Privacy regulations continue to multiply.
In previous articles, we’ve written quite a bit about frameworks such as the:
- European Union (EU) General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA) and Privacy Rights Act (CPRA)
- Health Insurance Portability and Accountability Act (HIPAA)
And the complex web of requirements with which businesses need to comply is still expanding.
Ensuring you can meet the demands of every applicable law is no doubt critical to minimizing compliance risk. But there are also more general principles you can apply to reduce your exposure, irrespective of the specific rule in question. So in this post we are going to look at practices across your business that can help to comply with all of them at once.
Minimizing data collection to master GDPR, CCPA, HIPAA and more
You can’t steal or corrupt data that doesn’t exist.
And simply not collecting certain types of data in the first place is an easy step organizations can take to reduce their exposure. While the GDPR and other rules require affirmative justification for data collection in the first place, there is some room for judgment in terms of what you gather. Some examples of where you might limit collection are:
- Email capture and other signup forms. Are you just collecting email addresses to which you’ll send a newsletter? If so, is there a need to collect someone’s name, phone number, and state or country of residence? Many marketing applications have fields to capture this by default, but it might not be in your best interest to do so unless you have a specific business requirement.
- Meeting recordings. Do you frequently record internal and external video meetings, and then use the recordings to identify people for follow-ups and action items using artificial intelligence (AI) tools? This likely constitutes processing biometric data according to the GDPR. Biometric information requires enhanced protection measures under the regulation, so make sure the productivity boosts you get from these AI apps are worth the additional risk. If the recordings are just sitting there unwatched, consider not creating them in the first place.
- Medical intake forms and records. Oftentimes patients must complete elaborate and detailed medical history forms when seeing a certain doctor or practice, despite the fact that much of this information is already captured by the organization in question. Especially due to the sensitivity of protected health information (PHI), it makes sense to rigorously review the types of PHI you are collecting. If the data isn’t vital to delivering care – or is never going to be reviewed to begin with – then don’t capture it in the first place.
Enforcing data retention, destruction, and cryptoshredding to maintain privacy
Once you have decided you need to collect certain information, the next step is to determine for how long you need to keep it. While the collapsing costs of cloud storage have made it economical for many businesses to indefinitely retain every piece of information they have ever captured, this might not be the best move from a privacy or security perspective. Some steps you can take include:
- Specifying data retention policies. Understanding how long you need to keep records for both business and regulatory purposes should drive your decision-making here. Consult with legal counsel and business leaders to determine your requirements. These can help you to draft a policy based on type of record and source of information.
- Automating data destruction. Automatically enforcing your retention timelines is a best practice. Instead of relying on manual efforts to destroy information – especially of the personal kind – the easiest and most secure option is to set auto-deletion timers using enterprise software tools. Google Workspace, for example, allows setting customized retention timelines.
- Using cryptoshredding when storing with third parties. Whenever you provide data to another organization, you can never be sure how it is handled or whether all copies will be deleted per your requirements. An effective way to mitigate this risk is called cryptoshredding. If you, rather than the provider, hold the encryption keys for the data stored with that provider, simply deleting those keys at the end of the retention period can greatly reduce the likelihood of anyone accessing this data in the future, no matter how many copies of the ciphertext still exist (although see the note below about quantum decryption).
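The three steps above (a retention period per record type, automatic destruction when it lapses, and cryptoshredding for data held by a third party) as one added Go example; this is not code from the original post or from Scrut Automation. The record types, retention periods, and in-memory `vault` are assumptions: in practice the keys would live in your own KMS or HSM and only the ciphertext would sit with the provider.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// Retention per record type (constructed values; take yours from policy and counsel). A type with no entry gets zero retention, so it is shredded at the next run.
var retention = map[string]time.Duration{
	"newsletter_signup": 365 * 24 * time.Hour,
	"meeting_recording": 90 * 24 * time.Hour,
}
// Record is what the third party holds: ciphertext and nonce, never the key.
type Record struct {
	ID        string
	Expires   time.Time
	Nonce, Ct []byte
}
var vault = map[string]cipher.AEAD{} // stands in for our own key store: record ID -> AES-256-GCM keyed cipher
// Store encrypts plaintext under a fresh per-record key before it leaves us.
func Store(id, typ string, created time.Time, plaintext []byte) (*Record, error) {
	buf := make([]byte, 32+12) // fresh AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(buf[:32]) // key length is fixed, so neither call can fail
	g, _ := cipher.NewGCM(block)
	vault[id] = g
	ct := g.Seal(nil, buf[32:], plaintext, []byte(id)) // record ID bound as associated data
	return &Record{ID: id, Expires: created.Add(retention[typ]), Nonce: buf[32:], Ct: ct}, nil
}
// Open fails once the key is gone, however many copies of the ciphertext survive.
func Open(r *Record) ([]byte, error) {
	if g, ok := vault[r.ID]; ok {
		return g.Open(nil, r.Nonce, r.Ct, []byte(r.ID))
	}
	return nil, errors.New("key shredded: record unrecoverable")
}
// EnforceRetention shreds the key of every expired record and returns their IDs for the audit log.
func EnforceRetention(recs []*Record, now time.Time) (shredded []string) {
	for _, r := range recs {
		if now.After(r.Expires) {
			delete(vault, r.ID)
			shredded = append(shredded, r.ID)
		}
	}
	return shredded
}
```

Run EnforceRetention on a schedule; the returned IDs are your evidence that destruction happened on time.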
Data encryption, masking, and access control as a final line of defense
While you are still storing and using personal data, there is a final set of controls you can apply to ensure its security and the privacy of your customers, employees, and other stakeholders. These include:
- Encryption. Using a widely accepted encryption standard like AES-256 to protect data-at-rest is essentially table stakes in this day and age. While most hyperscale cloud providers and enterprise applications will already do this on your behalf, having redundant methods of protection is never a bad idea. Additionally, be aware that some threat actors are reportedly stealing encrypted data so that they might one day decrypt it using quantum computing (often called “harvest now, decrypt later”). So even modern encryption algorithms are by no means a surefire way to protect information.
- Role-based access control (RBAC) and masking. Even authorized users in your organization likely have differing levels of “need-to-know” about sensitive personal data. The human resources department might need access to employees’ full social security numbers (SSNs) and salary data to administer benefits and withhold taxes. A direct manager, however, might need to see only salary information while the SSN should be fully or partially obscured. An architecture that grants different levels of access, and applies different levels of masking, based on role is thus a critical privacy step.
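The HR-versus-manager case above as an added Go example of field-level RBAC with masking; it is not code from the original post or from Scrut Automation. The roles, the per-field policy table, and the sample employee are constructed assumptions; the policy you deploy should come from the same need-to-know analysis as your access reviews.

```go
package main

import (
	"errors"
	"strconv"
	"strings"
)

// Employee is the record as held by the HR system (constructed sample shape).
type Employee struct {
	Name, SSN string
	Salary    int
}
// level is how much of a field a role may see.
type level int

const (
	hidden  level = iota // field is not returned at all (the default for anything unlisted)
	partial              // SSN reduced to its last four digits
	full                 // value exactly as stored
)
// policy maps role -> field -> level. Anything not listed is hidden, so a new field is private until someone decides otherwise.
var policy = map[string]map[string]level{
	"hr":      {"name": full, "ssn": full, "salary": full},
	"manager": {"name": full, "ssn": partial, "salary": full},
	"staff":   {"name": full},
}
// View returns only the fields a role may see, masking the SSN where the policy says so. Unknown roles get an error, not a default view.
func View(role string, e Employee) (map[string]string, error) {
	fields, ok := policy[role]
	if !ok {
		return nil, errors.New("unknown role: deny by default")
	}
	out := map[string]string{}
	if fields["name"] >= partial {
		out["name"] = e.Name
	}
	switch fields["ssn"] {
	case full:
		out["ssn"] = e.SSN
	case partial:
		d := strings.ReplaceAll(e.SSN, "-", "")
		if len(d) >= 4 { // malformed SSNs stay hidden rather than leaking
			out["ssn"] = "***-**-" + d[len(d)-4:]
		}
	}
	if fields["salary"] == full {
		out["salary"] = strconv.Itoa(e.Salary)
	}
	return out, nil
}
```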
Conclusion
While data is often your greatest asset, it can also be your greatest liability. Establishing effective policies and procedures to limit collection, destroy data when no longer needed, and protect it when in use are key privacy and security measures. You’ll also want to audit all of the above regularly for compliance with your policies as well as to identify areas of potential optimization.
With these best practices in place, you’ll be much better equipped to tackle a range of privacy standards like GDPR, CCPA, and HIPAA. If you want to learn how Scrut Automation can help, please reach out today!