This is the third post in our blog series about the European Union’s General Data Protection Regulation (GDPR), which came into full effect on 25th May 2018. Last time we looked briefly at the lawful basis for holding personal data, consent, and capturing consent through preferences.
In this post we consider what it takes for organizations to ensure their data processing and records management policies are aligned. In particular we look at this in relation to customer communications, which for many organizations continue to be managed in ways that are contrary to GDPR requirements.
Fine Grained and Coarse Grained Records Management
Records management practices often reflect the underlying tools and technologies used to automate these policies. The challenge for most organizations is that traditionally communications with customers have been handled with coarse grained records management. That is to say, batches of customer communications – all the bills and statements produced on a particular day – are managed collectively as a single unit over time.
The regulations for managing records differ widely by industry. For banks, statements need to be retained for 7 years to comply with banking regulation. For insurance providers, policy documents need to be retained for 3 years after the expiration of the policy, in the event that a claim may arise. In the case of life insurance, policy documents must be retained for up to 8 years after the death of the policy holder. The practice in most industries is to treat the batch of documents that was printed and posted as the unit of records management. After the regulated period expires, common practice is to dispose of all the documents in the batch together.
The challenge is that some records need to be kept for longer. There may be a long running dispute, for which customer records need to be kept outside the regulated times. And now with GDPR the right to be forgotten allows customers to request the disposal of customer communications at virtually any time.
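As an added illustration, not code from the post or from CrawfordTech, the following Python sketch contrasts the two models using the retention periods quoted above. It shows why a batch-level rule cannot honour a dispute hold on one document or an erasure request on another, while a per-document rule produces a decision and a reason for every record. The document kinds, field names, the precedence given to a legal hold over an erasure request, and the sample documents are all assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Retention periods quoted in the post, in years, keyed by an assumed document kind.
RETENTION_YEARS = {"statement": 7, "policy": 3, "life_policy": 8}

# Fixed "today" so the example is reproducible (GDPR enforcement date).
EXAMPLE_TODAY = date(2018, 5, 25)


def add_years(d: date, years: int) -> date:
    """Add whole years, falling back to 28 Feb when the start date is 29 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class Document:
    doc_id: str
    customer_id: str
    kind: str                 # "statement", "policy" or "life_policy"
    created: date
    batch_id: str             # the print-and-post batch the document went out in
    # Per-document state that a batch-level model has nowhere to record:
    retention_anchor: Optional[date] = None  # policy expiry, or death for life policies
    legal_hold: bool = False                 # open dispute or complaint
    erasure_requested: bool = False          # right-to-be-forgotten request


def retention_end(doc: Document) -> Optional[date]:
    """Date on which the regulated retention period runs out, or None if the clock has not started."""
    years = RETENTION_YEARS[doc.kind]
    if doc.kind == "statement":
        return add_years(doc.created, years)
    # Policy retention counts from expiry (or death), not from the date of issue.
    if doc.retention_anchor is None:
        return None
    return add_years(doc.retention_anchor, years)


def coarse_grained_disposal(docs: List[Document], batch_id: str, today: date) -> List[str]:
    """Batch model: dispose of the whole batch once every document in it is past retention.
    Holds and erasure requests are invisible at this level, which is the gap the post describes."""
    batch = [d for d in docs if d.batch_id == batch_id]
    ends = [retention_end(d) for d in batch]
    if any(e is None or e > today for e in ends):
        return []
    return [d.doc_id for d in batch]


def fine_grained_disposal(docs: List[Document], today: date) -> Dict[str, str]:
    """Per-document model: one decision and reason per document, suitable for an audit log.
    Assumed precedence: legal hold > erasure request > retention expiry."""
    decisions: Dict[str, str] = {}
    for d in docs:
        end = retention_end(d)
        if d.legal_hold:
            decisions[d.doc_id] = "retain: legal hold"
        elif d.erasure_requested:
            decisions[d.doc_id] = "dispose: erasure request"
        elif end is not None and end <= today:
            decisions[d.doc_id] = "dispose: retention expired"
        else:
            decisions[d.doc_id] = "retain: within retention period"
    return decisions


def build_sample() -> List[Document]:
    """Constructed sample archive: three statements from one 2011 batch, plus newer documents."""
    return [
        Document("S-1", "C-100", "statement", date(2011, 3, 1), "B-2011-03-01"),
        Document("S-2", "C-101", "statement", date(2011, 3, 1), "B-2011-03-01", legal_hold=True),
        Document("S-3", "C-102", "statement", date(2011, 3, 1), "B-2011-03-01", erasure_requested=True),
        Document("S-4", "C-103", "statement", date(2016, 1, 1), "B-2016-01-01", erasure_requested=True),
        Document("P-1", "C-104", "policy", date(2015, 6, 1), "B-2015-06-01"),  # still in force
        Document("L-1", "C-105", "life_policy", date(2005, 3, 10), "B-2005-03-10",
                 retention_anchor=date(2009, 1, 15)),
    ]


if __name__ == "__main__":
    docs = build_sample()
    print("coarse, batch B-2011-03-01:", coarse_grained_disposal(docs, "B-2011-03-01", EXAMPLE_TODAY))
    for doc_id, decision in fine_grained_disposal(docs, EXAMPLE_TODAY).items():
        print(f"fine, {doc_id}: {decision}")
```

Run as a script, the batch rule disposes of all three 2011 statements, including the one under dispute, whereas the per-document rule retains the held statement, disposes of the two with erasure requests regardless of age, and leaves the in-force policy alone until its expiry date is known.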
Most large organizations currently digitizing customer communications and storing them as coarse grained batches in an archive are almost certainly not compliant with GDPR regulations. In mid-2011 Clydesdale Bank fell afoul of UK financial regulations because Payment Protection Insurance complaint handlers were not taking into account all relevant documents when deciding how to deal with complaints. That is because documents were not subject to fine grained records management and were thought to be deleted, but were in fact still stored by the bank.
GDPR in many ways places more onerous obligations on financial services providers, because any communication with a consumer may need to be taken into account under the right to be forgotten.
In our next blog we’ll look at further ways of delivering GDPR compliance with digital archives. We’ll examine how to capture, store and manage customer communications in systems and archives, and explore techniques for fine grained records management in customer communication archives.
For more information about CrawfordTech’s customer communication archiving solutions see Riptide Conversion Services for CMOD, PRO Archiver for Documentum, PRO Archiver for InfoArchive, CCM Gateway for Alfresco, CCM Gateway for Box and CCM Gateway for SharePoint, all available here.
For more information about data security, you can access the recording from our recent webinar.