regulations are street signs to setting precedent. During this initial phase of GDPR compliance, it is crucial that leading EU countries, such as Germany, take positions of authority. Germany's Federal Cartel Office, the federal agency that enforces Germany's competition laws, set a new precedent with a February 2019 decision. In that anti-competition case, the German regulator severely limited Facebook's ability to collect and combine user data inside Germany. This essentially walls off Germany's Facebook users from the rest of Facebook's user base. The precedent set by German regulators was substantial. Facebook (at least in Germany) can no longer use tactics such as using user data to make fictitious profiles. Moreover, it can no longer use the Facebook Pixel, a small piece of tracking code embedded in a web page that transmits data back to the company's servers. With the German precedent, Facebook can no longer claim that what it does with user data on its platform is proprietary.

In some ways, the first year of "GDPR-live" was marked by both confusion and denial that such regulation was really needed. Today, the establishment of a nation-specific precedent is the exception, not the rule. However, enough cannot be said about the fact that Germany is one of the main economic powers of the globe. Without German leadership, GDPR might die an unceremonious death. The same must happen in other countries involved in setting global economic policy.

In short, GDPR-style privacy must come to the United States. Thankfully, California is leading the way with its California Consumer Privacy Act (CCPA), which is going live January 2020.