GDPR might give people the right to be forgotten, but finding them, understanding the context of their conversations, and figuring out if they really can be deleted while still complying with other regulatory and legal obligations such as MiFID II is a quandary many organisations are going to remember for some time.
One of the problems is the way we communicate with customers, colleagues and partners nowadays. Using a myriad of communications tools from Skype for Business and now Facebook’s Workplace to Bloomberg and Reuters alongside internal collaboration software we switch across these channels as needs dictate. Sometimes to provide a more secure way of talking, sometimes because we change devices during the day from smartphone, to PC, to wearable tech down the gym. But although the channel may change, the topic of conversation frequently doesn’t.
What started off as an innocuous post on Twitter, may have turned into a transaction over email. A few months, or even years later, when a firm receives a request under the GDPR to have someone’s details erased from its systems, including archived documents, how is it possible to figure out from a Twitter post what the outcome of the conversation was or where it can be found?
Do you erase and hope for the best, or can you pinpoint exactly how the conversation continued and deny the request, because you have an overriding obligation to keep transactional data?
Most regulated firms today should have all relevant information stored for their compliance requirements. However, piecing together conversations that happened over different channels, stored in different mediums and most likely using different user names can be time consuming.
This is because many traditional archives convert and retain all communications as emails and there has been a trend for organisations to operate a multi-silo-archiving infrastructure to maintain different archives for separate parts of the business or types of communications. This often results with multiple copies of the same data stored over and over again.
When it comes to reconstructing conversations this creates a few issues. Not only in managing, maintaining and de-duplicating content in multiple archives, running the same search across all of them and then somehow merging the results, but also because once again these are all usually email-based.
Shoe-horning the dynamic communications of today into a legacy email format for long-term storage doesn’t work properly. Firms need to be sympathetic to the content; understand what it is and preserve it in its native format. This will allow for the context or motivation behind a user’s post on Facebook or response to a comment on Sharepoint to be understood, or even explain why they switched from Skype for Business to LinkedIn InMail or SMS. By looking through a single pane of glass onto all of an organisation’s communications it is possible to quickly discover the end to end story.
Rather than just knowing that a tweet was sent at a certain time, with contextual archiving reviewers can see far more information including which other communication platforms were used by the person during the same time frame, and who they were conversing with.
Many of today’s messaging systems are not managed by the employer, so ambiguous usernames make it an up-hill struggle to identify who actually owns the content. Firms need to provide a way of mapping those usernames to their corporate employees, so when a search for Robin Smith’s content is carried out the reviewer sees everything across all channels. This eliminates the need to memorise all of his identities. In addition, if the reviewer filtered by a particular network, they can see all of his identities, not just the one they know about.
Armed with far more information than a simple date and time stamp, it’s far easier for reviewers to build a complete picture and make an accurate decision on whether or not they can erase someone from their systems. A fault tolerant content store that understands the different types of data being stored will allow firms to move away from multiple email-based silos and maintain a single authentic copy of the data. This can then be referenced for use across several lines of business whether that be for eDiscovery, legal hold or Supervision needs. When the decision is made to delete information, a firm can be certain that it has all versions of that data and therefore less silos to query.
GDPR is just the beginning. Let’s remember that although it is a European regulation, it applies to any organisation world-wide that stores a European citizen’s data. Whether it affects you immediately or not, it is highly likely that the rest of the world’s regulators will start to implement similar regulations as consumer concerns over privacy grows. As with most regulation the best defence against potentially astronomical fines is to be able to demonstrate that an organisation has the appropriate policies and processes in place, and they are backed by technology to enforce them.
If you’re implementing changes in your operation to comply with other regulations coming into force, then it makes sense to consider now how a GDPR type regulation might affect it long term. Otherwise you may end-up spending more resources later undoing the changes you’re making now just to comply with newer guidelines.