Choices and opportunities

A new generation of state data protection regulations is emerging that dramatically will impact data destruction service providers and their clients. In so doing, these regulations will put additional pressure and importance on the data protection certifications that verify compliance.

While data protection regulations rank with insurance and contracts as being among the least exciting aspects of doing business, the reality is that those very same regulations (and the fines and headlines stemming from them) are the primary reason data destruction now is such a high priority.

What’s happening?

In May 2018, the European Union’s General Data Protection Regulation (GDPR) took a “data-protection-as-a-human-right” approach to a new level, not only upping the penalties for allowing unauthorized access to information but also giving data subjects (individuals) new rights and controls over how organizations collect, retain, share and process their personal information.

Then, in the U.S., with the GDPR having laid the groundwork and the continued abuses of personal information exemplified by the Cambridge Analytica scandal, the states themselves began taking the matter of data protection rights into their own hands in the face of federal gridlock. Of course, this isn’t the first time they have done this. U.S. states did the same when the federal government remained silent on identity fraud and breach notification.

California was the first state to pass a law giving individuals new controls and protections over their personal information, followed by Colorado, North Carolina and Virginia. Utah and Florida have similar regulations waiting for their governors’ signatures. At the same time, Massachusetts, New York and Pennsylvania have similar laws in committee, and more than a dozen other states are reviewing similar proposals.

As it stands, clearly data-subject-rights regulations are coming to all states and this decade will be to data subjects’ rights what the 2000s were to data breach notification.

What are data-subject rights?

These new regulations give individuals far more control over how their personal information is collected, protected, retained and processed. For instance, in addition to assuring no unauthorized access to personal information occurs, an organization that is collecting personal information cannot retain it for longer than is needed nor can it share the information with any third parties without the individual’s written permission.

Many of these new rights actually show up by way of additional transparency requirements, such as organizations giving an individual the right to review and correct his or her personal information, requiring the data controller (e.g., banks, hospitals, Facebook, Google, etc.) to provide all relevant personal information to the data subject upon request. Where the rubber hits the road for service providers is that these regulations give individuals the right to request information about data processors on which a data controller relies to prevent unauthorized access, including their data destruction and information technology asset disposition (ITAD) services. This means an individual can request not only the name but the actual policies and procedures and even the contracts of those service providers.

Should the data subject be inclined to contact that service provider—as is his or her right—to obtain additional information, that service provider is obligated to respond (though the nature of that response might simply be to acknowledge the request and direct the individual back to the data controller).

The impact on data destruction firms and certifications

In a world where individuals have the right to request information about policies and procedures regarding data destruction and ITAD from banks, hospitals and insurance companies, it’s not a stretch to realize those same organizations are going to be extra careful about vendors they hire. The ability of those service providers to withstand such scrutiny is imperative.

It also is important to note that under these new regulations, organizations, be it the data controller (the client) or the data processor (the service provider), will have no choice but to respond because not responding results in automatic fines and, where the regulations allow, leads to an additional risk of lawsuits that are virtually impossible to defend.

This isn’t necessarily bad news so long as the service provider is prepared to welcome such scrutiny. In fact, for those service providers that are prepared, these new regulations will lead to a boon, going a long way to eliminate competition from service providers skirting (or unaware of) their regulatory compliance requirements.

Certifications and global compliance

There is little doubt an increased level of service provider scrutiny will further advance the relevance of data protection certifications, especially where those certifications diligently verify compliance with new regulations.

Within the last year, i-SIGMA’s National Association for Information Destruction (NAID) AAA certification, a widely recognized data-related compliance certification, has added a requirement for service providers to name a data protection officer, as well as a requirement for service providers to have a Data Subject Response Policy stated in their policies and procedures. These additional requirements were aimed directly at harmonizing the certification program with the new regulatory requirements.

Of course, the fact that other countries, and even within the U.S., have differences in their regulations makes compliance and certifications tricky. All these new regulations are borderless, too, meaning they apply to the citizen of the jurisdiction regardless of which borders they are in. For example, a hotel in Florida may be viewed by California as violating the rights of a Californian citizen—and this is more than a technical issue. Countries and states actually have prosecuted, fined and sanctioned organizations outside their borders for violating their citizens’ rights.

The good news is that as long as a certification is responsive to all data protection requirements, the certification can simplify compliance with remote regulations by harmonizing with all of them, thereby defaulting to the common denominator. This is the only practical strategy, not only for certifications but also for data controllers and data processors.

Compliance monitoring: The next level certification

Given the escalation of data protection laws, the role of NAID AAA certification has evolved dramatically over the past several decades. Where service providers once used it as a source of differentiation, it now serves to inform them on being compliant with global data protection regulations. In the past, it gave the client a sense of comfort that someone else was looking at their vendor, but it now serves as the initial and ongoing service provider due diligence required by law.

The arrival of data-subject-rights legislation takes that role to the next level in many ways and, in so doing, warrants improved tools by which clients can demonstrate their service provider selection and monitoring.

As a result, i-SIGMA now offers a free compliance monitoring service (CMS) to data controllers, wherein clients directly can obtain and continually receive automatic service provider compliance updates—providing tangible evidence of the service provider qualifications and processes the client has a regulatory duty to track. The reports—initial and ongoing—which clients anonymously request, are sent to them directly, further validating its authenticity and reporting on a detailed and customized basis the compliance status of the particular vendor.

Obviously, the criteria evaluated and reported by the CMS are gleaned from NAID AAA certification audits and, as a result, this client-facing, client-serving tool is only available when their service provider participates in the certification program. Early evidence suggests the i-SIGMA CMS will grow to be a highly valued tool for our members’ clients, and as the association more widely promotes it to clients facing new data-subject-rights regulations, the association is betting heavily on its popularity.

Activism and lawsuits

Of the more significant risks related to this new generation of regulations are provisions allowing the “Private Right of Action,” wherein a private citizen legally is entitled to enforce their rights under a given statute. This differs from situations in which a state or the federal government enforces something like legal violations under a statute. It also means violations are sufficient to bring suit even in the absence of demonstrated damages.

This low threshold drastically increases the likelihood of lawsuits and activism. Though unintended, it is easy to image individuals testing a data controllers’ (or data processors’) preparedness simply to expose the opportunity to collect, and it is just as easy to imagine legal professionals ready to assist in this endeavor.

Data destruction and ITAD service providers need to prepare. Whether the coming tide is a boon or bust is largely dependent on the difference of being proactive or reactive. While the calculus is one of economic fortune, it also is one of responsibility. It is worth considering that service providers have a professional duty to be prepared themselves while at the same time preparing their clients. That is the choice, and that is the opportunity.

Bob Johnson is the CEO of Phoenix-based i-SIGMA. He can be reached at rjohnson@isigmaonline.org.