If you are in the information governance space these days, in virtually any role, you hear a lot about data privacy. And unless your organization is way ahead on this, or so far behind that you do not even know it is a concern, there is probably a lot of discussion about what you should be doing to bring your organization up to date on the confidentiality of personal information.
Privacy is Never a One-off Topic
There are good discussions to be had, but in having them, remember that privacy is not a one-time act, something you do or implement and then forget about. Rather, privacy is a stance you need to take, which will drive results across a wide range of processes, technologies, and data repositories. Some of these are standard processes and documents, such as record keeping and retention programs. But many others are not, such as the need to provide disclosures, obtain permissions before collecting personal data, and set retention periods.
In tackling this daunting problem, it is important to understand that information privacy is not a one-size-fits-all matter. The results you need to achieve are dictated by the applicable laws, and what those laws require varies a lot. So, if you are doing business in Europe, you face a very different privacy landscape than in the United States. But even within the United States, the mix of states in which you do business presents an assortment of privacy laws that vary from state to state.
These days, it is tempting to assume that, in the United States, the California Consumer Privacy Act (CCPA) is the only law that matters, but that would be a mistake. Many other states have passed privacy laws and many more are in the works. Not only is it a complex landscape, but it is a changing one.
Even the European Union, with its General Data Protection Regulation (GDPR), which was supposed to provide a level playing field across EU countries, presents a complex amalgamation of rules and regulations that organizations must adhere to.
Data Privacy Principles
That said, there are general principles to keep in mind that serve as the framework for virtually all privacy laws:
If it can be linked to a specific human being, it is personal information. Some privacy laws contain long lists of specific data elements considered personal, but many, including the CCPA and GDPR, are much broader and more general, and the landscape is constantly changing. It is therefore not a good idea to assume that a particular piece of personal information is not covered.
Less is more, and less is better. If you do not need a piece of personal information, do not collect it in the first place. If you do need it and you are done using it, get rid of it. This notion of data minimization, reducing the amount of personal information in your possession, is a central tenet of all privacy laws. And by implication, it tells you that you must have and enforce a document retention program, the vehicle by which you dispose of old information.
When in doubt, disclose and ask. You do not always have to disclose the purpose for which you are collecting personal information, and you do not always need to request permission before collecting it. But if permission is required and you fail to obtain it, you could be making a very costly mistake. It is never wrong to disclose and ask. If nothing else, it is good from a PR perspective, so unless you are sure you do not need permission, ask.
No one should see it unless they need to. Confidentiality is about keeping secrets, and information is not much of a secret if everyone in your organization can read it. If people who do not need it can access it now, that must stop.
Of course, implementing these simple principles is extremely complicated. In future posts, we will look at the details of where exactly you will face this challenge and how to overcome it. In the meantime, look inside your organization and ask how well these principles are being implemented right now. If you find gaps, you have obvious starting points for your new privacy initiative.