A Records Retention Schedule is a TOOL that EMPOWERS organizations to GOVERN and DEFENSIBLY DISPOSE of their information.
Records retention is first and foremost about complying with laws and regulations. However, a retention schedule, when properly developed and utilized, is not simply a tool that tells you how long you must keep (or when to destroy) your records, it is a blueprint that provides powerful insight into the information lifecycle and knowledge management capabilities of your company as a whole. It saves you money on storage and helps shape the way you curate your information enterprise-wide.
Records retention is first and foremost about complying with laws and regulations. However, a retention schedule, when properly developed and utilized, is not simply a tool that tells you how long you must keep (or when to destroy) your records, it is a blueprint that provides powerful insight into the information lifecycle and knowledge management capabilities of your company as a whole. It saves you money on storage and helps shape the way you curate your information enterprise-wide.
OUR RETENTION SCHEDULES:
Serve as a primary tool for ensuring records compliance with federal, state, local laws, regulations and business requirements
Identify business continuity records
Document all records categories, records formats, systems of record, retention requirements and data classifications
Can be updated automatically and integrate with IT infrastructure
Reach out to us today to schedule a free consultation at 323-413-7432
In response to recent stateside efforts to enshrine data protection including the California Consumer Privacy Act (CCPA), organizations are revisiting the efficacy of their Data and Information Governance (IG) programs. Laws and regulations vary by industry and company size. Yet each intend to protect consumer’s personal data by prescribing technical and governance standards backed by stiff penalties for non-compliance.
What you need to know and do to ensure compliance with California’s new Consumer Privacy Act
New regulations governing use of customer and personal data needn’t be burdensome. Rather, they help reduce expenses and monetize the information lifecycle, identify opportunities for better governance to avoid fines and litigation exposure and foster trust to enhance customer experiences. Download this FREE detailed CCPA roadmap to see how you can get your company on the path to compliance.
This slideshow requires JavaScript.
Our CCPA and GDPR engagements include:
Data and resource mapping
Conducting gap and risk assessments
Controls evaluation to standards
Establishing governance with clearly defined roles and responsibilities
Policies and procedures review
Domestic and International legal review of privacy and security policies to fit the organization’s risk profile and culture
Consumer data request and delivery mechanism (including website notices)
Providing education and training
Design of role-based access control (RBAC) rights
Privacy impact assessment (PIA/DPIA) during product design
Third Party Due Diligence Support
Pre-contract due diligence and consulting
Cloud services guidance
Managed security services (build or buy guidance)
Third-party management program/policy
Our consulting and software solutions enable clients to comply with CCPA provisions 1798.110(a)(4), 1798.100, 1798.105, 1798.110, 1798.120, 1798.145, 1798.140, 1798.150
Call us today to see how we can help you with:
California Consumer Privacy Act of 2018, Amendments and Rulemaking
HIPAA/HITECH Security, Privacy and Breach Notification Rules
Generally Accepted Privacy Principles (GAPP)
EU’s General Data Protection Regulation (GDPR)
ISO/IEC 27001-2:2013
CIS Top 20 Critical Security Controls (CA AG requires)
SEC OCIE Cybersecurity Initiative
NIST Cybersecurity Framework
U.S. Sentencing/DOJ/OIG Guidelines for Effective Compliance (program foundation)
Applying Risk Management Program Management and Principles
By Rafael Moscatel, Certified Information Privacy Manager (CIPM)
HEY BOSS, LOOKS LIKE PRIVACY IS KIND OF A BIG DEAL NOW
IAPP’s Privacy.Security.Risk. Conference 2019took place in Las Vegas over four days at the end of September and was attended by more than 2000 attendees hailing from all over the United States as well as a number of countries. The Fortune 500 was well represented but I also met a number of other astute organizations and took a tour of the industry’s big vendors on the showroom floor. Although I live tweeted the event I’d been waiting to share my complete thoughts until after I passed my CIPM exam, which I did just a couple days ago. More on that later…
THE FIELD OF INFORMATION MANAGEMENT CONFERENCES GROWS MORE CROWDED
First, as a Certified Records Manager (CRM) and Information Governance Professional (IGP), I’ve been to and spoke at my share of conferences touching on best practices for information management, privacy, security and content. What made this one different? Well, besides how well the conference was organized and the venue, The Cosmopolitan, almost all of the workshops were just first rate, chalk full of real take home targeted content and timely. The vast majority of the presenters were seasoned and even the first-timers made the grade. Here we are on the heels of one of the biggest new privacy laws, the California Consumer Privacy Act, and these sessions were speaking directly to its attendees on how to take specific action and plan for additional state directives. The education aspect and sales piece blended well, with technology complementing best practices and not the other way around. And the conference also left me with a lot of questions…
DO WE HAVE THE RIGHT TO BE FORGOTTEN?
I didn’t attend the training sessions on the first two days but made it to the opening keynote by Former Chairman of the FCC, Tom Wheeler who gave the audience a 30,000 foot view and shared thoughts from his new book, From Gutenberg to Google. A great way to set the tone for the conference and then it was followed up by Janelle Shane who focused on rudimentary examples of AI but didn’t really connect her topic that well to Privacy. Nonetheless, it was an interesting takeaway. However, my favorite keynote came in the form of a play by Sharyn Rothstein and directed by Seema Sueko entitled The Right To Be Forgotten. The play examined a concept that we find in Europe but which still hasn’t taken hold in the States. It follows the impact of a young man’s juvenile mistakes and how they follow him around as he gets older, impacting his reputation and his life.
IS THERE A PLACE FOR DIGITAL ETHICS?
I know a number of people who have been personally affected by the internet, both by their own doing and also unfairly, and so this was a terrific way of introducing these challenges to the audience. The problem was that the rest of the conference didn’t really touch on this topic because it was more focused on CCPA and the corporate aspects of privacy program implementation. That’s fine but it left me wondering if in the United States we’re really where we need to be on the privacy front. We seem to only be focused on the issue from a data protection standpoint rather than an ethical one, whereas GDPR and other parts of the world take a more holistic view. Yes, we have HIPAA and the Children’s Online Privacy Protection Act (COPPA) but it feels like many of our laws are still really about breaches and liability and not about the value of privacy.
The conundrum seems to be that while we’re moving, as industries, toward a business culture of privacy, our culture as a whole is moving in the opposite direction, away from arms length communication and behavior and towards oversharing and a lack of discrepancy. How do these two worlds exist? We know that hackers are now using personal information voluntarily shared with the world to design more sophisticated phishing attacks and deep fakes. We know that thieves use location and vacation information shared through social media to know when you’re home and plan robberies. And despite all of these controls supposedly put in place around the world, we continue to give more of our personal information away which ends up being held as ransome against our companies. Yes, we know we have to share this information to enjoy convenience and in many cases now, to simply survive and get daily errands completed, but it still feels like digital sisyphus. In the age of the personal brand, are there even any private people around anymore? What good is all of this data protection if society as a whole has given up on the ethics of privacy? Besides the play at the conference and some of the discussions around children’s privacy, I didn’t see much of a discussion here, but perhaps it wasn’t the venue. I recently had a discussion with noted Data Privacy Professor Anita Allen, who wrote the first casebook on privacy law, on these ethical aspects of privacy that will soon be available in my book, Tomorrow’s Jobs Today.
THE RISE OF THE MACHINES
So, full disclosure, I work with a few vendors in the privacy space but my thoughts on privacy vendors are not influenced by those relationships. I saw some amazing products at P.S.C.19. The products seem to be maturing and there is a lot of venture funding going into developing large enterprise scale platforms that do an A to Z job in addressing GDPR and CCPA. There are a couple big players in the business and the industry should be grateful for their sponsorship of conferences like this and generally moving the ball forward in terms of conversations around privacy.
What I’m seeing is a lot of enterprise product that is designed specifically for large organizations and a lot of file analysis, enterprise architecture and other similar companies trying to adapt their solutions to solve the problem. The problem is that the problem is constantly evolving and despite a pretty clear prescription in the CCPA legislation, I just don’t think one size fits all. Especially if you’re looking at a capital investment to check a compliance box that might be covered in a more strategic manner. Let me explain…
I had the pleasure of sitting with a team of folks from a major multinational and a peer and I questioned them about their approach to CCPA. It was pretty impressive. They had half a dozen folks attending the conference from a number of their offices. They had hired an industry leader to implement their program. So lots of investment, lots of buy in and it was proportional because their size makes them a natural target for a regulator. One of the more amusing partners in the group casually replied to me after I asked if they were ready by saying, “Yeah, but I’m going to be really pissed if we did all this work and don’t even get one request!” That’s of course what a lot of organizations realized following the GDPR where the flood of data subject requests turned out to be a trickle. So, despite their aversion to risk and likely thorough, appropriate strategy, I still wonder it it’s right for everybody. What about the companies with a smaller footprint and much smaller budget? Does it make sense to have an omnibus-like enterprise product, with dozens of API’s and infrastructure demands take over a section of your IT department?
WHAT ABOUT STRATEGY?
Here’s the truth about privacy programs and tools. There’s no silver bullet. Dumping a ton of money into an existing IT or Records Management program or hiring a team of half a dozen twenty-six year old MBA’s from one of the big four to turn your enterprise upside down (yes I’ve seen that) is not even close to a smart information governance strategy. Unfortunately this is the first time many organizations have had to take a close look at their information and records management programs. In many cases, especially with regulated industries, information management has played a role in meeting regulatory and audit demands but it wasn’t necessarily center stage the way it is now. Many companies have a retention schedule or policy but were probably over-retaining a lot of their data and not taking action on some of the other aspects of it like data classification until the privacy movement came along.
Data Protection Impact Assessment with CAPP using LogicGate
Privacy-centric records management is basically the ideal Information Governance project or initiative. That’s because to accomplish privacy goals, companies need to not simply revise policies, they need to holistically understand how those policies work with other areas of their business like data security and records management. Fortunately, a lot of the groundwork has already been in place at many organizations, specifically in Finance and Health, in order to integrate a privacy-centric framework. If it has been performed you should also complement it with a DPIA or Privacy Impact Assessment.
That said, how do you get the most value of the technology you implement? I think you do that by having the types of conversations that allow the best minds in your organization to become stakeIholders in the ultimate solution. Before you buy product, you need to survey your landscape. It may be that you need a privacy program and privacy protections for your consumers, employees and vendors but your data subject requests are not so cumbersome that you require an overhaul of your inventory and integrations.
Can you use an Enterprise Architecture and data mapping tool in concert with a separate data subject request tools instead of automating everything? Maybe. Consider the investment and time that might go into continuously monitoring a complicated, heavily API dependent and seldom-used privacy tool. Might that effort be better put into maintaining an EA tool that not only supports the mapping requirements of data privacy legislation but also supports other areas of the IT business? Don’t we want our organizations to be agile and be able to swap-in and swap-out tools as needed? Do we really want to tie an entire business process to one solution? Haven’t we learned anything from our legacy mainframe days? Remember how hard it was, and is, to untangle ourselves from those.
Mapping Data for GDPR with CAPP in Ardoq
I’m not saying that an enterprise-wide product isn’t right for large organizations with a lot of risk and endpoint exposure. I just believe that companies need to consider the process as a whole and take their time building these programs. Although California may serve as the baseline, we still don’t know what the rest of the States will do or what the future brings.
BEING A NEWLY MINTED CIPM
I can’t comment on the substance of the exam as I’m prohibited to by the agreement I signed. What I can say is that like most designations the value I find is not necessarily in the certification as much as the legwork and study necessary to achieve it. The reward is in the knowledge you acquire along the way, not just the medal you get at the finish line. If you check out the publicly available study materials and Body of Knowledge (BOK) available on the IAPP site you’ll see that it looks very much like the protocol of other information management organizations.
My belief though is that this BOK is evolved precisely because it’s privacy-centric. It covers many areas familiar to IG and Data Privacy disciplines but it is much more a holistic model and prescription than I’ve ever seen. It’s one of the reasons I’m so impressed with the IAPP.
THE RACE JOURNEY BEGINS
I came back from meeting with data privacy officials and business people in Brussels in 2018 knowing that Privacy was going to change the world. It’s one of the reasons I decided to engage more fully in it professionally. I’ll be spending more time talking about my journey towards privacy and speaking about the CCPA and related issues over the coming months and in my new book which should be available early next year. The concept of privacy is not just important for data protection and to check a compliance box, it’s important because it affects the lives of our colleagues, our friends, our children, our parents and pretty much everything around us. We need to not only protect our data but we need to value it and teach others to value theirs and that’s what I’m dedicated to.
I’m available for consulting opportunities and interviews and would love to discuss your corporate challenges. Feel free to contact me at rafael@capp-llc.com to schedule a free two-hour workshop or just give me a buzz at 323-413-7432.
Rafael Moscatel, managing director at CAPP, joins GRC & Me to discuss how his background in law and consulting ultimately led him to the world of GRC. He shares how one tweet led to a watershed moment in compliance and privacy, and tells his deeply personal connection to California adoption records. Rafael also explains how CCPA should be viewed as a blessing that helps better understand what’s “under the hood” of your company.
EPISODE NOTES:
Top 3 Quotes
“The more that you can show your customers that you’re being a good steward with their data, the more they’re likely to trust you. And from a reputational standpoint and a branding standpoint, that’s always one of the best benefits and one of the reasons that consumers will choose one product or service over the other.”
“And I think if you look carefully, the CCPA is quite a blessing. It helps reduce expenses and monetize the information life cycle because you have a better understanding of what’s under the hood in your company.”
“…you know there’s not one silver bullet when it comes to preparing data for an information governance strategy, IG is essentially a multidisciplinary type of approach.”
Show Highlights
[01:28] Rafael’s background in law and consulting [02:35] Discussing Rafel’s company and beginnings [04:36] The “Olympics of Privacy” [05:59] A watershed moment in Compliance and Privacy [08:05] Rafael’s personal connection to records in California [09:05] The incredible moment Rafael received his birth records [12:00] The “blessing” of CCPA [14:11] Rafael’s personal opinion of CCPA [16:19] Best practices for privacy and policy management [19:30] Policy management systems [21:04] How to read more about Rafael’s thoughts on these issues [22:58] The Little Girl With The Big Voice [24:03] Vendor Risk Management [25:00] Being mindful of what’s outside your company walls as well as what’s within them
We share and store our most sensitive personally identifiable information (PII) on countless computers, networks, and devices. Within an organization, PII can be found scattered in emails, databases, shared drives and more. The new California Consumer Privacy Act (CCPA) is making a strong privacy program an essential part of an organization’s records and information governance program. Join our presentation as we discuss:
How are you leveraging the focus on privacy and complying with this new law?
Is Record and Information Governance at the table for the conversation?
Will you and your organization be ready when the Act goes into effect on January 1?
Media Contact: Ally Bertik ally@marketingmaven.com (310) 405-0358
Williams Data Management to Host Data Protection Lunch at Century City
Chamber of Commerce
Leader in
Data Protection Partners with Cyber Hygienist and Technology Expert to Discuss
How Fiduciaries Can Prepare and Protect Their Businesses for Data Breaches
LOS ANGELES. – (September 18, 2019)– Williams Data Management, southern California’s leader in data protection, has partnered with Rafael Moscatel, managing director of Compliance and Privacy Partners, and George Baldonado, president and CEO of Oasis Technology, Inc. to host a “Data Protection, A Primer For Your Fiduciary: It’s Your Business, Protect It!” lunch in conjunction with the Century City Chamber of Commerce. The panel will take place from 11:30 a.m. to 1 p.m. on October 3, 2019 at Greenberg Glusker, 1900 Avenue of the Stars, Suite 1400 in Century City, California.
Data
Protection Pro, Douglas C. Williams, president and CEO of Williams Data
Management will discuss how small businesses can take advantage of a data
breach reporting service powered by CSR Privacy Solutions, Inc. to enable
companies to protect Personally Identifiable Information (PII). Other topics
will include the California Consumer Privacy Act (CCPA), cyber security
protection and data governance.
“We
are thrilled to lead the conversation for fiduciaries on how to better protect
their businesses,” said Williams. “Our goal is to keep your information safe,
secure and available regardless of what it is or where it is stored. We hope to
provide a clear solution for companies in all industries moving forward,
especially with our new data protection suite that provides a pathway for
self-assessment and structural gap analysis for internal management.”
Guests
will have the opportunity to network with business professionals, engage in
this informative panel with expert sources and enjoy lunch provided by Williams
Data Management.
Williams Data Management is southern California’s leading source for
data protection management. The company educates, consults, has the source
materials, and provides the structure for self-assessment and corporate plan
structure for information breach notifications in the United States. Over the
last decade, the firm has become an expert solution provider, offering
professional records management, data protection, imaging and digitization,
cloud storage and certified data destruction services to all sectors and sizes
of businesses.
Williams holds numerous certifications for data compliance and
destruction including SSAE16, NAID “AAA” Certification, and is a member of
PRISM. For more information, visit www.williamsdatamanagement.com or call
888-478-FILE.
About Century City Chamber of Commerce
The Century City Chamber of Commerce is one of Los
Angeles’ most active, involved and relationship-driven chambers. The chamber
places a special emphasis on its members working together to build effective
relationships and relevant programs that help individuals and companies expand
their marketplace reach. Under the clear and powerful guidance of many
energetic committees and councils, the Century City Chamber has grown to
encompass representatives from virtually every industry, helping to make
Century City one of Los Angeles’ most prestigious business communities. From
the largest corporations to mid-sized businesses and emerging entrepreneurs,
its diverse members thrive with one another and with key decision makers.
7 Ways To Prepare Data In The Age Of Privacy and Information Governance
7 Tips for Data Preparation in the Age of Information Governance
Content may still be king, but now the rights to some of it may belong to the people! In response to the EU’s General Data Protection Requirement (GDPR) and recent stateside efforts to enshrine data protection including the California Consumer Privacy Act (CCPA), organizations are revisiting the efficacy of their Data and Information Governance (IG) programs. Laws and regulations vary by industry and company size but each intend to protect consumer’s personal data by prescribing technical and governance standards backed by stiff penalties for non-compliance.
Notably, while many companies are already familiar with records retention laws, these latest controls also introduce a duty to destroy data once no longer required for a legitimate business purpose. For entities that have grown accustomed to leveraging cheap digital storage, this new responsibility presents a number of logistical hurdles.
However, directives on how you may use your customer’s data or any other information you store doesn’t necessarily have to be burdensome. In fact, these new guardrails present numerous opportunities to implement better governance, monetize the lifecycle of information assets and foster trustworthy relationships that can actually enhance the customer experience.
These 7 tips can help prepare your data to support an IG strategy:
Automate Retention Schedules – Legal and compliance requirements are the cornerstones of corporate governance programs. Yet tracking the multitude of historical and emerging state, federal and international laws and regulations that affect your data decisions can be a monumental task that even the most robust law departments aren’t prepared for. Consider leveraging SaaS software to keep your Risk, Compliance and Legal staff current on the latest citation changes to these nuanced instructions. These tools empower you to defensibly destroy and cleanse costly data no longer useful to your organization.
Cover Your Assets – Satisfying new compliance requirements like GDPR and CCPA means it’s not enough to simply know what kinds of records you keep, you need to know what systems they’re kept in and how that data flows between them. That’s why Chief Data Officers and Enterprise Architects are increasingly embracing asset management tools that not only perform diagnostics on their application stack but allow them to inventory their attributes and map related processes that inform long-term strategic roadmap planning. Tools like these also help support application rationalization projects which in turn aid in classification and disposal of unneeded data.
Introduce Big Buckets – The biggest challenges with enforcing retention across an enterprise are “event triggers” that complicate how long sets of records must be retained. For example, an employee file might be held X years following a termination “event.” Big Bucket strategies allow you to simplify and group “like” records together to support more efficient destruction actions while assuming some risk. Work with your governance partners to determine reasonable standards for a Big Bucket policy and quantifying the acceptable amount of risk your company is willing to assume to achieve cost and efficiency benefits.
Enforce Legal Holds – Cleansing your data lakes and silos to save costs and minimize risk is an exercise in defensible destruction but requires awareness of outstanding legal holds. A company that spoliates evidence subject to a legal hold, even without malice, can be fined and suffer adverse inference litigation rulings resulting in unfavorable judgments. Additionally, healthy oversight of records under a preservation hold doesn’t just make good legal sense, it can also help better identify opportunities for even more defensible destruction, cost reduction and risk mitigation.
Activate File Analysis – The tricky thing about new laws like the CCPA is that they require companies to find and produce data for the consumer wherever it exists. That can be a cumbersome test for many entities that have hundreds or thousands of repositories. Luckily, advanced File Analysis tools can plug directly into your network and help quickly identify sensitive and personally identifiable information (PII). They can also help you deduplicate records and find redundant, obsolete and trivial data clogging your systems, also known as ROT. These tools produce a tangible ROI that management can point to as a prime example of why IG works.
Embrace Content Migrations – Unless you’ve only lived in one home your entire life, you’ve probably experienced the cathartic process of cleansing your old wares in preparation for a move. Bringing in a new content management system is not much different and it’s a unique opportunity to apply retention to your data, discard ROT and provide employees with more accurate knowledge resources.
Bake-in Best Practices – Information Governance is not a “one and done” proposition, it’s a rinse and repeat discipline that only works when management sees to it that organizational culture is along for the ride. These days a basic understanding about data handling is vital for every new hire. Concepts like records retention, data protection and privacy should be part of any overall corporate training plan.
By complementing policy frameworks and toolsets with the types of Information Governance approaches noted here we can better enable our workforce to hone their knowledge skills, achieve defensible destruction and improve audit outcomes. In effect, we are future proofing ourselves for a business world destined to face increased scrutiny and under siege from data breaches and privacy issues with seemingly no end in sight. IG is the bright light at the end of that tunnel.
Rafael Moscatel, CRM, IGP, is the Managing Director of Compliance and Privacy Partners, LLC. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.
Originally published in Document Media Magazine, July 2019.
Thirteenth in a series of in-depth interviews with innovators and leaders in the fields of Risk, Compliance and Information Governance across the globe. From the soon to be released book, “Tomorrow’s Jobs Today.”
Erick Swaine is a practice director for Mackenzie Ryan, a global talent recruiting firm. He specializes in Information Governance, AI and Analytics. He has placed thousands of job candidates across a wide spectrum of industries into mid-level to executive leadership positions and speaks frequently on their journeys and the mechanics of professional development. He received his Bachelor’s in Marketing from the University of North Carolina at Chapel Hill. I spoke with him in July about today’s recruitment process, outsourcing strategies and the nuances of succession planning in the information age.
Erick, you were an early pioneer in helping employers understand the value and talent that information governance, AI, and analytics professionals offered when these disciplines were in their infancy. How has the demand for these emerging fields transformed recruiting in the job market?
There’s a lot to unpack there as it relates to tech itself, the demand for these emerging fields and how that has transformed over the years. I come from the industry myself. Prior to my current role I sold analytics software with built in compliance and document management capabilities. Our firm recognized value in analytics and was looking to build a technology practice. Mackenzie Ryan, which split off from Personify last year (both held under Mackenzie Ryan Holdings) didn’t have it when I came abroad so they went to their private equity VC partners and asked them, “Where are you investing as it relates to technology?” There was a resounding theme around electronically stored information. This was about a dozen years ago. At that point not everyone had a content management system. The players were SharePoint, OpenText, and OnBase and companies like Stellent, which was later picked up by Oracle, and Filenet, which was picked up by IBM. But they hadn’t penetrated all the markets. Early on the investment was in Content Management and overall repositories. It was really a soup-to-nuts storage of data, you know, manipulating workflows for all components of information management.
Overall, the human capital demand is there because of the efficiency that you can create by understanding your data. The newfound efficiency is driving advanced analytics and AI over the last five to six years, with massive amounts of investments around how we make decisions around these resources. This strategy requires the right talent.
As companies started to evolve, and you had social media come into play, around the same time, there were massive amounts of electronically stored data being created. Although storage kept getting cheaper and cheaper, there was a lot of regulation coming out requiring governance of data. Many of them looked at the discipline of Information Governance as a cost only, and then hopped over into advanced analytics. Over the last three or four years, they have moved more into Artificial Intelligence.
Yet, it’s all about making sense of the data that we’re already storing, and probably not defensibly disposing of. What the new technology has done for both large and small employers is really allow these companies to make data-driven decisions, and they drive those decisions based on a lot of historical legacy data. We noticed there are several companies that either used advanced analytics platforms or AI for internal knowledge management (to enhance institutional knowledge and train their people better), or they began aggregating and analyzing the data in order to develop additional revenue streams externally.
LEVERAGING A GDPR COMPLIANCE INVESTMENT FOR CCPA / PRIVACY BY DESIGN WORKSHOP
Part I – Join European attorneys and privacy compliance experts from Brussels based law firm Ethikos to learn how to leverage GDPR compliance investments for California’s new Consumer Privacy Act. In this presentation they’ll review key data protection concepts and privacy by design strategies already in place across the EU and explain how they’re now spreading throughout the United States. Find out what you need to know about the rules of transferring data and records internationally, PII records retention requirements, rules for managing content on customer facing websites and the impact of these new records management guidelines in contract negotiations.
SELECT THE LINK BELOW TO VIEW THE WHOLE PRESENTATION.
Part II – Meet solutions engineers from Active Navigation who will show you real world examples of how state of the art privacy software helps apply concepts and rules from GDPR and CCPA directly into an information lifecycle program. Learn about machine learning classification, consent validation, uncovering dark data and many more intricacies of implementing a privacy framework as part of your Information Governance roadmap.
Presenters
Miguel Mairlot, Ethikos Law Firm, Brussels
Miguel Mairlot is a trusted compliance expert, with significant breadth of experience across Europe. He provides clients with advice and support on all aspects of their compliance program. His areas of expertise include Asset Management, Wealth and Insurance businesses to cover cross-border regulatory issues, risk management, contractual documentation and product development, advising and influencing senior stakeholders at executive committee level, enabling them to meet their responsibilities across a range of group policies and local requirements, including MiFID II, GDPR, AML, ABC and Sanctions. Before Ethikos, Miguel has worked for prestigious international law firms and financial institutions as Head of Compliance. Miguel speaks English, French, Dutch and is a Certified Compliance Officer (Febelfin Academy) since 2013 and a Data Protection Officer. He has written and spoken widely on compliance and financial law topics and teaches at the Cooremans Institute. He also serves on the Editorial Board of “la Revue de Droit Bancaire et Financier”.
Information Governance (IG) is quite the buzzword these days, yet too many organizations still find themselves struggling with implementing a practical roadmap for success. Here’s a proven strategy and a few tips I picked up while developing board level IG programs for the Fortune 500.
Walk Before You Run
It’s true that your strategy needs to be agile to support the modern workforce but it also must be driven by methodical policy and technology planning when it comes to IG. As a leading practitioner of this discipline at Fortune 500 companies as well as smaller firms, I learned first hand the benefits of careful strategic planning and executing capstone projects under the umbrella of IG. Over time and as a result of tough lessons learned, I began to develop tested strategies essential for enterprise wide adoption and success.
The first strategy is also a lesson… a lesson about cadence and setting expectations. Understanding company culture, its maturity level and appetite for change helps you plan your IG strategy over 1, 3, 5 years. These are not things you alone determine but they are considerations you leverage and may need to influence to get things done. A company that’s behind the curve on IG, or has slipped a little off the slope shouldn’t be perceived as a problem but an opportunity. How you respond to inefficiencies, gaps, audit findings and weaknesses will make the difference between an organization hostile to IG or welcoming to change. Rushing into IG will serve you up a big plate of the former.
Copyright 2019 Compliance and Privacy Partners LLC
For example, many groups that pick up the mantle of IG, excited by its potential, end up taking a scorched earth approach to handling their data projects, hurriedly setting up IG committees, imposing rules, writing up new guidelines, buying shelfware and basically racing towards what they think will be early wins. But IG is not a race, nor is it a repository for IT and Legal’s kitchen sink. It actually requires an initial 30,000 foot view and assessment of the regulatory landscape, a tactful application to core program components. A planned yet flexible cadence covers essential bases and addresses the unique needs of the business.
A clear executive level strategy around IG…
Presents opportunities for better governance to avoid fines and litigation exposure
Helps to reduce expenses and monetize the information lifecycle
Fosters trust to enhance customer experiences
Instead of rushing in, organizations first need to have the types of open, honest discussions that will achieve the goals and end results noted above. That happens by bringing the right people to the table and under the right setting.
Set the SME Table
At Compliance and Privacy Partners we work with highly regulated, US-based companies essential to America’s economic success. However, our solutions are only as effective as the commitment of our clients to their efficiency and compliance goals. Successful governance transformations require both capital investment and executive leadership.
The Sedona Conference, which has done an amazing job of raising the profile of Legal Hold and eDiscovery processes in litigation, offers up a decent definition of Information Governance but it leaves out (or at least does not fully define) one thing… the valuable people that make the whole process work. People are the “coordinated approach” in that definition and their subject matter expertise is the secret sauce in IG. So, what types of people do you want sitting at an IG table or on an IG committee?
Consider these folks for starters:
Chief Data Officer
Chief Enterprise Architect
Chief Compliance Officer
Chief Privacy Officer
Chief Risk Officer
Information Security
Internal Audit
General Counsel
Human Resources
Records Management
Now we know people are what make the world go around, and they’re the stakeholders that drive Information Governance, but what’s next? How do we begin building the type of IG program that will last, that will really manage our risks and optimize, or even monetize, our organization’s information and data value?
That next step is a core strategy that lays out the building blocks for establishing a world-class program. Yet this is the point where many companies get sidetracked and wander into the meeting hell desert for forty years. Companies that succeed stick to the basics when they’re starting new IG programs or even breathing life into old ones. At Compliance and Privacy Partners, our experience is that the formula for setting the cornerstones of IG include four basic building blocks.
The 4 Basic Building Blocks of IG
Any company serious about Information Governance requires:
Strategy for defensibly preserving and / or producing that data
Tools to identify / protect those records
Policies that tie that knowledge, strategy and toolset all together
Align Policy with Technology
Information Governance as a discipline has already proven to many corporations around the globe the importance of aligning their policy pillars and best practices with state of the art technology. It is almost a necessity in the high-paced, data driven world we live in. As AI, Machine Learning and Big Data continue to evolve as operational necessities and revenue streams, it becomes even more important to apply governance. But IG is also still a young discipline, exploited by some vendors and consultants as a cure-all with very little practical workmanship behind its practice and execution.
Copyright 2019 Compliance and Privacy Partners
Don’t put the cart before the horse when making a serious commitment to transforming your organization with the power of Information Governance. Spend time developing your strategy, setting the table with the right stakeholders, planning around the basic building blocks of IG and aligning your policies with your technology. Don’t just take our word for it, we’ve seen these principles in action and they work!
Rafael Moscatel, CRM, IGP, is the Managing Director of Compliance and Privacy Partners, LLC. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com
From its inception the internet has always been about search…. searching for that answer, that perfect example, that one you love? But search has also changed the way we think about information, about primary sources and really about each other in wildly different ways that aren’t always, well….helpful.
In the wrong data steward’s hands the integrity of our records and information, both in the style and context in which it is delivered, can be easily and unfairly distorted. This has worsened over time and is horrifying when you consider the extent of “deep fakes,” “fake news” and other purposeful misleading propaganda being spread. A trend towards misinformation and bias is clearly what has happened over time with Google’s search results and it’s having disastrous unintended consequences on the pursuit and preservation of knowledge, wisdom and the humanities around the entire world.
With exciting new A.I. tools like Alexa and Siri becoming commonplace, search has entered a second renaissance and results have even more power to shape hearts and minds. Yet nobody, no one monopoly, should be in the business of brokering access to facts or opinions.
We need new tools that deliver intelligent results that protect the privacy of its users and promote resources which enrich our lives, communities and world around us without exploiting our vulnerabilities.
With proper regulation of monopolies like Google there’s going to be a better way to find what you “need” without being subtly persuaded how to believe and incessantly pestered about what you should “want” along the way. In other words, a return to search that offers a wealth of information minus manipulation.
True search results should provide access to knowledge you can rely on for personal, professional and academic growth. A search engine should steer you away from groupthink and encourage critical thinking, not bully you into becoming a “follower.” We need independent thinkers to reclaim their independence as information consumers, as teachers and students, as citizens, as moms, dads, brothers, sisters and yes, even as politicians. After all, the internet has the power to be the great equalizer in spreading knowledge. But that knowledge can only bring light to our present darkness if it can shine through the praetorian ideologues that have begun to guard its boundless prism.
Google was perfect for its time and helped both connect and open the world to itself. Yet now, as our collective tastes become more refined, we realize our search time is equally as valuable as increasingly for-profit algorithms. Rather than wasting another moment sifting through information curated through a corporate or political filter, knowledge seekers should demand to be able to create their own!
We deserve new tools that deliver intelligent results that protect the privacy of its users and promote resources which enrich our lives, communities and world around us without exploiting our vulnerabilities.
For almost 65 years, ARMA International has provided an exceptional level of educational value, professional resources and guidance to members of the information management field and business community. Those efforts have aided organizations in recognizing the importance of RIM/IG practitioners’ unique skillsets and helped incorporate them into their IT and governance programs. Indeed, both public and private entities benefit enormously from the mission of this organization, which much like its subject matter, has swiftly transformed to meet evolving civic and corporate demands. This rich history and dedication to its members, the business community and the public is exactly what I’d like to see continue in the coming decade. But my hope would also be for all of our membership, from fellows on down, to more enthusiastically apply the insight, lessons and strategies they’ve acquired over their careers to help ARMA in both achieving its long-term strategic plans and in exceeding its annual goals.
ARMA can lead the way by developing and fostering cutting edge information strategies that sit on the peaks of this new horizon and by driving the conversations that illuminate the valleys in between.
For the last twenty years I’ve held prominent leadership roles at both Fortune 500 companies and revered legal firms including Farmers Insurance, Paramount Pictures, Relativity Media and Kilpatrick Townsend. My work history has taken me from the trenches of service bureaus to the hot seat of penthouse boardrooms. Along the path I’ve attained a set of credentials beginning with a CRM from the Institute of Certified Records Managers in 2013, followed by an IGP from ARMA International in 2014. In June of 2016 ARMA International selected me for its Member Profile and in 2017 my team’s efforts at Farmers Insurance earned us ARMA’s coveted Excellence for an Organization Award. Because of all this I am eternally grateful for the opportunities which ARMA has provided along my career path. I’ve also been affiliated with the local ARMA-GLA chapter for the better part of the last decade and had the chance to see how powerful and influential a local chapter can be in bringing education and awareness to members of the organization as a whole. Those chapters need our resilient support and their leaders deserve most of the credit for keeping ARMA together all these years. They are the pillars of this intellectual edifice.
The next few years will see organizations in all industries balancing a world ripe with business opportunities with an evolving universe of risk and regulations. Technology, processes, people and the associations they subscribe to are being forced to adapt to this dynamic new digital landscape in both their personal and professional lives. ARMA can lead the way by developing and fostering cutting edge information strategies that sit on the peaks of this new horizon and by driving the conversations that illuminate the valleys in between.
As we dive into the second decade of the 21st century, I want ARMA to emerge as a defining voice in the global digital disruption and transformation discussion. By the same token, the professional development and success of ARMA’s members is central to that voice being heard loud and clear. The imminent need for effective information governance throughout the software and document lifecycle will likely broaden ARMA’s appeal to groups, professionals and verticals once unfamiliar with its offerings. In continuing to partner with and perhaps exploring mergers or acquisitions of like-minded organizations and businesses, ARMA can enhance its niche, enrich the knowledge offering and bolster its network.
We’re excited to share that pre-registration for the ARMA Conference 2019 opened January 1st as our final countdown announcement! This is the lowest price available and will only be offered until full registration opens. #getitnow#savenowhttps://t.co/3y9RSg9vKSpic.twitter.com/hmwutZHJ55
With the right choices, ARMA is poised to stand as a premier educational and professional service offering for this brave new world, in part by having established itself as the knowledge and resource mecca for Information Governance standards, but equally as a promoter and champion of its members, helping them connect to tangible digital transformation solutions. This means enabling and encouraging our colleagues to rise to the challenges that will shape and define the newest careers in the Information Age.
ARMA should also find new ways to play an instrumental role in highlighting and refining best practices and approaches around not just Enterprise Content Management but Big Data, Blockchain, AI, Privacy, the Internet of Things and Quantum Computing. It must pursue unique engagements with new corporate sponsors who are at the forefront of much of the change and innovation we’re witnessing. I would hope ARMA would want to have a valued and notable sponsorship level presence at the major technology conferences in the coming years including BoxWorks and BlackHat which are hungry for our narrative and talent. ARMA must strive to remain platform agnostic but must also accept the realities of dominant technologies and embrace their significance.
The association should work closely with the legal, regulatory and ethical bodies and communities that study the impact of digital transformations on businesses as well as the individual in society. This need is evidenced by the increase in privacy regulations and laws recently passed in the EU and in the United States. Building on these relationships will lend credibility to our certifications and designations. That credibility should in turn be used by ARMA leaders and members to participate in media commentary on newsworthy information management events and issues. ARMA should strive to have those perspectives sourced by popular media and journalists alike, thus bringing further recognition to the organization and marketing its relevance. ARMA should act to elevate its experienced speakers as well as new disruptive voices. Our expertise is newsworthy and needs to be heard!
The next few years really are a once-in-a-lifetime opportunity to seize on this demand for Information Governance solutions and tap the potential of the professional community that supports it. My hope is that community will be the people that love and celebrate ARMA.
Rafael Moscatel, CRM, IGP, is the Managing Director of Compliance and Privacy Partners, LLC. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com
I can’t comment on the substance of the exam as I’m prohibited to by the agreement I signed. What I can say is that like most designations the value I find is not necessarily in the certification as much as the legwork and study necessary to achieve it. The reward is in the knowledge you acquire along the way, not just the medal you get at the finish line. If you check out the publicly available study materials and Body of Knowledge (BOK) available on the IAPP site you’ll see that it looks very much like the protocol of other information management organizations.
