www.elsevier.com/locate/bushor
Data management regulation: Your company needs an up-to-date data/information management policy
Anjanette H. Raymond
Kelley School of Business, Indiana University, 1309 E. Tenth Street, Bloomington, IN 47405-1701, U.S.A. & Visiting Fellow in International Commercial Law, Centre for Commercial Law Studies, Queen Mary, University of London
KEYWORDS
Data policy and regulation; European data law; Information and privacy law; European Union privacy regulation
Abstract Over the next 10 years, the intelligent use of data will become one of the greatest competitive advantages a company can possess. At the same time, the loss or mishandling of data/information is one of the bigger risks facing modern businesses. As consumers become increasingly aware of security issues, and of the value of their data, data/information policy is moving away from the gather-with-consent approach toward a model that holds the business accountable at each stage of the process. This fundamental shift in practice will need to be reflected in the data/information management policy of the business. Yet, many companies lack up-to-date data/information policies and few recognize the growing influence of the European Union on the manner of data/information handling. This installment of Business Law & Ethics Corner seeks to assist in the development of new policy by explaining key legislative and policy initiatives in both the United States and the European Union, and by making data management policy recommendations. © 2013 Kelley School of Business, Indiana University. Published by Elsevier Inc. All rights reserved.
0007-6813/$ see front matter © 2013 Kelley School of Business, Indiana University. Published by Elsevier Inc. All rights reserved. http://dx.doi.org/10.1016/j.bushor.2013.03.001
why businesses are proclaiming that data is the new oil (Rotella, 2012). Despite this treasure trove of customer data and customers' assumption that companies treat it as an important commodity worth protecting, the vast majority of businesses fail to appreciate data protection laws, and even fewer have updated policies that reflect recent changes in the law. For example, the Edelman Privacy Risk Index surveyed 6,400 corporate executives in 20 countries and found that over half (57%) of respondents think their organization does not consider privacy and the protection of personal information to be a corporate priority (Edelman, 2012). Roughly six out of ten (61%) companies do not strictly enforce all levels of compliance with laws and regulations. Possibly more concerning is the fact that the research also highlights a lack of awareness of the potential risks related to data security and privacy incidents. Over half (53%) of respondents think a data breach would not adversely impact their reputation or financial position, despite nearly three-quarters (71%) of consumers saying they would leave a company after such an event. Additionally, 57% of organizations believe that employees do not understand the importance of privacy, and two-thirds do not make an effort to educate employees about privacy and security issues (Edelman, 2012).
Of course, this situation becomes even more problematic when a business is in a position to pass on or share information in a cross-border situation. It is all too common for a medium- or large-size business to outsource certain portions of its operations, such as marketing or call centers, and these services are sometimes outsourced to a faraway place. Yet, recent studies suggest that even if your business considers privacy and security a priority, many other businesses (such as marketing firms) do not necessarily give privacy and security the same attention. It is important to keep this in mind: Even something as simple as confirming or passing on customer-based information to your outsourced marketing firm or customer helpline can implicate the sharing of information and various data protection and privacy laws. Clearly, businesses today need to develop policy that not only considers the leaking or stealing of information, but also the implications and policy needs of the firm when it intentionally passes on information to outside parties in an effort to facilitate business.
In these environments, a company must consider the real possibility of a multitude of legal regimes covering the data, each of which should be reflected in business data policy.
such a high level of success that the company has even been able to predict when customers are pregnant, despite not having been directly informed by the individual (Hill, 2012). The use of analytics and business intelligence with such an amazing degree of success is a business advantage in a highly competitive environment; however, success oftentimes draws attention. For businesses to gather this amount and type of information requires consent. Of course, firms have little trouble in receiving consent from consumers in gathering this type of information, as many customers like loyalty and similar-type cards, and willingly, or unknowingly, provide sometimes very personal information in exchange for future discounts (Spiekermann, Grossklags, & Berendt, 2001; Tsai, Egelman, Cranor, & Acquisti, 2011). Yet, as Target statistician Andrew Pole noted in an interview: "We are very conservative about compliance with all privacy laws. But even if you're following the law, you can do things where people get queasy" (Hill, 2012). The controversy faced by Target exemplifies a growing data management issue faced by businesses: Consent might be all that the law requires to gather this wealth of information, but customers are beginning to demand businesses use this information in a responsible, not merely legally compliant, manner.
Microsoft Chief Privacy Strategist, Peter Cullen (2012), pointed out: "Privacy frameworks relying heavily on individual notice and consent are neither sustainable in the face of dramatic increases in the volume and velocity of information flows, nor desirable because of the burden they place on individuals. Generally, people [agree] that new approaches to privacy protection must shift responsibility away from individuals to organizations which use data, driving a focus on what uses of that data are permitted, as well as on accountability for responsible data stewardship rather than mere compliance."
As highlighted by Peter Cullen's remarks and other materials from the Microsoft Global Privacy Summit (Cate & Mayer-Schönberger, 2012), the legal requirements of notice and consent are simply not working in the current data environment, where data collection is pervasive. In most instances, the original laws did not foresee the massive amounts of data that would be collected across environments, and few laws envision data collection from a global perspective. Moreover, even if businesses collect information in a legally compliant manner, consumers are growing uneasy about the use of personal information in such a wide-scale manner. This situation is quickly changing, however, as legislative bodies around the world begin to respond to individuals' demands in relation to their data/information. Accordingly, businesses must begin to develop policy that reflects the emerging trends in data management and protection. While it may seem easier and less costly to sit back and wait for the trends to become full-fledged law, customers will no longer delay for these protections and will find it increasingly difficult to understand the apathy of business toward data protection. Businesses must begin to act now to ensure a data/information policy that recognizes the importance of data protection. Simply put: It is most likely time you update your data/information policy and, in doing so, you should consider both consumer expectations and current trends in emerging global data protection legal requirements.
Do Not Track Online Act, and the Data Security and Breach Notification Act. Each of these legislative attempts failed at some point during the implementation stage. From a business policy development perspective, the failure to implement harmonized law is not as important as the emergence of any shifts in focus or responsibility that are similar across texts. In this instance, similarities exist, many of which are so fundamental that businesses will need to take note in their data/information policy development. For example, the majority of the aforementioned Congressional works emphasized three key areas: (1) the creation of Federal Trade Commission, or FTC, regulatory powers; (2) insistence upon consumers having the ability to see and correct information collected about them; and (3) the creation of limitations in the amount of information gathered, the end use, and the length of storage that a business may undertake, sometimes even to a single transaction. In addition, the Do Not Track Online Act limited firms' ability to collect and use personal information obtained by tracking the online activity of an individual. As a result, some argue that the data/information management policy of the United States is shifting from a gather-with-consent, notice-for-failure system to one that restricts collection of information and heightens responsibilities in terms of information safekeeping.
While this shift is clearly gaining national attention, some argue that the most significant change is reflected within the U.S. Intellectual Property Enforcement Coordinator (2012) report titled Consumer Data Privacy in a Networked World. While this piece proposes basic principles for consumer privacy, it puts forth several other interesting notions, too.
For example, it calls for the creation of enforcement powers to be vested in the Federal Trade Commission; insists upon cooperation amongst systems (i.e., international interoperability); and calls for the enactment of comprehensive, harmonized consumer data privacy legislation. Most importantly, the report creates a Consumer Privacy Bill of Rights intended to serve as a baseline for policy development. The report emphasizes the need for businesses to consider data management policy in light of: (1) individual control, (2) transparency, (3) respect for context, (4) security, (5) access and accuracy, (6) focused collection, and (7) accountability (U.S. Intellectual Property Enforcement Coordinator, 2012). As can be seen, these seven principles create the expectation that a business will need to prioritize data management and will be held accountable for it at each stage of the information/data management process. It is worth pointing out that Consumer Data Privacy in a Networked World suggests these principles are actual rights of consumers. As such, under this plan consumers will be empowered to hold the business responsible for many common data-related issues such as the misuse, loss, or theft of data. Clearly, a shift in policy focus is occurring on the legislative front. In addition to extant expectations, businesses will also soon be limited to gathering less information, to using that which is gathered for a limited time only, and will be held responsible for problems associated with data/information loss or mismanagement.
consistent with the context of the transaction or the company's relationship with the consumer (Federal Trade Commission, 2012). Presumably, this provision would allow for the business to collect information such as name, address, and credit card information when the business is engaged in a sales transaction. However, the recommendations will most likely be interpreted to prevent the collection of personal information as an identity or authentication device. For example, many information-gathering platforms currently require the individual to enter credit card or address information as a verification of age or as an authentication of a live person. This could be prohibited under the recommendations, which in turn will require businesses to create new means of age verification and fraud prevention. The recommendations place limits upon the presumptive consent provision by clarifying the need for consent when: (1) the business is using the consumer data in a materially different manner than claimed when the data was collected, or (2) the business is collecting sensitive data for certain purposes (Federal Trade Commission, 2012). Consequently, businesses using data in a new or unexpected manner, based on the situation, would need to offer consumers the choice of opting out, and would need to obtain consent for any new data use. Moreover, the collection of data that could be thought of as sensitive (which may include anything from a birthdate to a social security number) would always require consent. Finally, the report mirrors some of the previously-discussed legal initiatives when it calls for the implementation of several key federal laws designed to harmonize consumer data protection. It is highly likely that the time is right for the creation of data protection legislation.
The FTC report signals to businesses that the legislative wheels within the United States intend to create a data/information management and protection system that insists upon businesses gathering, handling, and storing information with heightened attention on prioritizing data management at each stage of the process. Probably most important to the firm is the plausible implementation of a system, through the use of the FTC, which will penalize businesses that do not prioritize data protection.
The potential application of foreign law to your business data/information activities should not be overlooked, as the United States is not the only country paying attention to data/information management. In fact, as will be explored, several countries and regions are farther along in their data/information management reform efforts. In many of these situations, businesses may be surprised to learn that foreign law has been created to respond to a global data/information environment. As a result, foreign law: (1) may apply to some of your data/information management, (2) is likely more protective of information, and (3) may even provide for significant penalties for data management related issues. Consequently, businesses must consider if their data is or could be considered to be covered by foreign law when creating data/information policy.
headquarters. However, compliance with foreign data management/privacy laws has now become extremely important for multinational businesses, even those that merely engage in the provision of services in an online environment. Consequently, it is no longer enough for business to only consider domestic law and policy; in today's globally connected environment, firms must also give weight to developments in foreign law and policy. At the current time there is one particular European Union legislative attempt that is garnering much attention in the data management circles, primarily because the initiative captures businesses located outside the European Union within its powers.
4.2. The staggering scope and impact of new European Union law
The foreign law drawing the most attention from U.S.-based businesses is the new European Union draft Data Protection Regulation. This is intended to bring legislation in line with the demands of the 21st century by attempting to strike a balance between protecting individuals' rights to data privacy and preserving the commercial freedoms of companies to engage with consumers. However, the Regulation seems to have crafted the balance in a manner that significantly favors the individual. Consequently, the Regulation takes the position that personal data should not be processed at all, except when the business can demonstrate transparency, legitimate purpose, and proportionality in relation to personal information. It is immediately apparent that this is a fundamentally different approach than the approach to data management being created within the United States. It is important to note, the Regulation seems clear in specifying that any business not established in the European Union whose processing activities relate to the offering of goods or services to EU subjects or who monitors their behavior shall have the same obligations as European Union businesses (European Commission, 2012). So, should this Regulation come into effect (and it might, as early as late 2015), any U.S.-based businesses will need to comply with the Regulation.
To verify the application of this regulation to a U.S.-based business, several determinations must be made. First, the business needs to consider if it is gathering the personal information of someone located in the European Union. Within the Regulation, personal data is defined as "any information relating to an identified or identifiable natural person" and the identification can occur either directly or indirectly (European Commission, 2012, Article 2a). In effect, the collection of personal data occurs when someone is able to link the information to an individual, even if the person holding the data cannot make this link. Some examples of personal data include addresses, credit card numbers, bank statements, criminal records, and employment information. In fact, under the Regulation, IP addresses are classed as personal data, even if the information is contained in anonymized batches. Consequently, businesses must understand that it is irrelevant if the link between information and the person is made by, or even facilitated by, the business in question. It is the collection of the information that is sufficient to trigger compliance with the Regulation.
The business also needs to consider if it is performing a processing function in relation to the personal information gathered. Within the Regulation, processing means "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction" (European Commission, 2012, Article 2b). Based on this definition, it is easy to appreciate that any online business trading, providing services, or monitoring the activities of any European Union-based persons or businesses would most likely be processing data. In fact, it has been argued that the use of processing equipment located in the European Union would be sufficient to trigger the application of this regulation to a U.S.-based business. Frankly, if you are now asking yourself if this Regulation might apply to your business activities, it probably will when it comes into effect!
Businesses in the position to develop policy that reflects the EU Regulation will most likely be surprised at the approach that the Regulation takes toward data/information gathering and use. For example, the Regulation places significant limits on the information that can be gathered. Under the Regulation, personal data: (1) can only be collected for specified, explicit, and legitimate purposes; (2) may not be further processed in a way incompatible with those purposes; and (3) is to be limited to the minimum necessary in relation to the purpose for which it is processed. Ultimately, businesses can only gather information that is critical to the furtherance of the transaction, and that purpose must be specifically spelled out to the customer. As such, your firm most likely can gather information regarding a client's address for the purpose of shipment, but not then use that information to market products to the individual without his/her express consent. Additionally, businesses are only allowed to process personal data if the purposes of the information processing could not be fulfilled through the use of non-personal information. Fundamentally, if the business can perform its task without the collection of personal data, it must do so.
Also interesting is the Regulation's strict approach toward preventing businesses from trying to overcome the limitations placed upon them by merely transferring the data/information outside the European Union. Within the Regulation, personal data may only be transferred to third countries if that country provides an adequate level of protection. Because the United States is still in the developmental stages of harmonized, comprehensive data management legislation, the European Union has determined that it does not provide adequate protections to personal data. As such, each individual U.S.-based business transferring personal information gathered or processed in the European Union will need to demonstrate compliance with the Data Protection Directive (European Parliament, 1995).
Finally, in a provision that will be most surprising to many U.S.-based businesses, the Regulation contains enforcement mechanisms unheralded in previous pieces of legislation. For example, it gives power to the Data Protection Authorities (think FTC, but more powerful) to impose fines of up to €1,000,000 per individual and up to 2% of a firm's global annual turnover in the event of a breach in data laws. The provisions go even further, however, by also allowing the Data Protection Authorities to impose criminal sanctions (Article 78) and/or civil sanctions (Article 77), including the right for damages for individuals and entities harmed by the loss of data (European Commission, 2012).
5. Recommendations
Hopefully by this point, it is clear that legislative initiatives in both the EU and U.S. are about to necessitate new data/information management policies that fundamentally change the manner in which companies gather, transmit, use, store, and retain data. This article really only skims the surface of the issue in terms of the manner in which business data/information management policy must seek to protect data. While firms await the confirmation of final legislation, now is the perfect time to update your data policy, as there is a clear shift in approach taken toward data management. Currently, business must at a minimum ensure two things: (1) consent, and (2) reporting when a data breach occurs. Of course, these two things are based upon a business guaranteeing best practices when gathering, using, handling, sharing, storing, and removing information gathered. However, in the not-too-distant future, legislative initiatives will demand much more from businesses in terms of data management.
As regards policy development, it is essential that firms consider the emerging standard of accountability at each stage of the process and develop data/information policy that reflects this shift. To accomplish this, business needs to certify that any policy ensures a high level of data security, insists upon reasonably limiting data collection and data retention, includes provisions in terms of the timely disposing of data, and creates policy that guarantees the accuracy of the data. Moreover, businesses need to begin to understand that some information/data should be considered sensitive and, as such, additional protections should be in place for the dissemination, protection, correction, and deletion of such information. Equally as important, businesses should undertake an examination of any processes that gather information. Collected data must be necessary for conducting the deal and used in a manner consistent with the transaction. If not, consent for further use might be necessary and is probably something that the individual will expect. Even in the absence of legal requirements, this is one area that is clearly making individuals uneasy and should be considered within the development of data management policy. Although only briefly touched upon within this article, businesses must ensure that internal employee policies concerning data management are clearly stated, respected by staff, and adequately enforced.
Accountability at every stage of the process will most likely be considered to include the manner in which employees handle information. Many businesses are attempting to reduce employee-related risks in relation to their personal data processing activities by limiting employee access to data on a tighter, need-to-use basis. In the future, though, it will most likely not be enough that your company reports data breaches; instead, the expectation will be for your firm to create silos of information, have robust passwords, encrypt sensitive information, monitor employees to prevent data breaches, and develop a culture of attention to data protection. Your company needs to assert control over its data, regardless of any outsourcing agreements. Accountability at each stage of the process will most likely mean that businesses cannot insulate themselves from liability when shifting, transferring, or sharing information with an outsourced provider. Consequently, the business policy and the contract with any of your outsourced providers of services need to reflect a robust attention to the protection of personal information/data.
As most businesses are hopefully aware, firms should implement a breach-notification process that includes procedures for early detection of breaches and enhanced incident management processes that comply with already-existing regulation. In general, any data breach must be reported to the relevant authority, even if protective measures, such as encryption, are in place or the likelihood of harm is low.
Businesses need to consider and plan for the reality of an online world that deals in data transmission, sharing, and storing in a global environment. As such, firms must also consider the following: (1) Where are you gathering, using, and storing data/information? (2) Are you marketing, advertising, or otherwise sending information/data into a foreign jurisdiction, such as advertising a product/service online? (3) Are any of your data transfers occurring into or through the use of systems located in a country that lacks adequate data protection regulations? When reaching into, transmitting through, or storing information in a foreign jurisdiction (which may even include internal transfers of information amongst business subsidiaries), you should remember that many countries' legal systems protect personal data at a much higher level, sometimes even treating information as belonging to the individual (as opposed to the entity collecting the information). As such, a more robust data/information policy is in order. In addition to the aforementioned issues, the policy should also consider that most foreign jurisdictions protect more information than the United States.
Currently, the most important thing for a business to consider is the imposition of clear and informed consent for the collection and use of data. Toward this end, businesses must ensure that their data policy is transparent and that any changes to the policy are agreed to by all impacted parties. Should your business be engaged in any activity that may implicate the application of European Union law, such as the Regulation previously discussed, it is fundamental that you appreciate a wide divergence between the U.S. and EU approaches to data management. And should the Regulation come into force, U.S.-based businesses will need to ensure that their data management policies reflect a strong protection of personal information. As such, data management policy will need to be developed to guarantee that: (1) any information collected is necessary to facilitate the transaction, (2) the information is only collected for the specified purpose, and (3) the information is not further processed in an unexpected and/or unnecessary manner.
Finally, one of the widely discussed topics within the EU Regulation is the right to be forgotten. Because this particular issue has been covered so well elsewhere, it has not been addressed in detail herein; however, this does not mean the issue should be overlooked within your data management policy. The EU Regulation requires businesses to allow an individual to be forgotten by the organization. In practice, this will facilitate creation of a policy that enables individuals to demand organizations erase records that contain their personal information.
6. Conclusion
Chances are good that your business data management policy is long out-of-date and lacks a robust approach to data management. Accordingly, it is time to update your policy, as significant and far-reaching legal changes are about to occur within the data management world. Just on the horizon is U.S. federal legislation, which requires businesses to create a data/information management and protection system that prioritizes data management at each stage of the information/data management process. And the new policy initiatives do not end with the United States, as many other countries are also in the process of updating their data management regulations. Given that the proposed financial penalties for non-compliance are significant, businesses should begin to take steps to ensure priority is being given to data management during the entirety of the data process.
Acknowledgment
My thanks to Joseph Kaufmann, Anthony Kelly, and TK IT Consulting, LLC for their assistance in the writing of this article. All opinions are those of the author.
References
Cate, F. H., & Mayer-Schönberger, V. (2012, November). Notice and consent in a world of big data: Microsoft global privacy summit summary report and outcomes. Retrieved November 21, 2012, from http://www.microsoft.com/en-us/download/details.aspx?id=35596
Cullen, P. (2012). Notice and consent in a world of big data. Retrieved November 21, 2012, from http://blogs.technet.com/b/microsoft_on_the_issues/archive/2012/11/13/notice-and-consent-in-a-world-of-big-data.aspx
Direct Marketing Association. (2012, July 30). Putting a price on direct marketing. Retrieved November 21, 2012, from http://www.dma.org.uk/toolkit/putting-price-direct-marketing
Edelman. (2012, November 16). Edelman study finds global businesses unprepared to meet customer and regulator expectations around privacy and data security. Retrieved November 21, 2012, from http://www.edelman.com/news/edelman-study-finds-global-businesses-unprepared-to-meet-customer-and-regulator-expectations-around-privacy-and-data-security/
European Commission. (2012, January 25). Proposal for a regulation of the European Parliament and of the council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). Retrieved from http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf
European Parliament. (1995). Directive 95/46/EC, on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Retrieved November 21, 2012, from http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML
Federal Trade Commission. (2012, March 26). FTC issues final commission report on protecting consumer privacy. Retrieved November 30, 2012, from http://www.ftc.gov/opa/2012/03/privacyframework.shtm
Hill, K. (2012, February 16). How Target figured out a teen girl was pregnant before her father did. Forbes Online. Retrieved November 21, 2012, from http://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/
IBM. (n.d.). What is big data? Retrieved November 21, 2012, from http://www-01.ibm.com/software/data/bigdata/
Rotella, P. (2012, April 2). Is data the new oil? Forbes Online. Retrieved November 21, 2012, from http://www.forbes.com/sites/perryrotella/2012/04/02/is-data-the-new-oil/
Spiekermann, S., Grossklags, J., & Berendt, B. (2001). E-privacy in 2nd generation e-commerce: Privacy preferences versus actual behavior. Proceedings of the ACM Conference on Electronic Commerce, 38-47. Retrieved November 21, 2012, from http://people.ischool.berkeley.edu/jensg/research/paper/grossklags_e-Privacy.pdf
Tsai, J. Y., Egelman, S., Cranor, L., & Acquisti, A. (2011). The effect of online privacy information on purchasing behavior: An experimental study. Information Systems Research, 22(2), 254-268.
U.S. Intellectual Property Enforcement Coordinator. (2012, February). Consumer data privacy in a networked world: A framework for protecting privacy and promoting innovation in the global digital economy. Retrieved November 21, 2012, from http://www.whitehouse.gov/sites/default/files/privacy-final.pdf