Getting disposition done isn’t easy.
In my experience, the challenges aren't technical, they're getting a subject matter expert (someone in a business unit with appropriate authority) to approve the disposition.
The problem has always been that there's just not enough pressure in the other direction - there's no effective cost to continuing to retain.
In Australia, where I live, the fines under the Privacy Act have now been significantly upgraded.
With PII at least, this should mean there is some back pressure.
Every disposition form should include a new branch: the acceptance of the risk associated with the PII. Thanks to the new Privacy Act, this is now a very large risk.
This is also likely to include an escalation of the sign-off level; not many team leaders are likely to have the delegated authority to accept a $50M risk.
If it's not enough that they have to accept the liability, the fact that they'll likely have to explain this to a director or senior executive should generate some action in the right direction.
Of course, we have to keep in mind that this is likely to generate some disposition that shouldn't happen, but after many, many years of nothing but inaction in many organisations I can only think this is a positive step.
A very interesting suggestion, Karl. Given that records management is often considered a form of risk management, risk "appraisal" and formal acceptance of accountability for the risk as part of the disposition process could indeed be a very useful addition.