The role of reasonableness in data protection compliance

August 14, 2012

By Bob Johnson, NAID CEO

Compliance with some regulations is determined by very objective, clear requirements. For instance, in the U.S. you must pay your personal taxes by April 15. If you don’t (without filing an extension), you have broken the law. Period. However, with other regulations, such as data protection regulations, compliance is determined by the principle of “reasonableness.” They require that organizations take reasonable steps to fulfill the requirements.

Some data protection laws require that organizations prevent unauthorized access, as is the case with the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) of 1999 (Financial Modernization Act of 1999), and the European Data Protection Directive. In other instances, they specify the destruction of discarded personal information, as is the case with the Final Disposal Rule of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) or Regulation S-P of the GLBA. Either way, compliance is determined by the reasonableness of the precautions taken.

The advantage of this approach is that it allows flexibility in compliance strategies for the many types and sizes of organizations that have varying needs and resources. Some people suggest that allowing every organization to determine what is reasonable is a weakness. In fact, the reasonableness approach challenges an organization to put a lot of thought into its particular compliance strategy. While the organization must determine what is reasonable for itself, it is not the final judge. In the event of an audit or data breach, the final judge of what is reasonable is the regulator. The challenge is developing a reasonable approach to compliance that reflects what regulators consider reasonable. The good news is that those regulators have provided plenty of guidance.

Reasonable approaches and responses to data protection laws include creating written data protection policies and procedures and providing training to employees. Stated another way, not having written data protection policies and training programs would be considered unreasonable and, therefore, noncompliant. Likewise, not having written selection criteria and a process for hiring data-related vendors would be considered by regulators as unreasonable and noncompliant.

The lack of written policies, employee training and vendor selection criteria remains the weakest link in most data destruction practices. In the last few years, virtually every one of the thousands of data breach investigations ultimately exposed one or more of these critical shortcomings, which usually resulted in severe consequences and large fines. Therefore, when reviewing the data protection laws, remember to determine what is reasonable for your organization so that it remains compliant and safe from penalty.