that requires destruction. Readers will remember that was covered in Customer Misconception #3. So, when you hear a data controller say they don’t need a records destruction service because they keep everything, you probably have two misconceptions to overcome – and good use for the new textbook.
Customer Misconception #10: A Compliance Officer is Unnecessary
NAID members rated this issue as tenth in our survey of misconceptions that prevent them from providing service to their customers and prospects. Personally, I think it is in reality much higher. I believe that if every company had a person on staff responsible for the organization’s compliance, there would be a lot more data destruction occurring.
Information Disposition makes it very clear that the assignment of a compliance officer should be a major priority. It not only describes why all data protection regulations require it, it also describes what will happen if there is a data breach and it is discovered that there was no compliance officer appointed.
As early as page 14 of Chapter 1, we read:
Designation of Accountability
HIPAA and GLB require organizations to appoint an individual to be responsible and accountable for compliance. Of course, from a practical perspective, it is easy to understand why that is important. Without a person assigned accountability for compliance, it would be very difficult if not impossible to achieve and enforce.
In the event of a data security breach or an audit, regulators will almost certainly first ask to speak to the individual responsible for the organization’s compliance. Of course, admitting that accountability has not been designated, in addition to being non-compliant with the regulation, is also very likely to be considered negligent, and, in the case of HIPAA, could well rise to the level of Willful Neglect.
Not all regulations are as clear as HIPAA and GLB on the issue of assigning internal compliance accountability. However, even where that is the case (FACTA and state laws), practically speaking, it is still incumbent on an organization to assign such accountability. Were there an investigation into a violation of a data protection regulation, an organization should still expect investigators to be interested in speaking to the person who is responsible for compliance. Though not having designated such a person may not technically violate the law, it would certainly reflect poorly on the organization simply because it is unreasonable to expect that compliance could have been achieved without someone responsible to make sure of it.
Assigned accountability, even when not required specifically, is a de facto necessity insofar as the absence of such accountability would likely be deemed unreasonable, even negligent, if there were ever a non-compliance
How could any customer read that and ignore their responsibility to assign such accountability? Certainly some will continue to disregard this obligation (at their own peril), but they will no longer do so with a clear conscience or with plausible deniability.
I came into this article with two intentions.
First, I wanted to demonstrate that the new Information Disposition textbook confronts the top ten misconceptions that keep NAID members from best serving their customers, and that, properly understood and used, it could help service providers overcome those misconceptions.
Second, I wanted to reach the many field representatives who still don’t know that there are clear and concise arguments for overcoming these objections. Too often, when we come upon a customer who is putting their organization at risk because they harbor one or more of these misconceptions, we simply throw up our hands or shrug our shoulders, and walk away frustrated. Thanks to Information Disposition, that is no longer the case.
Whether it’s by using the textbook as a proof statement or simply by mastering its content, the responses needed to educate customers are now readily available, and it is up to secure destruction service providers to use the resources at their disposal to reduce customer risks and to improve their businesses.
Get your copy of Information Disposition at www.NAIDonline.org
Bob Johnson is the Chief Executive Officer of NAID.