
Business Horizons (2013) 56, 513-520

Available online at www.sciencedirect.com

www.elsevier.com/locate/bushor

BUSINESS LAW & ETHICS CORNER

Data management regulation: Your company needs an up-to-date data/information management policy
Anjanette H. Raymond
Kelley School of Business, Indiana University, 1309 E. Tenth Street, Bloomington, IN 47405-1701, U.S.A. & Visiting Fellow in International Commercial Law, Centre for Commercial Law Studies, Queen Mary, University of London

KEYWORDS
Data policy and regulation; European data law; Information and privacy law; European Union privacy regulation

Abstract. Over the next 10 years, the intelligent use of data will become one of the greatest competitive advantages a company can possess. At the same time, the loss or mishandling of data/information is one of the bigger risks facing modern businesses. As consumers become increasingly aware of security issues, and of the value of their data, data/information policy is moving away from the gather-with-consent approach toward a model that holds the business accountable at each stage of the process. This fundamental shift in practice will need to be reflected in the data/information management policy of the business. Yet, many companies lack up-to-date data/information policies and few recognize the growing influence of the European Union on the manner of data/information handling. This installment of Business Law & Ethics Corner seeks to assist in the development of new policy by explaining key legislative and policy initiatives in both the United States and the European Union, and by making data management policy recommendations. © 2013 Kelley School of Business, Indiana University. Published by Elsevier Inc. All rights reserved.

1. Your company policy matters


At businesses and organizations in every industry, across the globe, leaders wonder whether they are extracting full value from the massive amounts of information they possess within their firms. Consider that IBM (n.d.) researchers claim we are, in 2012, creating 2.5 quintillion bytes of data every 24 hours, enough information to fill the equivalent of 625 million DVDs a day. It is easy to understand why businesses are proclaiming that data is the new oil (Rotella, 2012). Despite this treasure trove of customer data and customers' assumption that companies treat it as an important commodity worth protecting, the vast majority of businesses fail to appreciate data protection laws, and even fewer have updated policies that reflect recent changes in the law. For example, the Edelman Privacy Risk Index surveyed 6,400 corporate executives in 20 countries and found that over half (57%) of respondents think their organization does not consider privacy and the protection of personal information to be a corporate priority (Edelman, 2012). Roughly six out of ten (61%) companies do not strictly enforce all levels of compliance with laws and regulations. Possibly more concerning is the fact that the research also highlights a lack of awareness of the potential risks related to data security and privacy incidents. Over half (53%) of respondents think a data breach would not adversely impact their reputation or financial position, despite nearly three-quarters (71%) of consumers saying they would leave a company after such an event. Additionally, 57% of organizations believe that employees do not understand the importance of privacy, and two-thirds do not make an effort to educate employees about privacy and security issues (Edelman, 2012).

Of course, this situation becomes even more problematic when a business is in a position to pass on or share information in a cross-border situation. It is all too common for a medium- or large-size business to outsource certain portions of its operations, such as marketing or call centers, and these services are sometimes outsourced to a faraway place. Yet, recent studies suggest that even if your business considers privacy and security a priority, many other businesses (such as marketing firms) do not necessarily give privacy and security the same attention. It is important to keep this in mind: Even something as simple as confirming or passing on customer-based information to your outsourced marketing firm or customer helpline can implicate the sharing of information and various data protection and privacy laws. Clearly, businesses today need to develop policy that not only considers the leaking or stealing of information, but also the implications and policy needs of the firm when it intentionally passes on information to outside parties in an effort to facilitate business. In these environments, a company must consider the real possibility of a multitude of legal regimes covering the data, each of which should be reflected in business data policy.

E-mail address: angraymo@indiana.edu

0007-6813/$ - see front matter © 2013 Kelley School of Business, Indiana University. Published by Elsevier Inc. All rights reserved. http://dx.doi.org/10.1016/j.bushor.2013.03.001

2. Consent as a means to collect information is no longer enough

It is important for businesses to understand that the tide may be turning in relation to the locus of responsibility for the means of gathering and safekeeping of data. Consider the growing backlash against business loyalty, registry, and point-earning store cards and similar devices. Target, an industry leader in terms of data-driven analytics and business intelligence, gathers copious amounts of information concerning its customers. Indeed, Target gathers so much information and interprets it with such a high level of success that the company has even been able to predict when customers are pregnant, despite not having been directly informed by the individual (Hill, 2012). The use of analytics and business intelligence with such an amazing degree of success is a business advantage in a highly competitive environment; however, success oftentimes draws attention. For businesses to gather this amount and type of information requires consent. Of course, firms have little trouble in receiving consent from consumers in gathering this type of information, as many customers like loyalty and similar-type cards, and willingly, or unknowingly, provide sometimes very personal information in exchange for future discounts (Spiekermann, Grossklags, & Berendt, 2001; Tsai, Egelman, Cranor, & Acquisti, 2011). Yet, as Target statistician Andrew Pole noted in an interview: "We are very conservative about compliance with all privacy laws. But even if you're following the law, you can do things where people get queasy" (Hill, 2012).

The controversy faced by Target exemplifies a growing data management issue faced by businesses: Consent might be all that the law requires to gather this wealth of information, but customers are beginning to demand that businesses use this information in a responsible, not merely legally compliant, manner. Microsoft Chief Privacy Strategist Peter Cullen (2012) pointed out: "Privacy frameworks relying heavily on individual notice and consent are neither sustainable in the face of dramatic increases in the volume and velocity of information flows, nor desirable because of the burden they place on individuals. Generally, people [agree] that new approaches to privacy protection must shift responsibility away from individuals to organizations which use data, driving a focus on what uses of that data are permitted, as well as on accountability for responsible data stewardship rather than mere compliance."

As highlighted by Peter Cullen's remarks and other materials from the Microsoft Global Privacy Summit (Cate & Mayer-Schönberger, 2012), the legal requirements of notice and consent are simply not working in the current data environment, where data collection is pervasive. In most instances, the original laws did not foresee the massive amounts of data that would be collected across environments, and few laws envision data collection from a global perspective. Moreover, even if businesses collect information in a legally compliant manner, consumers are growing uneasy about the use of personal information in such a wide-scale manner. This situation is quickly changing, however, as legislative bodies around the world begin to respond to individuals' demands in relation to their data/information. Accordingly, businesses must begin to develop policy that reflects the emerging trends in data management and protection. While it may seem easier and less costly to sit back and wait for the trends to become full-fledged law, customers will no longer delay for these protections and will find it increasingly difficult to understand the apathy of business toward data protection. Businesses must begin to act now to ensure a data/information policy that recognizes the importance of data protection. Simply put: It is most likely time you update your data/information policy and, in doing so, you should consider both consumer expectations and current trends in emerging global data protection legal requirements.

3. U.S. legal requirements and the emerging trends

Like so many other nations, the United States has no comprehensive data protection legislation. Instead, it employs a sectoral approach featuring a mix of legislation, regulation, and self-regulation. The practical reality of this method is that businesses must navigate a plethora of laws and regulations that vary based upon the jurisdiction, the nature of the information, and even the type of user about which information is collected. Fortunately for business, the current approach to data/information management places emphasis upon self-regulatory measures and provides no real sanctions in the event of data loss. This may be about to change, however, as there has been a recent push to harmonize the law in regard to data/information management. Within these reform efforts two key areas must be explored, as the approaches within these activities are reflective of the larger policy changes most likely forthcoming within data/information management legislation.

3.1. Proposed federal privacy law

Within the United States, data/information management law is an interesting and confusing mix of state and federal law. The absence of a single legislative instrument covering data/information management has been problematic for both businesses and consumers. As such, Congress has attempted to implement federal legislation to harmonize this area of law. For example, Congress has considered bills such as the Commercial Privacy Bill of Rights, the Personal Data Privacy and Security Act, the Secure and Fortify Electronic Data Act, the Do Not Track Online Act, and the Data Security and Breach Notification Act. Each of these legislative attempts failed at some point in the legislative process. From a business policy development perspective, the failure to enact harmonized law is less important than the shifts in focus and responsibility that recur across the texts. In this instance, similarities exist, many of which are so fundamental that businesses will need to take note of them in their data/information policy development. For example, the majority of the aforementioned Congressional bills emphasized three key areas: (1) the creation of Federal Trade Commission, or FTC, regulatory powers; (2) insistence upon consumers having the ability to see and correct information collected about them; and (3) the creation of limitations on the amount of information gathered, the end use, and the length of storage that a business may undertake, sometimes even down to a single transaction. In addition, the Do Not Track Online Act would have limited firms' ability to collect and use personal information obtained by tracking the online activity of an individual. As a result, some argue that the data/information management policy of the United States is shifting from a gather-with-consent, notify-on-failure system to one that restricts collection of information and heightens responsibilities in terms of information safekeeping.

While this shift is clearly gaining national attention, some argue that the most significant change is reflected within the U.S. Intellectual Property Enforcement Coordinator (2012) report titled Consumer Data Privacy in a Networked World. While this piece proposes basic principles for consumer privacy, it puts forth several other interesting notions, too. For example, it calls for the creation of enforcement powers to be vested in the Federal Trade Commission; insists upon cooperation amongst systems (i.e., international interoperability); and calls for the enactment of comprehensive, harmonized consumer data privacy legislation. Most importantly, the report creates a Consumer Privacy Bill of Rights intended to serve as a baseline for policy development. The report emphasizes the need for businesses to consider data management policy in light of: (1) individual control, (2) transparency, (3) respect for context, (4) security, (5) access and accuracy, (6) focused collection, and (7) accountability (U.S. Intellectual Property Enforcement Coordinator, 2012). As can be seen, these seven principles create the expectation that a business will need to prioritize data management and will be held accountable for it at each stage of the information/data management process. It is worth pointing out that Consumer Data Privacy in a Networked World suggests these principles are actual rights of consumers. As such, under this plan consumers will be empowered to hold the business responsible for many common data-related issues such as the misuse, loss, or theft of data. Clearly, a shift in policy focus is occurring on the legislative front. In addition to existing expectations, businesses will soon be permitted to gather less information, will be able to use what is gathered for a limited time only, and will be held responsible for problems associated with data/information loss or mismanagement.

3.2. The Federal Trade Commission

As the reader will recall, one of the initiatives undertaken by the federal government was to empower the Federal Trade Commission regarding consumer data protection. In response to this charge, the FTC issued a report titled Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers. This piece is particularly relevant to business as it is intended to serve as a framework for the creation of best practices in policy creation (Federal Trade Commission, 2012). At the heart of the framework stand three policy approaches: (1) privacy by design, (2) simplified choice for businesses and consumers, and (3) greater transparency. Each of these highlights the need for business to consider a shift in current practices.

First, the report emphasizes the concept of privacy by design. At its most basic, this principle means that a business should implement data/information protections at each stage of business practice. For example, businesses should incorporate privacy protections such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy (Federal Trade Commission, 2012). However, the concept seems to embody much more than basic implementation, as the language seems to suggest firms need to ensure a proactive approach to data management. In these situations, the business would need to certify that data protections are in place and a part of all phases of the data management process. For example, one could imagine the need to create a business culture that insists upon a high level of attention being paid to data management. The creation of a data-sensitive business culture, as can be seen from the research reported in the introduction, is something that businesses tend to currently lack.

Second, in an effort to recognize the need to emphasize consumer choice, the recommendations allow businesses to gather information without consent when the data collected is purposed for and consistent with the context of the transaction or the company's relationship with the consumer (Federal Trade Commission, 2012). Presumably, this provision would allow the business to collect information such as name, address, and credit card information when the business is engaged in a sales transaction. However, the recommendations will most likely be interpreted to prevent the collection of personal information as an identity or authentication device. For example, many information-gathering platforms currently require the individual to enter credit card or address information as a verification of age or as an authentication of a live person. This could be prohibited under the recommendations, which in turn will require businesses to create new means of age verification and fraud prevention. The recommendations place limits upon the presumptive consent provision by clarifying the need for consent when: (1) the business is using the consumer data in a materially different manner than claimed when the data was collected, or (2) the business is collecting sensitive data for certain purposes (Federal Trade Commission, 2012). Consequently, businesses using data in a new or unexpected manner, based on the situation, would need to offer consumers the choice of opting out, and would need to obtain consent for any new data use. Moreover, the collection of data that could be thought of as sensitive, which may include anything from a birthdate to a social security number, would always require consent.

Finally, the report mirrors some of the previously discussed legal initiatives when it calls for the implementation of several key federal laws designed to harmonize consumer data protection. It is highly likely that the time is right for the creation of data protection legislation. The FTC report signals to businesses that the legislative wheels within the United States intend to create a data/information management and protection system that insists upon businesses gathering, handling, and storing information with heightened attention on prioritizing data management at each stage of the process. Probably most important to the firm is the plausible implementation of a system, through the use of the FTC, which will penalize businesses that do not prioritize data protection.

4. Considerations of foreign law

Before the late 1990s, data privacy was comprehensively regulated in only a few countries. Those few data laws had mostly local effects and rarely caught the attention of compliance officers at corporate headquarters. However, compliance with foreign data management/privacy laws has now become extremely important for multinational businesses, even those that merely engage in the provision of services in an online environment. Consequently, it is no longer enough for business to only consider domestic law and policy; in today's globally connected environment, firms must also give weight to developments in foreign law and policy. At the current time there is one particular European Union legislative attempt that is garnering much attention in data management circles, primarily because the initiative captures businesses located outside the European Union within its powers.

The potential application of foreign law to your business data/information activities should not be overlooked, as the United States is not the only country paying attention to data/information management. In fact, as will be explored, several countries and regions are farther along in their data/information management reform efforts. In many of these situations, businesses may be surprised to learn that foreign law has been created to respond to a global data/information environment. As a result, foreign law: (1) may apply to some of your data/information management, (2) is likely more protective of information, and (3) may even provide for significant penalties for data management related issues. Consequently, businesses must consider if their data is or could be considered to be covered by foreign law when creating data/information policy.

4.1. Where is your data?


Surprisingly, many businesses fail to ask an essential question in terms of their data policy: Where is your data? Of course, this question would have seemed a bit strange in 1985. Any business would have had a very good idea that its data was on a few office computers, employees' desks, and in the file room. Recent technology advances, however, have made this question far more complex. Your company's data is now likely stored on internal servers, cloud servers, desktops, laptops, touchpads, smart phones, social media sites, and, just maybe, employee desks and in the file room down the hall. This growing intricacy means that your business needs to give serious thought to the location of your data, as laws that govern how you manage and share that data are often vastly different in foreign jurisdictions.

One small example highlights the growing use of business data in a globally connected world. According to Putting a Price on Direct Marketing, a study by the Direct Marketing Association (DMA), businesses in the United Kingdom spent £14.2 billion on direct marketing in 2011 and forecast their expenditure to increase by 7% in 2012 to nearly £15.2 billion (Direct Marketing Association, 2012). The DMA attributes the vast majority of this growth to increased expenditure on digital marketing. Of course, digital marketing occurs through a combination of push-and-pull Internet technologies to execute marketing campaigns that often gather large amounts of information in relation to the firm's customers, website visitors, and online social engagements. The use of the Internet to market products and services, even those primarily based in or occurring at a physical location, often means that you, as a business, must be concerned with both the location where you are gathering the information and where it will be used/stored. And in an Internet-connected world, this means you need to consider foreign law in the development of your data policy.

4.2. The staggering scope and impact of new European Union law
The foreign law drawing the most attention from U.S.-based businesses is the new European Union draft Data Protection Regulation. This is intended to bring legislation in line with the demands of the 21st century by attempting to strike a balance between protecting individuals' rights to data privacy and preserving the commercial freedoms of companies to engage with consumers. However, the Regulation seems to have crafted the balance in a manner that significantly favors the individual. Consequently, the Regulation takes the position that personal data should not be processed at all, except when the business can demonstrate transparency, legitimate purpose, and proportionality in relation to personal information. It is immediately apparent that this is a fundamentally different approach than the approach to data management being created within the United States. It is important to note that the Regulation seems clear in specifying that any business not established in the European Union whose processing activities relate to the offering of goods or services to EU data subjects, or which monitors their behavior, shall have the same obligations as European Union businesses (European Commission, 2012). So, should this Regulation come into effect, and it might, as early as late 2015, any such U.S.-based business will need to comply with the Regulation.

To verify the application of this Regulation to a U.S.-based business, several determinations must be made. First, the business needs to consider if it is gathering the personal information of someone located in the European Union. Within the Regulation, personal data is defined as any information relating to an identified or identifiable natural person, and the identification can occur either directly or indirectly (European Commission, 2012, Article 2a). In effect, the collection of personal data occurs when someone is able to link the information to an individual, even if the person holding the data cannot make this link. Some examples of personal data include addresses, credit card numbers, bank statements, criminal records, and employment information. In fact, under the Regulation, IP addresses are classed as personal data, even if the information is contained in anonymized batches. Consequently, businesses must understand that it is irrelevant whether the link between information and the person is made by, or even facilitated by, the business in question. It is the collection of the information that is sufficient to trigger compliance with the Regulation.

The business also needs to consider if it is performing a processing function in relation to the personal information gathered. Within the Regulation, processing means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (European Commission, 2012, Article 2b). Based on this definition, it is easy to appreciate that any online business trading, providing services, or monitoring the activities of any European Union-based persons or businesses would most likely be processing data. In fact, it has been argued that the use of processing equipment located in the European Union would be sufficient to trigger the application of this Regulation to a U.S.-based business. Frankly, if you are now asking yourself whether this Regulation might apply to your business activities, it probably will when it comes into effect.

Businesses in the position to develop policy that reflects the EU Regulation will most likely be surprised at the approach that the Regulation takes toward data/information gathering and use. For example, the Regulation places significant limits on the information that can be gathered. Under the Regulation, personal data: (1) can only be collected for specified, explicit, and legitimate purposes; (2) may not be further processed in a way incompatible with those purposes; and (3) is to be limited to the minimum necessary in relation to the purpose for which it is processed. Ultimately, businesses can only gather information that is critical to the furtherance of the transaction, and that purpose must be specifically spelled out to the customer. As such, your firm most likely can gather information regarding a client's address for the purpose of shipment, but not then use that information to market products to the individual without his/her express consent. Additionally, businesses are only allowed to process personal data if the purposes of the information processing could not be fulfilled through the use of non-personal information. Fundamentally, if the business can perform its task without the collection of personal data, it must do so.

Also interesting is the Regulation's strict approach toward preventing businesses from trying to overcome the limitations placed upon them by merely transferring the data/information outside the European Union. Within the Regulation, personal data may only be transferred to third countries if that country provides an adequate level of protection. Because the United States is still in the developmental stages of harmonized, comprehensive data management legislation, the European Union has determined that it does not provide adequate protections to personal data. As such, each individual U.S.-based business transferring personal information gathered or processed in the European Union will need to demonstrate compliance with the Data Protection Directive (European Parliament, 1995).

Finally, in a provision that will be most surprising to many U.S.-based businesses, the Regulation contains enforcement mechanisms unheralded in previous pieces of legislation. For example, it gives power to the Data Protection Authorities (think FTC, but more powerful) to impose fines of up to €1,000,000 or, in the case of an enterprise, up to 2% of its global annual turnover in the event of a breach of data laws. The provisions go even further, however, by also allowing the Data Protection Authorities to impose criminal sanctions (Article 78) and/or civil sanctions (Article 77), including the right to damages for individuals and entities harmed by the loss of data (European Commission, 2012).

5. Recommendations
Hopefully by this point, it is clear that legislative initiatives in both the EU and U.S. are about to necessitate new data/information management policies that fundamentally change the manner in which companies gather, transmit, use, store, and retain data. This article really only skims the surface of the issue in terms of the manner in which business data/information management policy must seek to protect data. While rms await the conrmation of nal legislation, now is the perfect time to update your data policy, as there is a clear shift in approach taken

BUSINESS LAW & ETHICS CORNER toward data management. Currently, business must at a minimum ensure two things: (1) consent, and (2) reporting when a data breach occurs. Of course, these two things are based upon a business guaranteeing best practices when gathering, using, handling, sharing, storing, and removing information gathered. However, in the not-too-distant future, legislative initiatives will demand much more from businesses in terms of data management. As regards policy development, it is essential that rms consider the emerging standard of accountability at each stage of the process and develop data/information policy that reects this shift. To accomplish this, business needs to certify that any policy ensures a high level of data security, insists upon reasonably limiting data collection and data retention, includes provisions in terms of the timely disposing of data, and creates policy that guarantees the accuracy of the data. Moreover, businesses need to begin to understand that some information/ data should be considered sensitive and, as such, additional protections should be in place for the dissemination, protection, correction, and deletion of such information. Equally as important, businesses should undertake an examination of any processes that gather information. Collected data must be necessary for conducting the deal and used in a manner consistent with the transaction. If not, consent for further use might be necessary and is probably something that the individual will expect. Even in the absence of legal requirements, this is one area that is clearly making individuals uneasy and should be considered within the development of data management policy. Although only briey touched upon within this article, businesses must ensure that internal employee policies concerning data management are clearly stated, respected by staff, and adequately enforced. 
Accountability at every stage of the process will most likely be considered to include the manner in which employees handle information. Many businesses are attempting to reduce employee-related risks in relation to their personal data processing activities by limiting employee access to data on a tighter, need-to-use basis. In the future, though, it will most likely not be enough that your company reports data breaches; instead, the expectation will be for your rm to create silos of information, have robust passwords, encrypt sensitive information, monitor employees to prevent data breaches, and develop a culture of attention to data protection. Your company needs to assert control over its data, regardless of any outsourcing agreements. Accountability at each stage of the process will

519 most likely mean that businesses cannot insulate themselves from liability when shifting, transferring, or sharing information with an outsourced provider. Consequently, the business policy and the contract with any of your outsourced providers of services needs to reect a robust attention to the protection of personal information/data. As most businesses are hopefully aware, rms should implement a breach-notication process that includes procedures for early detections of breaches and enhanced incident management processes that comply with already-existing regulation. In general, any data breach must be reported to the relevant authority, even if protective measuressuch as encryptionare in place or the likelihood of harm is low. Businesses need to consider and plan for the reality of an online world that deals in data transmission, sharing, and storing in a global environment. As such, rms must also consider the following: (1) Where are you gathering, using, and storing data/information? (2) Are you marketing, advertising, or otherwise sending information/data into a foreign jurisdiction, such as advertising a product/service online? (3) Are any of your data transfers occurring into or through the use of systems located in a country that lacks adequate data protection regulations? When reaching into, transmitting through, or storing information in a foreign jurisdictionwhich may even include internal transfers of information amongst business subsidiariesyou should remember that many countries legal systems protect personal data at a much higher level, sometimes even treating information as belonging to the individual (as opposed to the entity collecting the information). As such, a more robust data/information policy is in order. In addition to the aforementioned issues, the policy should also consider that most foreign jurisdictions protect more information than the United States. 
Currently, the most important thing for a business to consider is the imposition of clear and informed consent for the collection and use of data. Toward this end, businesses must ensure that their data policy is transparent and that any changes to the policy are agreed to by all impacted parties. Should your business be engaged in any activity that may implicate the application of European Union law, such as the Regulation previously discussed, it is fundamental that you appreciate the wide divergence between the U.S. and EU approaches to data management. And should the Regulation come into force, U.S.-based businesses will need to ensure that their data management policies reflect a strong protection of personal information. As such, data management policy will need to be developed to guarantee that: (1) any information collected is necessary to facilitate the transaction, (2) the information is only collected for the specified purpose, and (3) the information is not further processed in an unexpected and/or unnecessary manner.

Finally, one of the widely discussed topics within the EU Regulation is the right to be forgotten. Because this particular issue has been covered so well elsewhere, it has not been addressed in detail herein; however, this does not mean the issue should be overlooked within your data management policy. The EU Regulation requires businesses to allow an individual to be forgotten by the organization. In practice, this will facilitate creation of a policy that enables individuals to demand that organizations erase records that contain their personal information.


6. Conclusion
Chances are good that your business data management policy is long out-of-date and lacks a robust approach to data management. Accordingly, it is time to update your policy, as significant and far-reaching legal changes are about to occur within the data management world. Just on the horizon is U.S. federal legislation, which requires businesses to create a data/information management and protection system that prioritizes data management at each stage of the information/data management process. And the new policy initiatives do not end with the United States, as many other countries are also in the process of updating their data management regulations. Given that the proposed financial penalties for non-compliance are significant, businesses should begin to take steps to ensure priority is being given to data management during the entirety of the data process.

Acknowledgment
My thanks to Joseph Kaufmann, Anthony Kelly, and TK IT Consulting, LLC for their assistance in the writing of this article. All opinions are those of the author.
