
InfoGovANZ

Information Governance Think Tank


Susan Bennett

Information Governance maturing with developments in Privacy Laws being a key driver: Findings of the Information Governance Industry Report 2023

May 8, 2023 by Susan Bennett

9 May 2023: The Information Governance Industry Report 2023 is InfoGovANZ’s fourth survey charting the development of information governance over the past seven years.

The IG Industry Report reveals that the key drivers and priorities for information governance activities within organisations were:

  • External regulatory, compliance or legal obligations
  • Good business management practices
  • Internal technology restructuring or transition; and
  • Mitigating risks associated with data that can be defensibly deleted.

Dr Peter Chapman, Partner Korda Mentha and InfoGovANZ International Council member said, “while most of these drivers have remained consistent in previous survey results, the elevation of ‘mitigating risks associated with data that can be defensibly deleted’ as a key priority for organisations is unsurprising given the Optus and Medibank data breaches in the latter part of 2022 and the more recent Latitude data breach, which have highlighted the risks of over-retention of personal information.”  

Two new questions were added to the survey to gain insight into the impact of these data breaches on organisations more widely. While only 20% of respondents indicated a major impact to their organisation’s IG activities, more than half of respondents’ organisations had either implemented changes or formed the intention to make changes to information lifecycle management policies and procedures in the last 12 months. “This demonstrates a broader recognition by organisations that they need to ensure they have adequate information lifecycle management in place, including disposal of personal information that is no longer needed” said Susan Bennett, Executive Director InfoGovANZ.

The survey results revealed that a quarter of all IG projects either underway or planned to be underway in the next year were driven largely by changes or foreshadowed changes to privacy laws, with a further quarter being ‘somewhat’ driven by changes or foreshadowed changes to privacy laws. Susan Bennett said, “In light of the recent high-profile spate of data breaches and foreshadowed changes to Australia’s Privacy Act, it is unsurprising to see a significant increase in IG projects planned across the next 12 months from 74% in 2021 to 82% in 2023.” Over a third of respondents indicated their organisations are expecting to increase their IG spend this financial year.

It is pleasing to see that organisations are increasingly governing with a formal IG framework. The number of respondents reporting that their organisation is doing so has increased from 51% in 2019 to 64% in 2021 and then 71% in 2023.  In another positive sign, nearly two-thirds of respondents assessed their organisation’s IG maturity as intermediate or advanced.  

More respondents considered their organisation to have a proactive stance (50%) than a reactive one (40%), although clearly there is significant room for improvement here. Our third new question asked respondents their opinion as to whether the board and/or leadership team of their organisation had sufficient understanding of IG.  Concerningly, only one-third of respondents believed this was the case.

“As recent high-profile data breaches have shown, boards and governing authorities of organisations need to have in place robust information governance to reduce information risks across the enterprise”, said Susan Bennett. Boards need to ensure they are actively monitoring the governance of data and information lifecycle – from collection to use and disposal – to comply with privacy regulations and reduce overall risks, including reputational and legal risks and costs to the organisation.

Key Survey Highlights

  • The three main drivers of IG projects are external regulatory, compliance or legal obligations (81%), good business management practices (66%), and mitigating risks associated with data that could have been defensibly deleted (49%).
  • Half of the survey respondents indicated that changes to privacy laws were 50% or more of the reason behind IG projects underway or planned in the next year.
  • Recent high-profile data breaches impacted IG activities in a ‘major’ way for 20% of the respondents’ organisations and had a minor impact on 57% of respondent organisations.
  • 55% of respondents indicated that their organisation had or was planning to make changes to information lifecycle management policies and/or procedures in the last 12 months.
  • 64% of respondents said their organisations govern IG with a formal IG framework with policies and procedures.
  • 82% of respondents said their organisations have IG projects underway or planned in the next year.
  • 65% assessed their IG programs as intermediate or advanced in maturity.
  • Nearly 50% assessed their IG programs as proactive and 40% as being reactive, event-driven and unplanned.
  • Only 34% of respondents assessed their board and/or leadership team to have sufficient understanding of IG.

About InfoGovANZ

Established in 2016, InfoGovANZ is a community of international professionals across the data and information sphere – Information Governance, Legal, Data Privacy, AI and Ethics, Cyber and Information Security, Records Management, FOI, eDiscovery, Data and Infonomics, Risk and Compliance – with a multi-disciplinary focus to collaborate and share best practices and promote global information governance innovation.

The report can be accessed here – Information Governance Industry Report 2023 

For further information

Please contact Susan Bennett, Executive Director 

susan.bennett@infogovanz.com or on +61 2 8226 8546.

Filed Under: Latest News

Privacy and AI: IAPP Global Privacy Summit, Washington DC, 2023

April 11, 2023 by Susan Bennett

The IAPP Global Privacy Summit this year was a huge event with over 5,000 attendees and a smorgasbord of keynotes and seminars on a wide range of topics – from privacy and AI compliance to the recent Generative AI developments together with predictions, the status of EU-US data transfers post Schrems II, and the latest in international data transfers. There were also very interesting sessions on privacy and ESG, and privacy and holistic data strategy.

Keynotes on AI and Privacy Developments

An exceptional keynote was given by FTC Commissioner Alvaro Bedoya on Generative AI, pointing out that AI is regulated. Commissioner Bedoya noted that section 5 of the FTC Act, unfair or deceptive practices, applies to companies making, selling, using or making representations about AI. The Commissioner emphasised that ‘there is no AI carve out’ in tort, civil rights, product liability and common law. You can read more in the Remarks of Commissioner Alvaro M. Bedoya.

The closing keynote panel moderated by Joe Jones, with EDPB Chair Andrea Jelinek, former UK ICO Commissioner Liz Denham CBE, and NOYB Chair Max Schrems, covered a number of topical issues including the following:

  • Liz Denham CBE suggested a Bretton Woods on cross-border data transfers given ‘adequacy’ is not working, while EDPB Chair Andrea Jelinek opined that the GDPR is the best solution we have and it should be the global standard.
  • Max Schrems reported that NOYB has 800 outstanding cases and enforcement is taking time to occur, partly due to delays caused by differing national procedural laws.  Andrea Jelinek indicated that the EDPB had presented a “wish list” on this issue to the European Commission and to expect an announcement about measures to streamline and harmonise national procedures in northern hemisphere summer this year.
  • Max Schrems said that while the EU US Data Protection Framework was an improvement, it did not provide adequate protection for EU data subjects, particularly around proportionality and redress, and indicated that Schrems III is likely to be filed.

Nina D. Schick gave an astonishing keynote on the tipping point of Generative AI, predicting that 90% of internet content will be created by Generative AI by 2025 and calling for an authentication standard to address the challenge of information integrity. Ms Schick pointed out that ChatGPT took only five days to reach 1 million users and two months to reach 100 million users. Unsurprisingly, ChatGPT is now being looked at by several data protection authorities, including South Korea and Italy, which is investigating whether it violates the GDPR.

Professor Danielle Citron, author of ‘The Fight for Privacy: Protecting Dignity, Identity, and Love in the Digital Age’, gave a thought-provoking keynote about the price we pay as technology migrates deeper into every aspect of our lives, arguing that citizens, lawmakers and corporations have the power to create a new reality where privacy is valued and individuals are protected as they embrace what technology offers.  Professor Citron argues that ‘intimate privacy is a human, civil and moral right’.

Professor Dan Bouk, author of ‘Democracy’s Data – The Hidden Stories in the US Census’, made the point that privacy and confidentiality protect personal data against uses beyond its inherent capacities. From his study of the 1940 census, Professor Bouk explained that ‘human robots’ (as they were called) standardized hand-written information in accordance with government policy, for example, replacing ‘partner’ with ‘lodger’ and changing racial designations and country of birth – which raises questions about identity.

Cross-border personal data transfers

Multiple sessions addressed the status of cross-border data transfers between the EU-US and globally with the trend towards data globalisation. While some sessions focused on the proposed EU US Data Privacy Framework and the challenge of personal data transfers from the EU to the US, others discussed the broader issue of government access to personal data for national security and public safety and the work of the OECD.

Dylan Cors, International Director, Office of Law & Policy, National Security Division, US Department of Justice, Bruno Gencarelli, European Commission, Audrey Plonk, Head of Digital Economy Policy Division, OECD Directorate for Science, Technology and Innovation and Kate Goodloe, Managing Director, Policy, BSA The Software Alliance discussed the OECD’s workstream on trusted government access to personal data, which was started by a December 2020 statement highlighting the urgent need for international collaboration to develop high-level principles or guidance on trusted government access to personal data, and its relevance to any company that sends data across international borders.  This has led to the OECD Declaration on Government Access to Personal Data Held by Private Sector Entities in December 2022, which clarifies how member countries’ security and policing agencies can access this data under existing legal framework in an effort to improve trust in cross-border data flows.

A panel comparing ASEAN and Ibero-American regional model contractual clauses with GDPR SCCs discussed challenges of data flows in regions with uneven data protection maturity and, on the topics of convergence and interoperability, ended with an intriguing note from Zee Kin Yeong, CEO of Singapore Academy of Law and Infocomm Media Development Authority, to watch for a forthcoming announcement.

Co-regulation and regulatory sandboxes

Another interesting panel looked at whether co-regulation is the future of privacy, which was discussed in a session with Bertrand du Marais, Commissioner, CNIL and Councillor of State, Isabelle Vereecken, Head of Secretariat, European Data Protection Board, Marie-Charlotte Roques-Bonnet, Data Protection Legal Advisor, ENISA, Yannick Bailly, DPO, Nissan AMIEO, and moderated by Fabrice Naftalski, CIPP/E, CIPM, Partner, Attorney at Law, Global Head of Data Protection, EY Société D’Avocats. The clear benefit of co-regulation and regulatory sandboxes is that they enable regulators to keep up to date with technology innovations and industry developments and allow companies to improve and demonstrate compliance.

Anonymization – ISO/IEC

Audience polls conducted at the anonymization panel underscored the need for lawyers and technologists to be able to communicate effectively when developing anonymization strategies.  There was discussion about the new ISO/IEC 27558-2022 standard, which may help to facilitate understanding and to focus on assessing data in its context when defining appropriate technical solutions.  Although it may be required by law, it was pointed out that aggregation has limited application and rarely gets you to where you need to be.

Data Subject Access Requests (DSARs)

It was very interesting to learn that with the privacy legislation now in force in several US States, companies are already being inundated with DSARs.  Not only the panelists but also a large number of the attendees were engaged in responding to these requests, and provided great insights and tips.  Amber Cordover, Kelly Peterson Miranda, Jennifer Ruehr and Jena Valdetero discussed their different approaches to DSAR issues like authentication thresholds, authorised agent requests, whether to expand individual rights beyond what is required, balancing of individual rights, the differences between US and EU requirements, post-Dobbs consumer expectations, and automation.  One clear issue that has emerged is the number of requests from employees using DSARs as a ‘sword’, which is time consuming and can require a costly eDiscovery-like approach, including review for relevance and privilege. In light of this known issue, the UK ICO has issued guidance on responding to employee DSARs.

Data and Privacy – Governance, Compliance and ESG

There were a number of interesting sessions covering holistic governance, privacy compliance and ESG.

‘The Privacy in ESG’ was a new addition this year. In this discussion, Julia B. Jacobson, Seth Berman, and Shari Piré explained that privacy and data use practices are gaining importance in the ESG framework as investors and other stakeholders seek to better understand how businesses treat privacy and data use practices in the context of their other responsible business practices. One of the key challenges is how to report and benchmark on privacy, and it was noted that the GRI global reporting standards are currently being reviewed. A recent development is that some states, such as Texas, are now introducing legislation to ban ESG reporting, on the basis that it discriminates against some companies, such as oil companies.

Privacy was discussed in the broader context of the ‘datafication’ of businesses and the need for privacy and corporate leaders to overcome the data silos and have a holistic approach in the session on ‘Getting companies to embrace a holistic data strategy’ with Bojana Bellamy, Keith Enright, Christina Montgomery, and Courtney Stout. The focus of this session was providing insights into how privacy leaders can work within their organisations to be effective business enablers, including tips on effective communication across the organisation and in dealings with the audit and risk committees and the board. One of the interesting points to emerge is the challenge around measuring privacy KPIs and ensuring that privacy activities and performance are measured.

The compliance trifecta of data discovery, data inventory and data retention was discussed in a session moderated by Rebecca Perry, Daniel Christensen and Billee McAuliffe. This session focused on how to architect a plan to develop a smart data inventory, operationalise data retention, and leverage data discovery to be ready for the changing privacy landscape. The mantra of ‘say it, do it and prove it’ was very effectively conveyed to attendees!

Congratulations to IAPP and the team who put together a fabulous event!  It was great to be able to reconnect in person with so many privacy professionals from around the globe!

The Hill We Climb by Amanda Gorman

‘For there is always light if only we’re brave enough to see it if only we’re brave enough to be it’.

Read by Amanda Gorman at the inauguration of President Biden and Vice-President Harris. 

The White House on the President’s Spring Day Walk, 2 April 2023

Authors: Susan Bennett, Founder & Executive Director InfoGovANZ

Denise Backhouse, Shareholder, Littler Mendelson, InfoGovANZ International Council

 

Filed Under: Featured, Privacy

Information Governance ANZ Pty Ltd

Level 26, 1 Bligh St, Sydney 2000
Ph: +61 2 8226 8546
E: infogovanz@infogovanz.com

ACN: 611 611 360

Copyright © 2023 Information Governance ANZ Pty Ltd · Privacy Policy · Terms of Use