Recap of our Session at The Florida Records Management Association’s 2023 Conference
Organizations and government entities collect data all of types. With that comes challenges as these entities not only have a duty to safeguard the data they collect, but they need to comply with certain regulations and be held accountable to maintain public trust. The beginning point to compliance with these regulations is to understand what data you have, where it is located, and how the organization is using it. This is called Data Discovery.
Data Discovery in Privacy and Publics Record Requests was the subject for discussion, which was led by Trustpoint.One’s Matt Mahon and Jerry McIver at the Florida Records Management Association’s 2023 Conference, held in Daytona Beach, Florida.
We first began by discussing just what is Data Discovery and Data Mapping, and defined Data Discovery as:
The process of creating an index of the information contained within a data source(s) to support an information governance initiative, including records retention and disposition compliance; data mapping; data minimization; data classification; sensitive data identification; ROT remediation; eDiscovery readiness; and data request workflow optimization.
But what does that really mean? We discussed how Data Discovery is the fundamental first step to handling data subject access requests, compliance with data privacy regulations, and more efficient responses to public record requests. By going through and identifying each endpoint, personal and sensitive information, and classifying the information, entities will be in a better information governance stance to comply with data privacy regulations and respond to public record requests.
Data Mapping is a colloquially used word that means a few things. It includes Data Inventory, Data Classification, and Data Map workflow. During our presentation, we went over these items in detail and why they matter to an entity. Knowing this information allows organizations to understand not only what information they have and where it’s located, but also allows them to start answering the question of why they are collecting, storing, and processing certain information.
After discussing Data Mapping, we moved on to discuss the efficiencies gained by performing a Data Mapping exercise along with Data Discovery. Not only does Data Discovery and Data Mapping help with compliance and public record requests, but entities could see reduced spend, easier decision making, a better data governance stance, updates to IT infrastructure, and reduction in eDiscovery costs, if that is incurred in the future. One of the most important efficiencies gained is the realization to implement a firm Data Minimization stance. This information governance principle is becoming increasingly important, as it allows for less data to be collected, as organizations and government entities should only collect information that is needed. Once the information is no longer needed, it needs to be properly disposed of subject to a defensible retention policy. Less data = less you have to respond to.
We then moved on to discuss the how data discovery can be very useful for public record requests. After performing Data Discovery, a government entity has a much easier time locating requested information, as they know exactly where it is. If a government entity also has a portal or records management software to handle the request, the response time is substantially less. This allows for less resources required to respond timely, reduction of spend, increased transparency and trust with the public, a repeatable and auditable process, and applying proper presentation and retention of documents. If a Data Map has been performed on top of Data Discovery, then the information sources and owners are able to create a playbook for responding to the public record requests, leading to even more efficiencies.
After our break, we moved into discussing data privacy and data security and why they are different. Organizations use data security to use access controls for certain information, in addition to other safeguards. Data Privacy is the high level policy and to show the collection, storage, and processing of the information. Data security is necessary to properly protect data, but doesn’t necessarily address Data Privacy.
With Florida HB 7055 (2022), we are seeing an increase emphasis in state and local government in Florida to protect our information. So we need to continue to focus and be proactive on our data privacy efforts. With an increase in data security incidents, an entity may have difficulty in understanding what personal and sensitive information may have been exposed if a threat actor is able to access their systems. This can lead to damaging fines, reputational costs, and hurting the public trust of the entities ability to collect and store an individual’s information. By identifying the personal and sensitive information, entities reduce the information that is stored by using data minimization principles, and thus, reducing the amount of personal and sensitive information that could be subject to a data security incident. We then went through a couple of scenarios with volunteers (thank you, again, volunteers!). One scenario included going over a public records request without Data Discovery performed and one was with Data Discovery performed. As we went through the scenario, we realized just how much more efficient that a records manager could respond to a public records request if a Data Discovery exercise had been completed.
Lastly, we concluded with our final scenario about a data security incident that occurred. The records manager needed to figure out what to do when he was unable to access the network. If Data Discovery and Data Mapping was not performed, the records manager (and by extension, the government entity) may not understand what information was accessed and what information the records manager may need to proceed. If the government entity had an incident response plan, they would be able to respond more effectively, making sure all stakeholders follow their respective roles to prevent a hectic situation in events after a data security incident. With preparation, the government entity would be ready to respond to the threat actors. The threat would also be substantially less if the government entity performed Data Discovery and Data Mapping, reducing the amount of possible personal and sensitive information that could be exposed.
We finished our presentation by asking the crowd how many knew their entity’s retention policies. Surprised by the response, we encouraged everyone to not only ask about that information when they return to work, but also to begin to ask why we are collecting certain information in the first place.
Still have questions? Speak with an Expert