Data Privacy and Dental Floss
Let’s face it, for most people, the idea of diving into data privacy regulations evokes about the same reaction as flossing your teeth – you know you’re supposed to and you might even feel better when you’re done, but actually doing it is messy and unpleasant. Understanding the basic objectives of the regulations can help a lot. But first let’s get the caveat out of the way, and then step back to provide some context.
Caveat: This article is not intended to provide any legal advice on compliance with any specific laws or regulations. You should consult an attorney for specific guidance on the applicability of, and compliance with, privacy regulations in your specific situation.
Privacy, data protection and data security are often used almost interchangeably, but behind these words are two distinct concepts. One concept addresses the obligations a recipient of personal data has to the subject of that personal data. This concept is often addressed as “data privacy” in the US, and “data protection” in Europe and other jurisdictions. One component of data privacy or protection is the obligation to take reasonable steps to protect the data from unauthorized disclosure. That responsibility is data security. We are going to focus on data privacy here. We will offer a layman’s guide to data security in a subsequent article.
For years data protection in the US amounted to little more than disclosure plus compliance. The recipient of personal data was required to disclose what pieces of personal data were going to be captured and what the recipient intended to do with them. Legal liability could only arise if the recipient failed to follow its own disclosures. The disclosures often appeared in tiny typeface legalese, were rarely read by anyone, and thus could be used to justify some pretty outrageous stuff.
Meanwhile, the Europeans took the global lead in defining substantive regulations regarding personal data. Their first privacy regulatory framework was established in 1995, and was known as the European Data Protection Directive (Directive 95/46/EC). As a directive under the European government structure, it was not directly enforceable, but required each member state to adopt implementing legislation. Over the years, variations in the interpretation of the Directive and resulting legislation caused the Europeans to adopt the now infamous General Data Protection Regulation (GDPR) in 2016. It became enforceable in 2018. As a regulation, it both supersedes the Directive and is immediately binding within the EU and European Economic Area. As global companies struggled to comply, it became apparent that managing data in disparate ways between legal jurisdictions was impractical, and the GDPR has become a de facto global standard.
In the US, after years of inaction at the federal level, states have begun to implement data protection laws. While not the first, the California Consumer Privacy Act (CCPA) has had the most impact. It was passed in 2018 and, together with subsequent amendments, went into effect on January 1, 2020. Although there are some differences, it largely follows the concepts of the GDPR. And as with the GDPR, many large companies are choosing to apply the California privacy standards to all of their US customers, rather than attempt to manage differing regulatory standards.
The GDPR and CCPA are long, complex laws and have generated untold riches for lawyers advising clients on compliance. It could cost you dearly just to determine whether either even applies to you – and if you are in a small US-based practice they may well not. Working out how to comply would cost you even more.
Nevertheless, most practitioners will want to take reasonable steps to protect the information they receive from clients, and the privacy regulations offer an excellent standard for best practice. Despite their lengthy, detailed regulatory terms, most data privacy regulations are based on a few practical principles. These principles are:
- Collect only what you justifiably need, allow access to it only by persons with an essential need to know, and store only what is needed for the minimum time that is feasible.
- Be transparent about what data you are collecting, what you will use it for, who else may have access to it, how long you will keep it and how it will be erased.
- Allow the data subject control over the data. This includes the opportunity to consent to, or at least opt out of, the collection of the personal data in the first place, the right to see what has been kept and to correct it, to require its deletion, or to prohibit its transfer in any form.
If you keep these principles in mind in the disclosures you make to your clients, and the way you manage the information you receive, you will be following a reasonable, defensible standard and will have gone a long way toward compliance with any regulations. You could still have a technical infraction, one you’d only sort out in advance with a thorough privacy audit by a knowledgeable professional. Even then, the evidence of your efforts to follow the basic principles is likely to help mitigate, or even forestall, serious penalties.
Using the right tools can make compliance easier. We have built ADR Notable to help. We have identified elements of data that comprise the basics – names, contact information, roles in the case – that you justifiably need to know. We believe these basic data elements may be needed to make future disclosures of potential conflicts, and therefore may be stored for some time. If you previously served as a neutral in a matter involving an individual or company, you may want to disclose that in a subsequent matter in which they are involved and should keep data for that purpose.
ADR Notable allows you to share case files with another professional, like a case manager or co-mediator, at no additional charge. However, when you establish that access, you can choose security limitations to block certain types of data that may be more sensitive, like materials received from clients or the notes you have taken during sessions. This allows you to have administrative help while limiting access to confidential information, or to open up access where the parties have agreed to it. ADR Notable also has a feature that creates a case summary report that contains only the minimal, non-confidential information of the type likely to be shared with a court or other third party – thus limiting what is shared with third parties in a manner consistent with privacy best practices.
In ADR Notable, materials and data you receive from clients can be sorted into a set file structure. The platform’s default case file structure provides a location for case specific files from parties plus a folder for key files you should retain, like your engagement agreement. At the conclusion of the case, with a few clicks you can delete, or schedule for deletion, files in the case folders and all of the notes you made during the process, while retaining only the key documents and the basics described above for your legitimate business record needs.
Getting beyond the details of data privacy regulations to the practical principles doesn’t need to be messy or uncomfortable. And implementing best practices can be made easier with well-designed software. Give it a try – you’ll feel better once you have a process in place.