Skip to main content

Five steps to deal with the torrent of data requests in regulated industries

(Image credit: Future)

The Covid-19 pandemic has given a huge blow to economies worldwide. Quick responses from regulated industries, including the public sector and healthcare have been vital in suppressing the death toll, but have created a gateway for data privacy infringements.

In the aftermath of the pandemic, we can expect a surge in the number of eDiscovery requests and litigation cases.

Most people affected by the coronavirus will want to know whether their privacy has been compromised and in what ways. And this goes beyond the healthcare sector.

These will include people who lost their jobs, as well as parents whose kids used unsafe communication tools to attend classes. They will also want to know how healthcare institutions, regulatory bodies, and school districts handled their data.

Time to prepare for data requests is now

Whatever could be said of the preparedness of healthcare institutions and government agencies, we should give them the benefit of the doubt that they did their best to preserve as many lives as possible. Still, this won’t abolish them from individual cases of data retrieval.

People will want to get access to their medical files, whether to get a better understanding of their symptoms or to seek evidence of data mistreatment.

And that’s not all: individual requests are only one part of the issue. On the other hand, regulatory bodies will check for compliance with regulations on business records preservation. This affects a broad range of sectors, including K12 schools and higher education institutions, legal companies, financial organisations and firms, construction companies, and so on.

So what can organisations do to prepare for the inevitable rise in the amount of data requests? We’ve compiled a list of steps that can help companies prepare.

Step 1: Assign a responsible person

While this is something that might sound trivial, companies often fail at this step. But it’s essential: unless there is someone in your firm specifically tasked with the responsibility to ensure data compliance, chances are no one will pick up that responsibility.

This could potentially lead to some use cases/files slipping through the cracks, which could expose the entire company to non-compliance. There are hundreds of regulations on information archiving in the US, so you should really prioritise your compliance, no matter how large your organisation is.

So first get your compliance officer, who will interpret the rules alongside your legal team. They should then work on creating and implementing comprehensive policies that will define the data that needs to be archived, as well as how this information will be captured.

They should also perform in-house random checks to ensure all data is backed up securely and that all personnel know how to handle sensitive data and which communication tools to use.

Step 2: Identify which data needs archiving

This step requires thorough research but pays off in the long run. The key outcome here is to make a list of all channels of communications used among your employees and then decide on the ones acceptable for your businesses.

You need to understand where your business records are discussed. Is it WhatsApp or Slack? Do you use Zoom or Skype? Can you capture all this information? In a worst-case scenario, will you have concrete evidence to prove you didn’t disclose your clients’ data?

Once you know the range of business communication channels you use, you will be much better at tracking, capturing, and retaining all this data.

Step 3: Automate information capturing

The number of communication channels has been expanding vastly, and large organisations often find it difficult to keep track of all places and information exchanged. But once you know where to look for business records, you still need to make sure no piece of information gets lost in the way.

To this end, you need to rely on robust technology that can do this process for you automatically, without disrupting the work of your core departments.

You need to find a solution that can capture and search through not just email messages, but also video calls, voice calls, instant messaging, sipped files, attachments, and all other places where often vital business information lies.

Step 4: Keep all data unaltered

To face the rising number of data retrieval requests, you need to keep all communication intact. The reason for this is that your organisation will need to present proof of the authenticity and integrity of information in case this information is used in a legal proceeding.

With a tamper-proof archiver, you can preserve the original content and metadata for all messages pertaining to a particular case.

So, in cases where you expect an audit or investigation, you should implement a technology that will allow you to apply the legal hold. That way, you will be able to preserve business communication for an indefinite period of time, even after the expiry of its retention period.

Step 5: Train your employees on best practices

As a rule, organisations in regulated industries work with sensitive information, such as health records, financial data, education records, and so on. And what we often see in practice is that no technology is good enough to prevent the mishaps that can happen due to employees being unaware of regulations they need to follow.

That’s why in the period when the number of these requests is likely to rise, you need to make sure all your employees understand their role in the process.

Thousands of pictures and videos taken in hospitals during the Covid-19 pandemic have swarmed social media, showing staff working endless shifts to save lives. In most cases, there was no bad intention: these scenes can help people understand why they need to respect the precautionary measures.

However, all of this information can contain some sensitive data: what if someone’s identity is revealed? In that case, the person affected can rightly ask for legal action against the hospital or clinic for disclosing their personal information.

Stefan Vucicevic, tech writer, Jatheon Technologies