How does an enterprise reconcile cross-border retention, preservation, and discovery obligations with competing data protection principles that call for data minimisation and storage limitations along with the rights of erasure and restriction of processing? Very carefully.
Building a functioning enterprise Information Governance program can be challenging in the best of situations. The complexities multiply when the enterprise has an international presence and faces conflicting cross-border legal obligations and contrasting legal and social views on the protection of personal data. Put simply, how does a company operate an information governance program when one legal system it operates under requires extensive legal holds over vast quantities of data, while another legal system it operates under grants natural persons constitutional-level rights over the processing of their personal data? What are the evolving best practices for answering this question?
Best Practice #1: An enterprise information governance framework should seek to achieve an optimal balance between controlling information risk while supporting the extraction of information value.
The Sedona Conference, a U.S.-based think tank whose working groups publish on eDiscovery, information governance, and cross-border discovery, has defined information governance as “an organisation’s coordinated, interdisciplinary approach to satisfying information compliance requirements and managing information risks while optimising information value.” The challenge of achieving this optimal balance between controlling risk and extracting information value multiplies when conflicting international legal risks arise. Yet this core function must remain.
Best Practice #2: Develop or revise an enterprise information governance framework that actively considers the competing obligations for retention and timely disposition.
For enterprises operating internationally, it is dangerous to function in the blind hope that conflicting obligations between legal systems on the retention and disposition of information will never affect your enterprise. A simultaneous U.S. litigation hold and EU supervisory authority inquiry may wreak havoc on more than your legal budget. If your information governance framework assumes that these competing obligations will, at some point, come into direct conflict, you can be prepared to defend your organisation across multiple jurisdictions and legal systems.
Best Practice #3: Decisions on finding a functioning balance between retention and disposition of information should be fitted specifically to your organisation’s risk profile and its legitimate business requirements for the ongoing processing of the data.
Every enterprise operating internationally faces the challenge of dealing with competing, and sometimes conflicting, laws and cultural views of personal information. Decisions on how to address this situation are shaped by two elements: (1) the organisation’s exposure to legal risk in each jurisdiction to which it is subject; and (2) the organisation’s legal risk tolerance. When establishing an internal Information Governance framework and operational guidelines, these elements need to be considered, with particular thought given to the organisation’s legitimate business requirements for the ongoing processing of personal data. An important additional consideration is whether personal data can be segregated from other information that the business seeks to retain, or whether that personal data can otherwise be de-identified. Under most data protection laws, these issues fade away if the personal data is scrubbed or permanently rendered unreadable or no longer attributable to an identifiable natural person.
Best Practice #4: Identify challenges that are specific to your market segment or unique to your enterprise.
No two businesses are the same, but many in the same market segment share common concerns about the retention and disposition of information, particularly personal data. For example, businesses in life sciences, financial services, and insurance operate in very different circumstances, yet each collects and processes vast amounts of personal data in a highly regulated environment. Each segment, and each enterprise operating in that segment, must look at how it handles personal data under its own Information Governance framework and develop an approach that works within its environment.
Conclusion
Hopefully this brief examination provides ideas that outline both the complexity of and the opportunities for managing an Information Governance program in an international context.