<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>information Archives - Zasio</title>
	<atom:link href="https://zasio.com/tag/information/feed/" rel="self" type="application/rss+xml" />
	<link>https://zasio.com/tag/information/</link>
	<description>Digital Records Management Software</description>
	<lastBuildDate>Mon, 16 Mar 2026 22:12:39 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://zasio.com/wp-content/uploads/2023/05/cropped-zasiopurplefavicon-32x32.png</url>
	<title>information Archives - Zasio</title>
	<link>https://zasio.com/tag/information/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>What a Trial Lawyer Knows About Defensible Records Management</title>
		<link>https://zasio.com/defensible-records-management/</link>
					<comments>https://zasio.com/defensible-records-management/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Mon, 09 Mar 2026 16:17:47 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Michaela Adams]]></category>
		<category><![CDATA[information]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[records]]></category>
		<category><![CDATA[records management]]></category>
		<category><![CDATA[risk]]></category>
		<guid isPermaLink="false">https://zasio.com/?p=8038</guid>

					<description><![CDATA[<p>The email took two minutes to write. It was discussed in court for two hours. In litigation, records are not background material. They are evidence. And evidence carries consequences. When a lawsuit begins, one of the first formal steps is discovery. Discovery requires organizations to produce relevant emails, messages, drafts, reports, and metadata. Opposing counsel does not begin by reading your retention policy. They begin by examining what exists, what is missing, and whether the organization followed its own rules. As a former trial attorney, I learned quickly that documentation practices often determine outcomes more than dramatic testimony does. An offhand message, a missing file, or irregular deletion can shape credibility long before opening statements begin. That experience clarified something essential. The purpose of a records and information management solution is not administrative efficiency. It is defensibility. The issue is rarely whether an organization had a policy. The issue is whether it followed that policy when it mattered. Key Takeaways: Shift to Records Management Defensibility: In litigation, your records are evidence, not just administrative files. A judge evaluates your systems based on whether you followed a consistent, repeatable process. The Liability of &#8220;Keep Everything&#8221;: Over-retention expands your discovery footprint, increases [&#8230;]</p>
<p>The post <a href="https://zasio.com/defensible-records-management/" data-wpel-link="internal">What a Trial Lawyer Knows About Defensible Records Management</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The email took two minutes to write. It was discussed in court for two hours.</p>
<p>In litigation, records are not background material. They are evidence. And evidence carries consequences.</p>
<p>When a lawsuit begins, one of the first formal steps is discovery. Discovery requires organizations to produce relevant emails, messages, drafts, reports, and metadata. Opposing counsel does not begin by reading your retention policy. They begin by examining what exists, what is missing, and whether the organization followed its own rules.</p>
<p>As a former trial attorney, I learned quickly that documentation practices often determine outcomes more than dramatic testimony does. An offhand message, a missing file, or irregular deletion can shape credibility long before opening statements begin.</p>
<p>That experience clarified something essential. The purpose of a records and <a href="https://zasio.com/" data-wpel-link="internal">information management solution</a> is not administrative efficiency. It is defensibility. The issue is rarely whether an organization had a policy. The issue is whether it followed that policy when it mattered.</p>
<p><strong>Key Takeaways:</strong></p>
<ul>
<li>Shift to Records Management Defensibility: In litigation, your records are evidence, not just administrative files. A judge evaluates your systems based on whether you followed a consistent, repeatable process.</li>
<li>The Liability of &#8220;Keep Everything&#8221;: Over-retention expands your discovery footprint, increases legal costs, and creates unnecessary risks during a data breach.</li>
<li>Consistency is Your Best Defense: Courts don&#8217;t penalize organizations for following a reasonable, pre-established retention schedule. They do scrutinize selective or irregular cleanup performed under the shadow of litigation.</li>
</ul>
<h2>How Discovery Tests Your Records Management System</h2>
<p>Discovery does more than gather documents. It tests systems. Regulators and opposing counsel approach it with three key questions:</p>
<ol>
<li>Did the organization preserve relevant information once it reasonably anticipated litigation?</li>
<li>Did it follow routine practices before that point?</li>
<li>Do any gaps suggest unmanaged systems or selective deletion?</li>
</ol>
<p>In practice, those questions appear in everyday situations:</p>
<ul>
<li>A leadership team discusses a major decision in a messaging app, but no one preserves those conversations when a dispute arises.</li>
<li>An employee deletes text messages, unaware that the issue has already escalated.</li>
<li>Multiple versions of a contract circulate by email, but no one can identify the final draft.</li>
<li>A company thinks it has a written policy, yet no one can locate a record of its approval.</li>
</ul>
<p>None of these situations seem extraordinary until someone asks about them under oath.</p>
<h4>How does a judge view missing business records?</h4>
<p>Judges do not expect perfection. They expect reasonableness and good faith. Organizations demonstrate that standard through repeatable processes, not polished policy language. When execution lacks consistency, even innocent gaps raise questions. Those questions increase cost, scrutiny, and risk.</p>
<h3>Why &#8220;Keep Everything&#8221; is a Liability</h3>
<p>Many organizations assume that keeping all information indefinitely reduces exposure. Leaders believe it is safer to keep everything than to risk deleting something that might later be requested.</p>
<p>In practice, unlimited retention expands risk.</p>
<h4>What is the risk of keeping records too long?</h4>
<p>When organizations keep more data, they broaden discovery. Broader discovery increases review time, legal costs, and the chance that someone isolates statements from their original context. Redundant drafts and informal communications multiply the material teams must review and explain.</p>
<p>Over-retention also creates operational drag. When everything is saved, nothing is prioritized:</p>
<ul>
<li>Employees spend more time searching for the right version of a document.</li>
<li>Critical information gets buried in outdated files.</li>
<li>Systems slow.</li>
</ul>
<p>Storage may be inexpensive. The consequences of excess are not.</p>
<p>The risks extend beyond litigation. The more information an organization keeps, the more it must secure. Sensitive contracts, employee records, personal data, and confidential communications can remain accessible long after they serve a purpose. If a breach occurs, exposure expands with the volume stored.</p>
<p>Defensible deletion strengthens position. Disciplined governance does not destroy evidence—it enforces policy. Courts do not penalize organizations for following a reasonable retention schedule. They do scrutinize selective or irregular cleanup.</p>
<p>The distinction matters. Every retained document can become a witness.</p>
<h3>Common Pitfalls in Corporate Information Governance</h3>
<p>Risk rarely comes from dramatic misconduct. It grows from small, ordinary gaps that no one thought would matter.</p>
<p>Many organizations manage records responsibly. At the same time, new technologies and decentralized communication add complexity.</p>
<p>Teams make business decisions in messaging and collaboration tools, but those conversations are not always preserved in a searchable way. Managers send texts or use personal devices for convenience. Employees forward work to personal email accounts. Business records are created outside official systems.</p>
<p>Disposition presents another challenge. Organizations often keep records that should be deleted because someone believes they might prove useful someday. Old drafts and unnecessary files build up. Over time, temporary exceptions become permanent practice.</p>
<p>AI adds another layer of complexity. AI tools generate drafts and analyses quickly, and the records questions are not yet settled. Consider a scenario where a team uses an AI tool to draft a legal summary, then revises it through several iterations—if a dispute arises, the organization may struggle to explain which version governed a decision, who reviewed it, and where the prompts and outputs are stored. Governance continues to evolve, but disputes already involve AI-assisted content.</p>
<p>These patterns often go unnoticed until litigation begins. At that point, organizations must explain why certain information was kept indefinitely while other records cannot be located. They must show when preservation began and demonstrate that deletion followed established timelines rather than reacting to scrutiny.</p>
<p>Uncertainty weakens position. Consistency strengthens it.</p>
<h3>Litigation-Ready Governance in Practice</h3>
<p>Preparing for litigation does not mean assuming it will happen. It means building systems that hold up if it does.</p>
<p>Organizations strengthen defensibility when they tie retention periods to clear drivers such as legal requirements, contractual obligations, or operational need. If asked why a category is kept for a specific period, leaders should have a clear answer. Not a guess.</p>
<p>They must also define preservation triggers clearly. When a dispute arises, employees need to understand what changes and what they must preserve. Consistent disposition remains essential. A defensible program includes regular deletion that follows established timelines. Irregular cleanup creates far more exposure than disciplined retention.</p>
<p>Organizations must govern high-impact communication channels intentionally. If leaders make critical decisions in chat or collaboration tools, the organization must apply the same rigor it applies to email and shared drives. Executives should understand how isolated messages may be interpreted years later, outside their original context.</p>
<p>These measures are not abstract ideals. They are safeguards that influence litigation outcomes.</p>
<h3>Credibility Is the Real Asset</h3>
<p>In litigation, credibility carries weight.</p>
<p>An organization that can demonstrate a clear retention rationale, consistent execution, and a functioning preservation process begins from a position of strength. An organization that cannot explain its practices begins at a disadvantage. Records governance is not administrative overhead. It is litigation posture.</p>
<h3>Where Experience Matters</h3>
<p>Designing a litigation-ready records program requires understanding how others examine policies under pressure. It requires anticipating the questions they will ask and the inconsistencies they may challenge.</p>
<p>At Zasio, we help organizations evaluate retention frameworks, assess preparedness, and align policy with operational reality. We focus not only on compliance but on defensibility.</p>
<p>Once litigation begins, records no longer function solely as internal tools. They become evidence that speaks for the organization. The only question is whether your organization’s <a href="https://zasio.com/technology-solutions/" data-wpel-link="internal">records management software</a> can withstand scrutiny when ordinary emails are elevated to courtroom exhibits.</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on information governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
<p>The post <a href="https://zasio.com/defensible-records-management/" data-wpel-link="internal">What a Trial Lawyer Knows About Defensible Records Management</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/defensible-records-management/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Navigating Retention of Data Privacy Compliance Records</title>
		<link>https://zasio.com/navigating-retention-of-data-privacy-compliance-records-zasio/</link>
					<comments>https://zasio.com/navigating-retention-of-data-privacy-compliance-records-zasio/#respond</comments>
		
		<dc:creator><![CDATA[Will Fletcher]]></dc:creator>
		<pubDate>Fri, 22 Sep 2023 16:04:42 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[information]]></category>
		<category><![CDATA[information governance]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[privacy laws]]></category>
		<category><![CDATA[retention]]></category>
		<category><![CDATA[RIM]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Will Fletcher]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=1832</guid>

					<description><![CDATA[<p>By Will Fletcher — Zasio Legal Counsel Data privacy law compliance is in large measure about showing your work. Five years into the swell of new comprehensive data privacy laws, privacy teams are getting used to ensuring their organization’s personal data activities are well documented. This means creating records—often lots of them. And for records managers, this means sorting out retention practices for all these new records. This article identifies some key privacy law compliance records that records managers will likely encounter, and discusses how to apply classic retention principles to determine appropriate retention periods. Types of Privacy Law Compliance Records Article 30 of the GDPR requires organizations to maintain detailed records of their processing activities. This necessitates creating written documentation of processing activities and making them available to data protection authorities. Under CCPA, as well as a growing number of U.S. state privacy laws, organizations must analyze the risks associated with their processing activities through privacy impact assessments. Other records frequently generated through privacy law compliance include data transfer impact assessments before transferring personal data across borders, responses to data subject rights requests, breach assessments and notifications, personal data audits, and privacy-by-design assessments, to name a few. Privacy law [&#8230;]</p>
<p>The post <a href="https://zasio.com/navigating-retention-of-data-privacy-compliance-records-zasio/" data-wpel-link="internal">Navigating Retention of Data Privacy Compliance Records</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><em>By Will Fletcher — Zasio Legal Counsel</em></p>
<p>Data privacy law compliance is in large measure about showing your work. Five years into the swell of new comprehensive data privacy laws, privacy teams are getting used to ensuring their organization’s personal data activities are well documented. This means creating records—often lots of them. And for records managers, this means sorting out retention practices for all these new records.</p>
<p>This article identifies some key privacy law compliance records that records managers will likely encounter, and discusses how to apply classic retention principles to determine appropriate retention periods.</p>
<p><strong>Types of Privacy Law Compliance Records</strong></p>
<p>Article 30 of the GDPR requires organizations to maintain detailed records of their processing activities. This necessitates creating written documentation of processing activities and making them available to data protection authorities. Under CCPA, as well as a growing number of U.S. state privacy laws, organizations must analyze the risks associated with their processing activities through privacy impact assessments. Other records frequently generated through privacy law compliance include data transfer impact assessments before transferring personal data across borders, responses to data subject rights requests, breach assessments and notifications, personal data audits, and privacy-by-design assessments, to name a few.</p>
<p>Privacy law compliance records tell your organization’s story with respect to its personal data processing activities, such as its commitment to the letter of the law, thinking through privacy risks, respecting data subject rights, and curing defects.</p>
<p><strong>Applying Basic Records Retention Principles to Privacy Compliance Records</strong></p>
<p>By now we’re well acquainted with the storage limitation principle in data privacy—keep no longer than necessary. This has sent records managers scrambling to reduce retention periods for personal data. However, applying such aggressive deletion practices to data privacy compliance records can land your organization in regulatory trouble. For these, the tried-and-true general rules of identifying applicable legal requirements, and balancing risk with business need, are still largely your best practice.</p>
<p><strong>Express Legal Retention Requirements</strong></p>
<p>While less common than for other record types, there are still a number of express legal retention requirements that apply to data privacy compliance records. Breach investigation and notice records is a good example of where some of these can be found. Under Canada’s Breach of Security Safeguards Regulation, organizations must keep breach records for at least two years after the breach.<a href="https://www.zasio.com/navigating-retention-of-data-privacy-compliance-records-zasio/#_ftn1" name="_ftnref1" data-wpel-link="internal">[1]</a> In Iowa, state law mandates a five-year retention period for records documenting an organization’s determination that consumer notice of a breach is not legally mandated.<a href="https://www.zasio.com/navigating-retention-of-data-privacy-compliance-records-zasio/#_ftn2" name="_ftnref2" data-wpel-link="internal">[2]</a></p>
<p>Another area for express legal retention requirements is under laws governing requests by data subjects to exercise data privacy rights. Under CCPA regulations, for example, an organization must maintain records of consumer requests for at least 24 months.<a href="https://www.zasio.com/navigating-retention-of-data-privacy-compliance-records-zasio/#_ftn3" name="_ftnref3" data-wpel-link="internal">[3]</a> Colorado’s Privacy Act regulations obligate controllers to retain records documenting responses to their consumer data rights requests for the same period.<a href="https://www.zasio.com/navigating-retention-of-data-privacy-compliance-records-zasio/#_ftn4" name="_ftnref4" data-wpel-link="internal">[4]</a></p>
<p>While the GDPR does not specify retention periods for records of processing activities under Article 30, the subject is not without legal guidance. In 2017, the Belgian Data Processing Authority recommended keeping Article 30 records of processing activities for five years after termination of the processing activity.</p>
<p>But don’t let your search for legal retention requirements stop at data privacy-specific laws and recommendations. Retention periods in broader regulatory requirements can encompass records in your privacy compliance program, and where those are longer, they should be followed.</p>
<p><strong>Where No Legal Retention Requirement Applies</strong></p>
<p>When a record isn’t subject to an express retention requirement, records managers must balance business needs and legal risks to determine an appropriate retention period. To do this, records managers must ask how long their organization may need to justify its practices. This can mean turning to applicable statutes of limitation for guidance.</p>
<p>While statutes of limitations are not legal retention requirements, they’re a good measure of the time you may be called on by data privacy regulators or consumers to show compliance. Under the CPPA, administrative actions must generally be commenced within five years. The Illinois Supreme Court also in February clarified the general statute of limitations for civil claims under the state’s Biometric Information and Privacy Act (BIPA) is five years. But oftentimes, business need necessitates retention for longer than any regulatory or legal need, so whether to use an applicable statute of limitations as your retention benchmark must be evaluated on a case-by-case basis.</p>
<p><strong>Conclusion</strong></p>
<p>When setting retention periods, it’s crucial to understand the types of records your organization generates and which laws apply to these records. But knowing an organization’s specific regulatory and jurisdictional retention requirements, as well as balancing business needs and risk to determine retention periods, is something records and information management professionals have plenty of experience doing. For data privacy records compliance, it’s a matter of applying some trusted and familiar tools to a new set of records.</p>
<p>As privacy regulation expands, expect a lack of comprehensive privacy compliance recordkeeping to be a big part of regulatory actions. As a RIM professional, you can play a crucial role in ensuring your organization isn’t among those involved in these actions.</p>
<p><a href="https://www.zasio.com/navigating-retention-of-data-privacy-compliance-records-zasio/#_ftnref1" name="_ftn1" data-wpel-link="internal">[1]</a> Breach of Security Safeguards Regulations (SOR/2018-64) (amended Nov. 1, 2018): <a href="https://laws-lois.justice.gc.ca/eng/regulations/SOR-2018-64/page-1.html#h-858504" data-wpel-link="external" rel="external noopener noreferrer">https://laws-lois.justice.gc.ca/eng/regulations/SOR-2018-64/page-1.html#h-858504</a></p>
<p><a href="https://www.zasio.com/navigating-retention-of-data-privacy-compliance-records-zasio/#_ftnref2" name="_ftn2" data-wpel-link="internal">[2]</a> Iowa Code 2023, Section 715C.2(6): (<a href="https://www.legis.iowa.gov/docs/code/715C.2.pdf" data-wpel-link="external" rel="external noopener noreferrer">https://www.legis.iowa.gov/docs/code/715C.2.pdf</a>)</p>
<p><a href="https://www.zasio.com/navigating-retention-of-data-privacy-compliance-records-zasio/#_ftnref3" name="_ftn3" data-wpel-link="internal">[3]</a> Cal. Code Regs. tit. 11 § 7101(a).</p>
<p><a href="https://www.zasio.com/navigating-retention-of-data-privacy-compliance-records-zasio/#_ftnref4" name="_ftn4" data-wpel-link="internal">[4]</a> 4 CCR 904-3-6.11.</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
<p>The post <a href="https://zasio.com/navigating-retention-of-data-privacy-compliance-records-zasio/" data-wpel-link="internal">Navigating Retention of Data Privacy Compliance Records</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/navigating-retention-of-data-privacy-compliance-records-zasio/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Managing Means Securing: Information Security for RIM Professionals</title>
		<link>https://zasio.com/managing-information-security-rim-professionals/</link>
					<comments>https://zasio.com/managing-information-security-rim-professionals/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Tue, 11 Apr 2023 16:28:31 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Will Fletcher]]></category>
		<category><![CDATA[information]]></category>
		<category><![CDATA[information governance]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[privacy laws]]></category>
		<category><![CDATA[RIM]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Will Fletcher]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=117</guid>

					<description><![CDATA[<p>It’s Monday morning and you’ve logged in to start working on your inbox. One email jumps out first: over the weekend a sales team member had their company laptop and a thumb drive stolen at a coffee shop. Or, they accidentally left it there—they’re not quite sure how it got away. Regardless, a Good Samaritan has just dropped off both at reception. But they left without leaving a name or saying much of anything. In another email, you learn an engineer realized they accidentally sent two large customer files early last week…to the wrong customer. Follow-ups to the recipient and their team have gone unanswered. A third email mentions someone from recruiting managed to check out several hard copy HR files the day before being terminated for cause. The files were not returned. Emails to the former employee’s personal address are bouncing, and they are believed to have started some travel abroad. It’s looking to be a fun week, and some questions start to race into your mind: Are any of these incidents a data breach? Was customer confidential information exposed? What about sensitive personal information or company trade secrets? Does your organization have any notification obligations, and to whom? [&#8230;]</p>
<p>The post <a href="https://zasio.com/managing-information-security-rim-professionals/" data-wpel-link="internal">Managing Means Securing: Information Security for RIM Professionals</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>It’s Monday morning and you’ve logged in to start working on your inbox. One email jumps out first: over the weekend a sales team member had their company laptop and a thumb drive stolen at a coffee shop. Or, they accidentally left it there—they’re not quite sure how it got away. Regardless, a Good Samaritan has just dropped off both at reception. But they left without leaving a name or saying much of anything.</p>
<p>In another email, you learn an engineer realized they accidentally sent two large customer files early last week…to the wrong customer. Follow-ups to the recipient and their team have gone unanswered. A third email mentions someone from recruiting managed to check out several hard copy HR files the day before being terminated for cause. The files were not returned. Emails to the former employee’s personal address are bouncing, and they are believed to have started some travel abroad.</p>
<p>It’s looking to be a fun week, and some questions start to race into your mind:</p>
<ul>
<li>Are any of these incidents a data breach?</li>
<li>Was customer confidential information exposed? What about sensitive personal information or company trade secrets?</li>
<li>Does your organization have any notification obligations, and to whom?</li>
<li>What policies were in place relevant to these incidents and how were they violated?</li>
<li>What mitigation measures must the organization immediately take?</li>
<li>What should the organization do now to help prevent these types of things from happening again?</li>
</ul>
<p>Managing records and information means keeping them secure. And these are a few of the questions that you—a records and information management professional and member of your organization’s information governance team—would need to help confront should any of these hypotheticals occur.</p>
<p>For RIM professionals, information security is an undeniable part of the job. But for the non-security professional, learning information security can be intimidating. Fortunately, knowing a handful of basic principles will help you get a good start.</p>
<p><strong>What is Information Security?</strong></p>
<p>It helps to understand exactly what information security means. At its core, information security is about protecting your organization’s records and information from loss. Technologically complex, external threats like malware attacks tend to occupy headlines; however, RIM professionals should not discount the risks posed by internal actors, including by mere carelessness. By many estimates, insider threats—including carelessness—are the primary cause of data breaches. Even temporary and seemingly inconsequential unauthorized access or use of information can easily constitute a data breach under most definitions, which may trigger legal and contractual notice obligations. The errant hypothetical email in this article is one way information security can be compromised by accident.</p>
<p><strong>Where does information security start?</strong></p>
<p>It is helpful to think of information security as bundles of threes. The first bundle consists of the three types of security safeguards—physical, technical, and administrative—which are also commonly called controls.</p>
<ol>
<li><em><strong>Physical, technical, and administrative safeguards (PTA).</strong></em></li>
</ol>
<p>Physical safeguards are things such as closed-circuit surveillance, alarms, and locks, as well as physical walls and fences. While the digital age puts IT security at the front of most people’s minds, it’s important not to overlook your physical security controls—particularly when it comes to physical records, as strong physical safeguards are among the best protections against loss.</p>
<p>Then there are technical safeguards, such as encryption, firewalls, security information and event management (SIEM) tools, and anti-virus software. Technical safeguards tend to be the domain of your IT security experts; however, it’s necessary for RIM professionals to have a healthy understanding of technical safeguards, how they work, and how they interact with the records and information you manage. Information governance is the mother of all collaborative efforts, so knowing your technical safeguards will only improve your ability to partner with the IT security members on your information governance team.</p>
<p>Lastly, administrative safeguards are things such as your company’s security policies and procedures, as well as employee training and education. Policies are often considered the bedrock of an information security program, and an area where you, as a RIM professional, can have significant influence when it comes to how these policies will intersect with the records and information you manage.</p>
<ol start="2">
<li><strong><em>Confidentiality, integrity, and availability (CIA).</em></strong></li>
</ol>
<p>The purpose of information security is to preserve information confidentiality, integrity, and availability. Preserving confidentiality means protecting information from unauthorized access or disclosure. Information integrity means safeguarding its authenticity, accuracy, and completeness. And information availability means knowing it will remain accessible when needed to those who have been authorized to use it. Information CIA should be your goal when developing any records and information security measure, so think through thoroughly how each measure will maintain information CIA.</p>
<ol start="3">
<li><strong><em>The three phases of information security.</em></strong></li>
</ol>
<p>Prevention, detection and response, and remediation make up the last information security bundle of threes. Preventative security means taking steps to limit the risk of a breach. While it’s impossible to eliminate all risks, you are expected to have taken every reasonable step in light of the risks and the type of information you oversee. Making sure your organization has proper CIA safeguards is key to ensuring your organization has adequate preventative measures. As a RIM professional, you’re most likely to be involved in the preventative side of security, but in this capacity, you may have many roles. Designing policies and procedures to protect records and information is one area where RIM professionals can contribute a lot. So is developing training and education to make sure record custodians know their security responsibilities.</p>
<p>Breaches will happen—that is a fact of life—so it is imperative you’re able to quickly detect security failures and mount an appropriate response. Essential to any detection and response strategy is having a well-vetted incident response plan. A good way to vet your incident response plan is to conduct tabletop exercises to work through scenarios like the ones in this article. Doing this will help expose flaws in your response plan, which allows you to improve it before it gets tested in real life. Your security team should be performing tabletop exercises at least annually. If you or a member of your RIM team does not participate in your company’s tabletop exercises, ask to be involved.</p>
<p>Finally, remediation means analyzing the cause of a breach and improving (again using CIA safeguards) security to make sure such a breach cannot happen again. Like prevention, remediation is an area where RIM professionals can play an important role, particularly when your organization is developing new policies and procedures, as well as educating employees on new security risks and prevention.</p>
<p><strong>Understanding Your Information is Key to Knowing What Security is Appropriate</strong></p>
<p>You’ve heard this before, but it’s worth repeating: to have any hope of securing records and information, you must know what information you have, where it’s located, and what it’s used for. A data inventory details what records and information an organization collects, stores, uses, and discloses—both internally and with outside parties. A proper data inventory will also cover customer, proprietary, and employee data. And depending on the kind of information your organization handles, a data inventory may be legally required. Identifying data types and classifying information helps each type get assigned the level of protection it needs and, in many cases, is legally required to have. Once assembled, make sure your data inventory gets regularly updated.</p>
<p><strong>Conclusion</strong></p>
<p>All of the hypotheticals at the beginning of this article could easily constitute a data breach. But with good information security, the likelihood they will result in harm, or even be able to happen in the first place, goes way down. As a RIM professional, your knowledge and skills can be a vital asset for developing and maintaining proper security for the records and information you manage.</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
<p>The post <a href="https://zasio.com/managing-information-security-rim-professionals/" data-wpel-link="internal">Managing Means Securing: Information Security for RIM Professionals</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/managing-information-security-rim-professionals/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>What is Privacy Anyway? A Brief Introduction for RIM Professionals</title>
		<link>https://zasio.com/privacy-rim-professionals/</link>
					<comments>https://zasio.com/privacy-rim-professionals/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Tue, 04 Oct 2022 21:28:58 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Will Fletcher]]></category>
		<category><![CDATA[digital records management]]></category>
		<category><![CDATA[indirect identifier]]></category>
		<category><![CDATA[information]]></category>
		<category><![CDATA[information governance]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[privacy laws]]></category>
		<category><![CDATA[public]]></category>
		<category><![CDATA[RIM]]></category>
		<category><![CDATA[Will Fletcher]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=393</guid>

<description><![CDATA[<p>Privacy is a crucial part of records and information management. Privacy, however, can be a puzzling topic to approach. Formal RIM texts frequently contain little on privacy. And a RIM professional’s first experience many times involves jumping headlong into some involved issues, and without much exposure to the foundations. This can be like being handed a pair of scrubs and pulled into the operating room without completing a surgical residency, let alone medical school. In the U.S., federal privacy laws are a potpourri of requirements that apply based on the market sector, type of entity, or type of data you’re involved with. Bringing in knowledgeable legal counsel is often essential to help navigate RIM-privacy issues. But it’s also helpful to step back and gain a greater understanding of privacy’s rich backdrop to bring your issues into sharper focus. More privacy fluency will lead to better conversations with your legal team and the departments whose records you oversee. Further, it will boost your ability to spot privacy issues in the first place. With the right knowledge (and with a knowledgeable team), RIM-privacy issues can be one of the more rewarding parts of managing a records program. With this in mind, below we’ll [&#8230;]</p>
<p>The post <a href="https://zasio.com/privacy-rim-professionals/" data-wpel-link="internal">What is Privacy Anyway? A Brief Introduction for RIM Professionals</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Privacy is a crucial part of <a href="https://zasio.com/" data-wpel-link="internal">records and information management</a>.</p>
<p>Privacy, however, can be a puzzling topic to approach. Formal RIM texts frequently contain little on privacy. And a RIM professional’s first experience many times involves jumping headlong into some involved issues, and without much exposure to the foundations. This can be like being handed a pair of scrubs and pulled into the operating room without completing a surgical residency, let alone medical school.</p>
<p>In the U.S., federal privacy laws are a potpourri of requirements that apply based on the market sector, type of entity, or type of data you’re involved with. Bringing in knowledgeable legal counsel is often essential to help navigate RIM-privacy issues. But it’s also helpful to step back and gain a greater understanding of privacy’s rich backdrop to bring your issues into sharper focus. More privacy fluency will lead to better conversations with your legal team and the departments whose records you oversee. Further, it will boost your ability to spot privacy issues in the first place.</p>
<p>With the right knowledge (and with a knowledgeable team), RIM-privacy issues can be one of the more rewarding parts of managing a records program. With this in mind, below we’ll explore some privacy fundamentals for RIM professionals.</p>
<p><strong><img loading="lazy" decoding="async" class="alignnone wp-image-10810" src="https://cdn.zasio.com/wp-content/uploads/2021/06/Privacy-and-Confidentiality-01-300x150.png" sizes="(max-width: 316px) 100vw, 316px" srcset="https://cdn.zasio.com/wp-content/uploads/2021/06/Privacy-and-Confidentiality-01-300x150.png 300w, https://cdn.zasio.com/wp-content/uploads/2021/06/Privacy-and-Confidentiality-01-1024x512.png 1024w, https://cdn.zasio.com/wp-content/uploads/2021/06/Privacy-and-Confidentiality-01-768x384.png 768w, https://cdn.zasio.com/wp-content/uploads/2021/06/Privacy-and-Confidentiality-01-1536x768.png 1536w, https://cdn.zasio.com/wp-content/uploads/2021/06/Privacy-and-Confidentiality-01-2048x1024.png 2048w" alt="" width="316" height="158" /></strong></p>
<p><strong>So What is Privacy, Anyway?</strong></p>
<p>Information privacy is the rules around the collection, use, and disposal of personal information. It’s the degree of control a person has over information about them, and thus, another’s obligations with that information.</p>
<p>There are a handful of types of privacy. These include spatial—often called territorial—privacy (think keeping the inside of your home free from prying eyes) or communications privacy (no eavesdropping on telephone conversations). But overwhelmingly, it is information privacy—also called data privacy—that concerns the RIM profession. Still, defining privacy only gets you part of the way there. The bigger challenge is recognizing what information must be treated as personal information.</p>
<p><strong>So what is Personal Information?</strong></p>
<p>What’s considered personal information is very broad. Generally, it’s any information that can be used to identify a specific person. There are the most apparent pieces of personal information, such as an individual’s name, telephone number, or physical or email address. Audio, photos, and video of a person also often constitute their personal information. These are examples of a single data piece that directly identifies a person (a <strong>direct identifier</strong>). Personal information, however, also includes multiple data pieces that individually don’t identify a person, but taken together, can reveal much about a person. This is referred to as an <strong>indirect identifier</strong>.</p>
<p>Many indirect identifiers will fall into another category of personal information known as <strong>sensitive personal information</strong>. Examples include religious or racial information, political beliefs, health information, genetic information, or sexual orientation. Privacy laws guard sensitive personal information much more closely. Public expectations on how sensitive personal information is collected, handled, and shared are equally strict.</p>
<p>Information’s status as personal information doesn’t have to be static. Personal information ceases to be such if it has been sanitized to no longer be able to identify an individual. There are a variety of techniques to achieve this. Information is <strong>anonymized</strong> if the process is irreversible—i.e., an individual can never again be identified using it. In contrast, <strong>deidentified data</strong> has only had the known direct and indirect identifiers removed. And <strong>pseudonymized data</strong> has had only the direct identifiers removed. For deidentified and pseudonymized data, the process isn’t permanent, so it should be treated accordingly. True anonymization is difficult to achieve, and information should never be presumed to be anonymized.</p>
<p><strong>Information Privacy Has Been Around For a Long Time</strong></p>
<p>Information privacy is a hot topic right now, which can make it seem like a relatively new concept. A privacy expert of 20 years might seem like an elder statesman in many circles.</p>
<p>In reality, information privacy has been around for a long time. Notions of information privacy show up in Aristotle’s writings in the 4th century BC.<a href="https://www.zasio.com/privacy-rim-professionals/#_ftn1" name="_ftnref1" data-wpel-link="internal">[1]</a> The Bill of Rights, completed all the way back in 1791, enshrines certain information privacy rights guaranteed by the government.</p>
<p>And it was in 1890 that a young lawyer named Louis Brandeis—still decades away from becoming one of the nation’s most influential Supreme Court justices—prophetically helped write that “Numerous mechanical devices threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops.’”<a href="https://www.zasio.com/privacy-rim-professionals/#_ftn2" name="_ftnref2" data-wpel-link="internal">[2]</a></p>
<p>To put information privacy’s age in further perspective, the Privacy Act of 1974, which broadly regulates the federal government’s use of personal information, is nearing its 50th birthday. It’s the technological advances of the last few decades, though, that have made privacy a top concern. Recent technological change has drastically increased the sophistication with which personal information is collected in our digital world and the degree to which information is used to influence human behavior.</p>
<p><strong>Where Did Modern Privacy Laws Come From?—FIPs</strong></p>
<p>Fair Information Practices (FIPs)—also called Fair Information Principles, or Fair Information Privacy Principles (FIPPs)—are sets of principles on the collection and use of personal information. FIPs are not laws, but often form the backbone of information privacy laws. Many government agencies and intergovernmental organizations developed their own FIPs during the last half-century. FIPs attempt to capture consensus on the rights and obligations surrounding personal information.</p>
<p><img loading="lazy" decoding="async" class="alignnone wp-image-12134" src="https://cdn.zasio.com/wp-content/uploads/2022/10/Will_Graphic-1-300x168.jpg" sizes="(max-width: 882px) 100vw, 882px" srcset="https://cdn.zasio.com/wp-content/uploads/2022/10/Will_Graphic-1-300x168.jpg 300w, https://cdn.zasio.com/wp-content/uploads/2022/10/Will_Graphic-1-1024x574.jpg 1024w, https://cdn.zasio.com/wp-content/uploads/2022/10/Will_Graphic-1-768x430.jpg 768w, https://cdn.zasio.com/wp-content/uploads/2022/10/Will_Graphic-1.jpg 1098w" alt="" width="882" height="494" /></p>
<p>One consistency in all FIPs is that a person retains a level of ownership of the information about them, even though they may have chosen to expose their information to another. When managing your records program, the best way to think about personal information is that you are merely a custodian—and have a limited right to use it, along with certain obligations that go along with that use.</p>
<p>FIPs’ incorporation into information privacy laws has given these laws many common elements; nonetheless, not all data privacy laws operate the same way. There are two basic but competing approaches to information privacy laws—the comprehensive approach and the sectoral approach; both of these are described in more detail below.</p>
<p><strong>The Comprehensive Approach</strong></p>
<p>The European Union’s General Data Protection Regulation (GDPR) (2018) is the most well-known example of a comprehensive privacy law; it declares information privacy a fundamental human right. Under the GDPR’s comprehensive approach, the same privacy rules apply across commerce. It doesn’t matter what industry or market you’re in, or what type of personal data you’re handling (whether it’s personal health data or financial information): a comprehensive privacy law imposes a baseline set of rules.</p>
<p>The GDPR applies to organizations in the EU; but it also operates as an ‘extra-territorial’ law—in other words, you don’t have to be in the EU for the law to govern your collection and use of EU personal information. If a commercial organization targets individuals in the EU—such as marketing to them through a website in the U.S. or monitoring their behavior through cookies—the organization is subject to the GDPR with respect to that personal information. The GDPR also regulates the transfer of personal information outside of the EU, meaning certain conditions must be met if your U.S. organization receives the personal information of people in the EU.</p>
<p><strong>The Sectoral Approach and U.S. Privacy Laws</strong></p>
<p>Unlike comprehensive laws, federal privacy laws in the U.S. are specific to different market sectors, entities, or data types. The following are five frequently encountered sectoral U.S. privacy laws:</p>
<p><strong>HIPAA</strong>: Rules under the Health Insurance Portability and Accountability Act require that ‘covered entities’ (health insurance companies, most healthcare providers, and healthcare clearinghouses) comply with a baseline set of privacy and security rules concerning personal health information. These rules also mandate that ‘business associates’ (e.g., a contractor handling personal health information for a ‘covered entity’) agree to certain privacy and security requirements.</p>
<p>Contrary to some popular perceptions, HIPAA regulates health information based on who possesses it (like your doctor’s office), and not across the board. As a result, while HIPAA requires your doctor’s office to safeguard your personal health information, it does not prevent a restaurant from requiring proof of your COVID vaccine and does not regulate your health data stored in a favorite health tracking app, like Fitbit.</p>
<p><strong>FCRA</strong>: The Fair Credit Reporting Act regulates consumer reports like the credit report created when you applied for a loan, or the background check your employer ordered when you were hired. Under FCRA, your data in a consumer report must be accurate and relevant, and you have certain rights to access and correct this information.</p>
<p><strong>GLBA</strong>: The Gramm-Leach-Bliley Act requires financial institutions to safeguard your financial information. It also requires financial institutions to notify you of their privacy policies, including what information is collected about you, with whom it is shared, and how an institution uses and disposes of it.</p>
<p><strong>CAN-SPAM</strong>: This law with a stemwinder of a title (the Control the Assault of Non-Solicited Pornography and Marketing Act of 2003) regulates commercial email. The law requires senders of commercial emails to clearly and conspicuously inform you of how to opt-out of future messages and prohibits the sender from charging a fee for exercising this right. The law also regulates to a lesser degree commercial text messaging.</p>
<p>A blunt critique of the U.S.’s sectoral approach is that it’s a “cluttered mess of different rules.”<a href="https://www.zasio.com/privacy-rim-professionals/#_ftn3" name="_ftnref3" data-wpel-link="internal">[3]</a> Efforts have been underway for some time to enact a comprehensive U.S. information privacy law. The political challenges have been steep. While Congress this year has come closer than ever to passing a comprehensive privacy law, passage is still viewed by most as a long way off. Until a comprehensive privacy law happens, the nearest thing in the U.S. is the Federal Trade Commission Act (FTCA).</p>
<p><strong>FTCA</strong>: This law broadly prohibits unfair and deceptive commercial practices, including practices related to information privacy and security. The FTCA applies to a range of entities, from retailers to technology companies to pharmaceutical companies, and even social media companies. The Act can be applied to any kind of personal information if the business entity collecting or using it is doing so in an unfair or deceptive way. The Federal Trade Commission (FTC) is the main enforcer under the FTCA, as well as under a handful of other sectoral privacy laws, such as COPPA. The FTC <a href="https://www.ftc.gov/legal-library/browse/cases-proceedings" data-wpel-link="external" rel="external noopener noreferrer">maintains a website of its legal filings</a> about conduct it considers unfair and deceptive. Regularly reviewing the FTC’s complaints and orders concerning other companies’ information privacy and security practices can be a good way to stay informed about what not to do with personal information in your organization.</p>
<p><strong>State Comprehensive Privacy Laws</strong></p>
<p>Absent a comprehensive U.S. information privacy law, an increasing number of states—which currently include California, Colorado, Connecticut, Virginia, and Utah—have since 2018 enacted their own comprehensive laws. The most notable is the California Consumer Privacy Act (CCPA). In 2020, California voters passed a referendum amending the CCPA, known as the California Privacy Rights Act (CPRA), which will become enforceable in 2023.</p>
<p>Like the GDPR, the CCPA/CPRA has an ‘extraterritorial’ effect, meaning non-California businesses with sufficient ties to California consumers are subject to it. The CPRA also requires businesses subject to the law to require their contractors and service providers handling personal information—even those not otherwise subject to the law—to follow a number of information privacy and security practices.</p>
<p>The CPRA brings California’s privacy framework closer to the GDPR’s; however, there are still numerous differences between them—as well as among all data privacy laws. Accordingly, compliance with one should never be presumed to be compliance with another, and each deserves detailed scrutiny before deciding on a compliance strategy.</p>
<p><strong><img loading="lazy" decoding="async" class="alignnone wp-image-5006" src="https://cdn.zasio.com/wp-content/uploads/2018/02/Data-Privacy-and-Protection-300x200.jpg" sizes="(max-width: 294px) 100vw, 294px" srcset="https://cdn.zasio.com/wp-content/uploads/2018/02/Data-Privacy-and-Protection-300x200.jpg 300w, https://cdn.zasio.com/wp-content/uploads/2018/02/Data-Privacy-and-Protection-768x512.jpg 768w, https://cdn.zasio.com/wp-content/uploads/2018/02/Data-Privacy-and-Protection-1024x683.jpg 1024w" alt="Privacy protection with Zasio Records Management Software at the 2018 Global Privacy Summit" width="294" height="196" /></strong></p>
<p><strong>The Bottom Line for RIM Professionals</strong></p>
<p>If you’ve read this far you know there’s a lot to just scratch the surface on information privacy. Yet, despite an ever-changing privacy landscape, a few faithful takeaways exist to help you better incorporate privacy into your RIM practices:</p>
<ul>
<li><strong>Neither the GDPR, the CCPA/CPRA, nor any other major privacy law sets a retention period for personal information</strong>. Instead, these laws require your organization to keep personal information only as long as necessary to accomplish the purpose for which it was collected. This principle creates conflict with records retention laws that can set lengthy minimum retention periods. It also conflicts with many organizations’ habits of wanting to hold on to a lot of information, sometimes indefinitely. Ultimately, you must balance the need to preserve records with the need to delete personal information within the record.</li>
<li><strong>Define personal information in your organization broadly</strong>. When defining what personal information your organization possesses, remember that there are often numerous ways to combine data that would cause it to be able to identify someone. The safer approach—and often the legally required approach—is to generally define personal information broadly.</li>
<li><strong>Privacy requires a mindset change about what constitutes a record</strong>. With privacy as part of a records program, you must avoid thinking about records narrowly. It can be helpful to think of any information with more than a transient value as a record. Focus on managing all information rather than just documents.</li>
<li><strong>Privacy involves taking some educated risks</strong>. Many privacy laws have been on the books for decades; others, like the GDPR and the CCPA/CPRA, have sprung up like a geyser in the past five years—and what they require remains uncertain in a number of contexts. For records programs, setting retention periods and handling requirements for records series can sometimes be done with a cut-and-dried approach. Accounting for privacy requirements, though, involves being comfortable with more legal ambiguity—a prime example is determining how long “no longer than necessary” is when retaining personal information. This means setting a risk tolerance and being more comfortable with operating in gray areas.</li>
<li><strong>Inventory (‘Map’) your personal information</strong>. To have any hope of having a privacy-compliant RIM program, it’s essential to know what kinds of personal information you have and where it resides in your different electronic databases, paper files, records series, and elsewhere. It also means being able to access that personal information should a data owner exercise a right—such as the right to correction or deletion—under an applicable data privacy law.</li>
<li><strong>Isolate personal information as best you can</strong>. Keeping personal information in known, centralized databases wherever practicable is a good practice. Avoid creating unnecessary duplicates of this information. Restrict access to personal information to those whose job requires it. And where possible, keep personal information from being included in your records in the first place.</li>
<li><strong>Security</strong>. Security is fundamental to privacy, and you must keep security in the front of your mind when making any RIM-privacy decision. Data privacy laws generally require security appropriate to the records and the risks. However, there is no base security program spelled out in privacy laws, nor is there one appropriate to all situations. You must determine what appropriate security means in each situation.</li>
<li><strong>Keep Learning About Privacy</strong>. Data privacy laws will continue to grow and impact records and information management. How your organization gathers and uses personal information will also change. Accordingly, RIM managers will need to grow their privacy fluency in step to make sure legal requirements, not to mention public expectations, are properly reflected. But privacy can be enjoyable, and again, with the right knowledge and an informed team, will be one of the most rewarding aspects of RIM.</li>
</ul>
<p><a href="https://www.zasio.com/privacy-rim-professionals/#_ftnref1" name="_ftn1" data-wpel-link="internal">[1]</a> <em>See</em> Judith A. Swanson, <em>The Public and Private in Aristotle’s Political Philosophy</em> (Cornell University Press 1992).</p>
<p><a href="https://www.zasio.com/privacy-rim-professionals/#_ftnref2" name="_ftn2" data-wpel-link="internal">[2]</a> Samuel D. Warren and Louis D. Brandeis, <em>The Right to Privacy</em>, Harvard Law Review, Vol. 4, No. 5 (Dec. 15, 1890).</p>
<p><a href="https://www.zasio.com/privacy-rim-professionals/#_ftnref3" name="_ftn3" data-wpel-link="internal">[3]</a> Thorin Klosowski, <em>The State of Consumer Data Privacy Laws in the US (And Why It Matters)</em>, <a href="https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/" data-wpel-link="external" rel="external noopener noreferrer">NY Times</a> (published Sept. 6, 2021).</p>
<p><em>Zasio is an <a href="https://zasio.com/technology-solutions/" data-wpel-link="internal">information governance software</a>, SaaS, and <a href="https://zasio.com/consulting-services/" data-wpel-link="internal">consulting company</a> based in Boise, Idaho. Zasio is not a law firm and does not provide legal advice or services. This material is for informational purposes only and not for the purpose of providing legal or other professional advice.</em></p>
<p>The post <a href="https://zasio.com/privacy-rim-professionals/" data-wpel-link="internal">What is Privacy Anyway? A Brief Introduction for RIM Professionals</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/privacy-rim-professionals/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
