Taking advantage of a consumer-protection regulation, I recently requested a complete record of my financial history through Lexis-Nexis’ RiskView Consumer Disclosure Report, a free service anyone can use. The 638-page printout that thunked onto my desk a week later stunned me, not just for its size but for its scope. It contained transactions dating back to 1985, covering loans that I had long forgotten about with financial institutions that no longer exist.
Is all this data necessary? Should it even still be on file after more than three decades? I’m not a lawyer, so I can’t say, but questions like these will soon be put to the test when the European Union’s General Data Protection Regulation (GDPR) goes into effect next May. One of GDPR’s privacy stipulations is the “right to erasure,” which gives EU citizens the power to demand that an organization that holds personal information about them expunge it if it’s no longer needed for regulatory, contractual, legal, public interest or freedom of expression purposes. How many organizations would know where to find all those records? Are the people who acquired them even around to help with the search?
In most organizations, there are a variety of places personal information might reside: old spreadsheets on backup tapes, email archives on employees’ PCs, mailing lists on CD-ROMs, contact files on flash drives — and that’s just to name a few. Then there’s data that people cart home from the office or download to home computers while telecommuting. Records may also be misfiled, stuck in the back of old file cabinets or committed to unlabeled media. The fact that they aren’t in your control anymore doesn’t make you any less liable for them.
To get an idea of the disruption this GDPR clause could create, consider what Google went through three years ago when the EU imposed its “right to be forgotten” regulation. The need to manually process millions of deletion requests tied Google up for months — and they knew where all of that information was. How many companies can say that?
No one knows how stringently the EU will enforce the new regulation or the onerous penalties it provides, which can cost a company up to four percent of global revenues for each infraction. Some experts say the fines are more symbolic than punitive. But they also caution that you can’t be too careful.
There has never been a more important time for businesses and their records management providers to work together to understand what is and isn’t known about the information that they store. Now is a good time to not only create an inventory of that information but to identify data that is no longer required for compliance purposes and should be erased. Regulation is no longer an issue for healthcare and financial institutions only. GDPR will apply to all organizations that do business with EU citizens. And these days, that’s all of us.