How can RIM support Privacy
The month of April is recognized as Records of Information Management Month, we wanted to use this opportunity to talk about how RIM can support Privacy in promoting the principle of Data Minimization within organizations.
Data minimization is not only about privacy, but it is about implementing efficient data management practices. The need for efficiency in managing organizational data has become increasingly important not only from a regulatory standpoint, but it is also a necessity for maintaining competitive advantage. Decreasing the amount of data collected and stored allows an organization to become efficient, reduce the total cost of data storage and limit the consequences of a data breach.
However, one of the biggest challenges to implementing data minimization is determining what data is necessary to keep and what should be disposed of. Data minimization requires good planning, connecting the dots, and working collaboratively with all relevant stakeholders across the organization.
Records and information Management (RIM) and Privacy have potential for a successful and symbiotic relationship in promoting Data Minimization.
To gain a better understanding of their relationship and how it can turn mutually beneficial, let us first look at their individual requirements, challenges and how one affects the other.
Privacy, as we know, is no longer considered an afterthought but a default setting that is baked into all business practices. Establishing an efficient and sustainable privacy program within any organization to incorporate privacy by design involves the collaboration and collective effort of the entire organization.
In today’s data driven world, companies are constantly collecting and storing exponential amounts of data and retaining said data for long periods of time. This happens for two main purposes, first because storage costs are cheap and easy to access and maintain. Second, because of the belief that the data is an asset, could be useful and can be monetized in the future. The risk, as perceived, was in deleting data, not retaining it.
However, contrary to popular belief, collecting, processing, and storing large amounts of data brings liability, burden and can increase both privacy and security risks for the company. It is also a legal requirement under various privacy laws.
Data Minimization is an important principle within privacy. Data minimization adopts the ‘less is more’ approach. Wherein only that data collected should be adequate, relevant and should not be excessive in relation to the purposes for which it is being processed. In short, data minimization means that only relevant data is collected and is disposed when it is no longer required. This is a crucial aspect of a strong privacy program.
With data minimization, the privacy of individuals is respected as only the necessary data is collected from them and is then destroyed after its purpose has been served. Further the resources spent on the management of data and its security is significantly reduced. Exponential amounts of stored data acts as a liability as it attracts risks such as breaches, data loss, theft and so forth. But Data Minimization as a principle seems fundamentally at odds with the organizations goals to collect as much data as needed.
Records and Information Management
RIM is the field of management responsible for establishing and implementing policies, systems, and procedures to capture, create, access, distribute, use, store, secure, retrieve, and ensure disposition of an organization's records and information. as defined by ARMA International.
As we mentioned before, one of the biggest challenges to implementing data minimization is determining what data is necessary to keep and what should be disposed of. RIM can provide insight into what needs to be kept through the retention schedules.
To work collaboratively with Privacy and to ensure its own success and improved efficiency, the focus of RIM should be on providing guidelines and recommendations on when data collected by businesses should be disposed. This is vital for businesses as data needs to be consistently destroyed when it is no longer needed.
RIM has traditionally focused on retaining data rather than destroying it after its use. A requirement that was strengthened following the Arthur Andersen Enron scandal.
The scandal involved the dissolution of Enron, an energy, commodity, and services company due to its fraudulent accounting practices. The auditing of Enron was handled by the accounting firm Arthur Andersen. Arthur Anderson was convicted of obstruction of justice because they destroyed the documents relating to its audit of Enron. Following this case, the focus of RIM was around data spoliation (the destruction or loss of evidence) and ensuring that data was preserved.
This data preserving requirement of RIM does not necessarily aligns with the data minimization requirement. The retention schedules also focused on mainly the corporate records and did not address all information typically maintained by a company. For RIM and privacy to work symbiotically, RIM will have to build actionable and granular retention schedules, that addressed all information and not just records.
However, It is not impossible for RIM to build such schedules as the concept of data minimization takes into account the need for data to exist while its multiple purposes are being served and destroyed only after the fact, meeting the objectives of both, RIM and Privacy.
RIM can benefit greatly from collaborating with Privacy, as privacy will modernize RIM by ensuring that the guidelines and recommendations become effective, efficient, and relevant. On partnering with privacy, RIM can also help meet different organisational objectives such as providing structure and standardisation for managing all data – not just records.
Privacy in turn will gain a partner with RIM by helping strengthen, support and uplift Data Minimization. Privacy can also leverage the knowledge, capabilities and skill sets that RIM teams bring to the table. Data minimization is a strategic imperative. Working together the two teams can highlight the cost-savings and the efficiency that comes with Data Minimization. This will be key to gaining buy-in.
All in all, the alliance of the two with RIM promoting privacy by strengthening Data Minimization, is exceedingly beneficial for businesses. The competitive edge of gaining consumers trust that comes with heightened privacy, the strong compliance with the many regulations and the increased efficiency and effectivity of information management makes business processes both sustainable and scalable in the long term where data collection, use, processing and sale has become a key component of daily lives.