Post By: Stefan Vucicevic, Tech Writer at Jatheon Technologies
As Covid-19 hits regulated industries, an increasing number of data requests will start pouring in. But when companies are struggling to find their footing, with resources and staff scattered across locations, how can they ensure full compliance with the laws that govern regulated industries?
We have now lived and worked for months with the global pandemic of the novel coronavirus. And while we have learned something about it, and from it, we are still struggling to anticipate the full extent of its impact.
In the realm of information management, the unpredictable nature of the virus has been particularly hard on regulated industries. It is the regulated industries, such as the public sector, healthcare, and education, that we all look to for a response and guidance. Not coincidentally, it is in these same industries that compliance regulations are the most stringent. And the key issue is that when a pandemic hits, privacy protection does not stop. In fact, it becomes even more important.
But, there’s another aspect to factor in.
The pandemic has shone a light on many aspects of business operations that were never quick or nimble, and has only exacerbated existing failings.
Local governments, schools, and hospitals were all caught off guard, yet needed to quickly raise their game and provide a meaningful response. Local council meetings went online and classrooms became virtual. Work became remote.
But what happened to privacy and compliance? Where have they gone? And perhaps more importantly, where do they go from here?
Unmonitored Channels Are a Recipe for Non-Compliance
Before the pandemic forced companies to move some or all of their operations to remote work, they were already strained by trying to keep up with the rapid expansion of communication channels.
In healthcare, for instance, patients used mobile apps to book their examinations and consult with their doctors. In education, teachers used video conferencing tools, online learning platforms, social media, and email to communicate with students and talk to parents. In financial services, sales teams used instant messaging tools to talk to prospects and follow up with existing accounts. All of this information is considered an official business record, and so organizations are required to preserve it for a defined retention period.
Then the pandemic happened.
All of a sudden, those same communication channels were being accessed from personal computers, home networks and personal mobile devices, often left unattended or riddled with serious security shortcomings.
This gave rise to many questions.
First, if a company did not have a clear policy on the use of personal versus company-owned devices, who would be responsible if a network was compromised and data leaked or erased? The employee or the employer? In practice, regulators will look to the organization that holds the data, whichever device the breach came through.
And whoever might be responsible, what do you do in the wake of the attack? Some security and privacy incidents are beyond repair, and the fines can be enormous.
More importantly, perhaps, a tarnished reputation is today almost impossible to repair. If a single client is affected, whether through negligence or intentional misconduct, the results will be similar. Companies will face enforcement action from the relevant authorities and lawsuits from the affected client. And prospective clients will suddenly stop returning your calls. That is, if you are not barred from operating altogether.
And all of this because of a single email or text that got away, slipped through the cracks and was never preserved as required.
The truth is that no one has the time to ponder where responsibility lies. Especially not during a pandemic.
Companies want all their information securely sealed and locked away, far from any security and compliance incidents. Patients want all their health records safely stored, with zero chances of their personal information getting out in the open. Parents want their children’s schooling to be safe online. Employees want their privacy protected in the workplace.
And while ensuring privacy protection and compliance is a complex matter, it should be your top priority right now.
What Happens During the Pandemic Will Certainly Get Out
Right now, no one can say with certainty how long the pandemic will last. But it is certain that regulated industries will not soon forget the challenges of transitioning to remote work.
Neither will regulators. As new ways of doing business are discovered, legislation will evolve to govern those new channels, which means company documentation will be essential. The adoption of GDPR and CCPA has led to a wave of new privacy laws that give individuals more control over their personal data, and going forward, these laws will continue to expand those rights.
And where better to exercise these rights than during a global-scale event? Take healthcare for example. Patients will want to know how hospitals handled their records and test results. Who had access to their files? How was this communicated? How did the hospital share this data with health authorities?
It is safe to assume that the number of data requests will rise in the coming period, whether they arrive as access requests from individuals, public-records requests to government bodies, or eDiscovery demands in litigation. People know they can ask a government agency, hospital, school, or company to see the records it holds about them, although the exact right, and the deadline for responding, depends on the jurisdiction and the type of organization.
Then there is the heightened sense of fear caused by the pandemic. People will want to be extra cautious about how information about them is collected and stored.
And there is more here than just hypothesis. The US Department of Justice has reported that in 2019 alone federal agencies received 858,952 FOIA requests, continuing the upward trend of the past decade. It is also worth noting that there were about 120,000 backlogged requests in 2019, a decrease compared to the year before. This suggests agencies are keeping up with the rise in requests, but still have a long way to go.
If you have preserved all the relevant records, it is easy to justify your actions, both to regulators and to clients. But building that capability is a long process, one that first requires companies to understand what falls within the scope of their records retention obligations.
Ensuring Compliance Starts Within
Objectively speaking, archiving and compliance software has a clear role to play in the grand scheme of compliance: there is so much data right now, and it will only grow in the future, so it is futile to try to do things manually. Whatever we can automate, we should. Especially if it will save our company, and our clients, from privacy harm.
So, what can we do to ensure compliance and keep up with the rise in data requests?
First, we need to understand what data we must preserve and what we do not. What is a must-have and what is merely nice to have?
To answer that, we need to take a step back and make sure there are clear boundaries and responsibilities with respect to compliance and data protection.
Now, this may sound redundant, but bear with me: regulated organizations can be slow-moving, and information gets segmented and locked away in silos where departments and their systems do not talk to each other. Instead of a single authoritative record there are various backups of the same information, most of them partial. That is how pieces of information that could prove crucial get lost. So here is what you first need to establish:
- Is there a go-to team within your organization in charge of compliance?
- Who in that department is responsible for which part?
- Do you track records retention per client, per channel, per vertical, or is there a single function responsible for records retention across the organization?
- Which channels do you use across the company? This includes legal, administration, sales, marketing and HR. When was the policy covering these channels last updated?
Only once you have this information and have defined processes that can be continuously improved should you start looking for software to automate them. But in today's business world, where customers are the focus, companies also need to ask themselves the age-old question: what can I do to make this right?
About the Author: Stefan Vucicevic is a tech writer for Jatheon Technologies, an enterprise information archiving company that specializes in email and social media archiving solutions for organizations in regulated industries globally. Founded in 2004, Jatheon is recognized as an information archiving pioneer, providing regulated industry players with a comprehensive archiving system in a variety of customizable deployments.
At Jatheon, Stefan covers information archiving and data privacy topics in regulated industries, including education, healthcare, and the public sector.