Two-Word Concepts that Define Data Protection Regulations
Here at Shred America, we believe that the more our clients know about regulatory compliance, the more they’ll value what we do for them. With that in mind, we are sharing these basic concepts that help explain what regulatory compliance looks like.
Before we get started, though, we’d like to frame the issue.
The first thing to keep in mind is that the topic of data protection and privacy compliance applies only to personal information. Clearly, it is also critically important to protect proprietary information as well, but that’s a corporate governance issue, not a regulatory one.
Second, the two-word regulatory concepts referenced below are not shorthand or colloquial nicknames, but rather the actual words used within the regulations themselves.
And finally, keep in mind that fully explaining the meanings and nuances of each of these concepts could fill a small book. We invite anyone seeking more information on these topics to reach out to us.
And so, with the caveats out of the way, the following two-word terms will hopefully go a long way in helping businesses understand what data protection and privacy regulations require and what regulators expect.
The first and, arguably, most important two-word concept is “unauthorized access,” since preventing it has always been the essential imperative of all data protection regulations. As a result, it remains the regulatory common denominator across all jurisdictions. Preventing unauthorized access to personal information is the prime directive.
The compliance concept known as “incident response” doesn’t date back quite as far but is a close second in order of importance. It refers to the requirement to officially investigate and remedy any situation or circumstance that could, or may already have, resulted in unauthorized access.
To be fair, a required “incident response” often gets a bad rap for being closely related to our third two-worder, “breach notification.” The fact is, however, that while investigating possible incidents of unauthorized access may indeed result in notifying authorities and data subjects, the vast majority of incident responses don’t. In fact, far more often than not, they end up proving that breach notification is not necessary. Their purpose is simply to demonstrate that the organization conducted the appropriate follow-up on a potential risk.
As mentioned, “breach notification” is third on our list. As the name suggests, it requires organizations to report unauthorized access to personal information. Most of the time such reporting is only necessary when there is a material risk to the individuals involved. The important thing to know here is that ignoring this requirement is a little bit like playing Russian Roulette. The majority of the time, nothing bad happens. On the other hand, if it is later discovered that a material data security breach was ignored, things can get very uncomfortable.
Ironically, the fourth and final two-word data protection regulatory concept, “due diligence,” is both the most widely applicable and the most overlooked. It simply means that an organization should be able to demonstrate that it has approached its compliance responsibilities with the appropriate seriousness and effort. It applies to every aspect of compliance, from the processes used to select and contract data processors (like Shred America) to how employees are trained and the quality of written data protection policies and procedures.
To be sure, there are other concepts, such as “legal basis,” “explicit consent,” “implicit consent,” “contextual advertising,” and “data minimization,” among many others, that have increasing applicability in the new state regulations sweeping the country.
As we said at the outset, we value educated clients, and we take our responsibilities in that regard very seriously. We also believe our clients have a right to expect that their data security and records management vendors are capable of providing such advice.
If you have questions about regulatory issues…
If you want to explore how we can help your organization achieve compliance…
Or, if you just want information on our secure records storage and media destruction services…
Contact Shred America today!
© 2024 Shred America, LLC - All rights reserved.