5 Steps to Deal with the Torrent of Data Requests in Regulated Industries
The Covid-19 pandemic has dealt a huge blow to economies worldwide. Quick responses from regulated industries, including the public sector and healthcare, have been vital in suppressing the death toll, but they have also opened the door to data privacy infringements.
In the aftermath of the pandemic, we can expect a surge in the number of eDiscovery requests and litigation cases.
Most people affected by the coronavirus will want to know whether their privacy has been compromised and in what ways. And this goes beyond the healthcare sector.
These will include people who lost their jobs, as well as parents whose kids used unsafe communication tools to attend classes. And they will also want to know how healthcare institutions, regulatory bodies, and school districts handled their data.
Time to Prepare for Data Requests is Now
Whatever could be said of the preparedness of healthcare institutions and government agencies, we should give them the benefit of the doubt that they did their best to preserve as many lives as possible. Still, this won't absolve them from individual data retrieval requests.
People will want to get access to their medical files, whether to get a better understanding of their symptoms or to seek evidence of data mistreatment.
And that’s not all: individual requests are only one part of the issue. Regulatory bodies will also check for compliance with regulations on business records preservation. This affects a broad range of sectors, including K-12 schools and higher education institutions, law firms, financial organizations, and construction companies.
So what can organizations do to prepare for the inevitable rise in the number of data requests? We’ve compiled a list of steps that can help.
Step 1: Assign a responsible person
This might sound trivial, but companies often fail at this step. It’s essential: unless someone in your firm is specifically tasked with ensuring data compliance, chances are no one will pick up that responsibility.
That could lead to some use cases or files slipping through the cracks, which could expose the entire company to non-compliance. There are hundreds of regulations on information archiving in the US alone, so you should prioritize compliance no matter how large your organization is.
So first appoint a compliance officer, who will interpret the rules alongside your legal team. They should then create and implement comprehensive policies that define which data needs to be archived and how that information will be captured.
They should also perform random in-house checks to ensure all data is backed up securely and that all personnel know how to handle sensitive data and which communication tools to use.
One of the first steps toward data compliance is determining what data you actually hold. This is done through a data audit, which establishes exactly what information is held, why, and how it is stored, and identifies weaknesses in your processes, including those the GDPR requires where it applies to you. GDPR legislation can seem overwhelming and complicated, but being compliant is essential. If you lack the expertise in-house, engaging a specialist firm to carry out a full data audit can be the best route to full compliance.
Step 2: Identify which data needs archiving
This step requires thorough research but pays off in the long run. The key outcome is a list of all communication channels your employees use, followed by a decision on which of them are acceptable for your business.
You need to understand where your business records are discussed. Is it WhatsApp or Slack? Do you use Zoom or Skype? Can you capture all this information? In a worst-case scenario, will you have concrete evidence to prove you didn’t disclose your clients’ data?
Once you know the range of business communication channels in use, you will be much better placed to track, capture, and retain all this data.
Step 3: Automate information capturing
The number of communication channels has expanded vastly, and large organizations often find it difficult to keep track of all the places where information is exchanged. But even once you know where to look for business records, you still need to make sure no piece of information gets lost along the way.
To this end, rely on robust technology that captures this data automatically, without disrupting the work of your core departments. When selecting technology, choose software that fits your business needs. For instance, NDIS provider software could work for a disability care setting, as it can create comprehensive records you can access when they are requested.
You need an information archiving solution that can capture and search not just email, but also video calls, voice calls, instant messages, zipped files, attachments, and every other place where vital business information lives.
Step 4: Keep all data unaltered
To face the rising number of data retrieval requests, you need to keep all communication intact. Your organization will need to prove the authenticity and integrity of the information if it is used in a legal proceeding, which means preserving not just the message content but also its original metadata (sender, recipients, timestamps, attachments) and being able to show that none of it was altered after capture.
With a tamper-proof archiver, you preserve the original content and metadata of every message pertaining to a particular case.
So, where you expect an audit or investigation, implement technology that lets you place a legal hold. A legal hold preserves business communication indefinitely, even after its retention period would otherwise have expired, and it should be placed as soon as litigation or an investigation is reasonably anticipated, not when the request finally arrives.
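The two properties Step 4 asks for, proof that archived records were not altered and a legal hold that overrides normal retention, can be illustrated with a small hash-chained archive. The code below is an added example written for this article; it is not Jatheon's product code and does not claim to show how any particular archiver works internally. It assumes a simple design in which each record is hashed and chained to the previous one (a common tamper-evidence technique), and in which purging a record removes only its content while keeping its hashes as a tombstone, so the chain still verifies afterwards. The `Message`, `Record`, `Archive` names and the sample messages about a fictional "Atlas" matter are all constructed for the example. A production system would additionally anchor the chain head in write-once storage or an external timestamp service, which is out of scope here.

```python
"""Tamper-evident message archive with retention and legal hold (illustrative code
written for this article, not Jatheon's product; all sample data is constructed)."""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

GENESIS = "0" * 64


@dataclass
class Message:
    channel: str            # e.g. "email", "slack", "zoom-transcript"
    sender: str
    recipients: tuple
    sent_at: datetime
    body: str
    attachments: tuple = () # (filename, sha256 hex of the file) pairs


@dataclass
class Record:
    seq: int
    message: Optional[Message]  # None once the content has been purged (tombstone)
    retain_until: datetime
    content_hash: str           # sha256 over the canonical message
    prev_hash: str              # chain hash of the previous record
    chain_hash: str             # sha256(prev_hash | content_hash | seq)


def _content_hash(msg: Message) -> str:
    # Canonical JSON: sorted keys, fixed separators, datetimes as ISO text.
    data = json.dumps(asdict(msg), sort_keys=True, separators=(",", ":"), default=str)
    return hashlib.sha256(data.encode()).hexdigest()


def _chain_hash(prev: str, content: str, seq: int) -> str:
    return hashlib.sha256(f"{prev}|{content}|{seq}".encode()).hexdigest()


class Archive:
    def __init__(self) -> None:
        self.records = []
        self.holds = {}     # case id -> set of record seqs under legal hold

    def append(self, msg: Message, captured_at: datetime, retention: timedelta) -> Record:
        prev = self.records[-1].chain_hash if self.records else GENESIS
        seq, content = len(self.records), _content_hash(msg)
        rec = Record(seq, msg, captured_at + retention, content, prev, _chain_hash(prev, content, seq))
        self.records.append(rec)
        return rec

    def verify(self) -> tuple:
        """Recompute every hash: (True, -1) if intact, else (False, seq of first bad record)."""
        prev = GENESIS
        for rec in self.records:
            if rec.message is not None and _content_hash(rec.message) != rec.content_hash:
                return False, rec.seq   # content edited after capture
            if rec.prev_hash != prev or _chain_hash(prev, rec.content_hash, rec.seq) != rec.chain_hash:
                return False, rec.seq   # record inserted, removed or header edited
            prev = rec.chain_hash
        return True, -1

    def place_legal_hold(self, case_id: str, matches) -> int:
        """Hold every unpurged record whose message satisfies matches(); returns the count."""
        held = {r.seq for r in self.records if r.message is not None and matches(r.message)}
        self.holds.setdefault(case_id, set()).update(held)
        return len(held)

    def purge_expired(self, now: datetime) -> list:
        """Tombstone records past retention that no hold covers; returns purged seqs."""
        on_hold = set().union(*self.holds.values())
        purged = []
        for rec in self.records:
            if rec.message is None or rec.retain_until > now or rec.seq in on_hold:
                continue
            rec.message = None      # content gone; hashes stay so the chain still verifies
            purged.append(rec.seq)
        return purged


CAPTURED_AT = datetime(2020, 6, 1, 9, 0, tzinfo=timezone.utc)
RETENTION = timedelta(days=30)


def build_sample_archive() -> Archive:
    """Three constructed messages; the first two concern a fictional 'Atlas' matter."""
    archive = Archive()
    for msg in (
        Message("email", "alice@example.com", ("bob@example.com",), CAPTURED_AT,
                "Atlas contract draft attached.", (("atlas-draft.pdf", hashlib.sha256(b"draft").hexdigest()),)),
        Message("slack", "bob", ("alice",), CAPTURED_AT + timedelta(minutes=5), "Atlas: client approved the terms."),
        Message("zoom-transcript", "carol", ("team",), CAPTURED_AT + timedelta(hours=1), "Weekly stand-up notes."),
    ):
        archive.append(msg, CAPTURED_AT, RETENTION)
    return archive
```

To try it, build the sample archive, call `place_legal_hold("case-atlas", lambda m: "Atlas" in m.body)`, then `purge_expired(CAPTURED_AT + 2 * RETENTION)`: only the unrelated stand-up record is tombstoned, the two Atlas records survive past their retention date, and `verify()` still reports the chain intact. Editing a stored message body, changing a tombstone's stored hash, or deleting a record from the list all make `verify()` return `False` with the first affected sequence number, which is the evidence an archiver needs to show in a proceeding that what it produces is what it captured.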
Step 5: Train your employees on best practices
As a rule, organizations in regulated industries work with sensitive information, such as health records, financial data, and education records. And what we often see in practice is that no technology is good enough to prevent the mishaps that happen when employees are unaware of the regulations they need to follow.
That’s why, in a period when the number of these requests is likely to rise, you need to make sure all your employees understand their role in the process.
Thousands of pictures and videos taken in hospitals during the Covid-19 pandemic have flooded social media, showing staff working endless shifts to save lives. In most cases there was no bad intention: these scenes help people understand why they need to respect precautionary measures.
However, all of this material can contain sensitive data: what if a patient’s identity is revealed? In that case, the person affected can rightly take legal action against the hospital or clinic for disclosing their personal information.
Stefan is a writer at Jatheon Technologies, where he covers information archiving and compliance in regulated industries.