Data Privacy Laws: An Inflection Point for Information Managers


I have written about this topic several times, but with recent changes, I wanted to jump into it again. The basic premise is that with the rising numbers of data privacy bills becoming law, the Information Management/Records Management profession will face managing much greater amounts of corporate data.

The progression of cloud-based computing and data management has led to an explosion of data collection, data selling, data analysis, and data hoarding (the opposite of data minimization) by companies worldwide. As a result, there has been growing concern that data security and privacy need to catch up with the new cyber-theft technologies, leading to the inevitable implementation of new data privacy laws. These more recent data privacy laws, such as the EU’s GDPR and California’s CCPA/CPRA, are becoming an inflection point for the information management profession.

The Impact of Data Privacy Laws

Data privacy laws require companies to obtain consent from individuals before collecting and using their personal information (PI). They also require companies (if requested) to disclose how they will use this data and to allow individuals to access, correct, or delete their data upon request. Failure to comply with these laws can result in significant fines, legal action, and bad press.

The EU’s GDPR and California’s CCPA/CPRA data privacy laws have significantly impacted how companies collect and use data. They have forced companies to be more transparent about their data collection and use practices and to ensure that individuals have greater control over their PI. In addition, these laws have increased awareness of data privacy issues among individuals, leading to more informed decisions about how they share their personal information, as well as to increasing numbers of data subject access requests (DSARs) being filed with companies.

With more states passing data privacy laws, data collectors are being forced to adapt to an increasingly complex data privacy landscape. Imagine being required to track each individual’s PI based on individual state data privacy definitions, rights, and requirements, including when consent was given and for what specific use.

Data Privacy Laws and Information Management

New privacy laws are beginning to significantly impact information management practices and will continue to do so. Companies must now take a more strategic and inclusive approach to data collection and management, considering the potential legal and financial risks associated with non-compliance. This is leading to a necessary shift in the way companies think about and manage data, with a greater emphasis on data inclusion, governance, and compliance.

Data inclusion refers to the need for data not currently centrally managed by information management applications, such as data held locally by employees on their individual workstations and laptops, to be included in ongoing information management activities.

Could employees be storing content that includes PI on their laptops?

Data governance refers to the policies, procedures, and technologies that enable organizations to manage their data assets. This includes data quality management, data security, and data privacy. With the implementation of data privacy laws, companies must now incorporate data privacy into their data governance strategies, ensuring that personal data is collected, used, and stored in a compliant manner.

Because of the new laws, companies will now be forced to manage ALL data within their environment, including all data held locally on employee devices.

Why?

Data subjects now have the right to query companies on what of their PI the company is storing, whether it has been sold, how it’s being used, and for what purposes. Data subjects now also have the right to have their PI permanently deleted (if there are no regulatory or legal requirements to keep it). These rights are absolute, meaning an organization must completely comply with data subject requests, not just give it their best try – all within a specific timeframe.

For example, what if Bob Smith filed a data subject access request (DSAR) asking if the company was storing any of his PI and, if so, requesting that it be deleted? How would IT search all employee devices for all PI on Bob Smith?

Because of these new data privacy rights, companies will be forced to either somehow ensure all PI cannot be stored on local employee workstations or actively manage all employee data centrally. Besides the cultural impact on employee data, IT having access to all data on a laptop, indexing it for easy search, and applying retention/disposition policies will be a significant undertaking.

Consider that organizations currently manage only 5-10% of all corporate data: the portion they consider “regulated records.” Now, IT and information management professionals will be looking at 10 to 20 times more data to manage with more complex and granular policies.

New ways to manage all corporate data

Data privacy laws have also led to the development of new technologies and solutions to manage personal data. For example, consent management platforms enable companies to obtain and manage consent from individuals for collecting and using their personal data.

Data mapping tools will help companies identify where personal data is located within their central enterprise and how it is used. But do these data mapping tools have the ability to scan individual employee laptops?

Additionally, “manage in place” applications rarely reach out to individual workstations – making total PI management impossible.

The Future of Information Management

Data privacy laws are just the beginning of a new era of information management. As technology continues to evolve, the amount of data collected and used by companies will only increase. This will require new strategies and solutions to ensure that personal data is managed in a compliant and secure manner.

One area of focus for the future of information management will be the use of artificial intelligence (AI) and machine learning (ML) to automate data privacy compliance. AI and ML can be used to analyze data collection and usage patterns, identify potential risks, and automate data subject access requests. This will enable companies to manage personal data more efficiently and effectively while reducing the risk of non-compliance.

Another area of focus for the future of information management will be the development of new technologies and solutions to protect personal data. This will include using blockchain technology, which can be used to create secure, decentralized systems for managing personal data. It will also include developing and using new data encryption technologies such as field-level encryption, secure multiparty computation, data masking, and homomorphic encryption – which allows encrypted data to be used without needing to decrypt it.

This means that PI will need to be encrypted in transit, at rest, AND while in use, ensuring that the company and individual data subjects cannot be extorted by threatening to release their PI on the dark web.

These new security measures will help protect personal data from cyber theft, ransomware, and extortionware.

Effective data privacy is dependent on evolving data security

Data privacy laws are the new inflection point for the information management profession. The laws have forced companies to take a more strategic approach to data collection and management, incorporating data privacy and security into their data governance strategies. They have also led to the development of new technologies and solutions to manage personal data anywhere in the enterprise.

The amount of data collected and used by companies will only increase. Additionally, as data privacy laws and technology continue to evolve, organizational risk will continue to rise. This new environment will require new strategies and solutions to ensure that personal data is managed in a compliant and secure manner.

However, AI and ML will partially automate data privacy compliance, including who can move PI, where, and who can access it. AI will automatically recognize PI in documents, encrypt it with the correct permissions, and store it in special, secure repositories.

Additionally, AI/ML-assisted granular data security capabilities and more pervasive data encryption use will ensure cyber-theft and extortionware will be less successful, which will, in turn, possibly reduce cyber-liability insurance rates.

But information management professionals will quickly be dealing with a great deal more data to manage.
