In the past, data privacy (or data protection) was an often-overlooked area of risk management; many companies did not associate data privacy with risk at all. However, as more countries regulate how companies use data, and as more companies suffer data theft or hacking, data privacy has emerged as one of the hot topics of legal risk management. Countries are steadily enacting tougher rules on personal data. South Korea is an example: after its credit card hacking scandal, it amended its data privacy protection laws to be more rigorous and comprehensive. There are five main reasons why data privacy has become a major area of risk requiring the attention of a company's Law Department, Risk Management Department and, ultimately, management itself. They are:
- Knowledge economy: Many businesses, through the use of the Internet and computers, compile and use large volumes of data.
- Penalties: The European Union, Canada, and other countries, such as South Korea, have strict data privacy laws that provide for significant fines and penalties for violations.
- Publicity: As more people jealously guard their personal data, a company's violation of data privacy laws can create a publicity nightmare, in effect a crisis of potentially epic proportions, which has to be managed or contained.
- Extraterritorial reach: More data privacy laws now restrict the transfer of data abroad, creating cross-border risks.
- Tougher regulations: More countries, South Korea among them, are enacting tougher regulations on the use and dissemination of personal data.
Managing data privacy risk can be quite a task. There are three major risks involved with data processing, and each must be considered before a risk management solution is implemented. The three major risks are:
- Financial risk: Fines and penalties under data protection laws (the EU directive, U.S. federal and state data protection laws, and the laws of other jurisdictions), together with litigation and litigation costs.
- Intellectual property risk: Loss of competitiveness in the marketplace due to loss of trade secrets or other forms of IP to competitors, wherever they are situated.
- Brand risk: Loss of reputation, loss of customers, negative publicity, negative reaction from stakeholders, and increased scrutiny from regulators, who in jurisdictions such as the European Union are enacting progressively tougher rules on the use of personal data.
To determine the risks a company faces before developing a legal risk management (LRM) solution, and then to implement an effective one, an organization must answer a series of tough or painful questions, including but not limited to:
- What data does the organization have and where is it located, including data already published or disseminated?
- What kind of data does the company have, and how sensitive or confidential is it?
- What processes, if any, are currently in place to protect the data?
- What processes, if any, should be implemented to protect the data?
- What major risks are involved in choosing which processes to use or implement to protect the data?
- How many custodians have access to the data?
- Are protocols in place for handling the data?
- Has an inventory of all electronically stored information (ESI) been taken?
- Are obsolete or unneeded records still being preserved, and why?
- Has the IT architecture been reviewed and mapped?
Only once these questions have been answered and the risks associated with personal data have been considered is a company in a position to create and implement a risk management process for its personal data. But remember: the tough questions must be answered first.