There used to be a saying in business, “You can have it cheaper, faster or better. Pick two.” “Pick two” is no longer competitive. Customers, shareholders and stakeholders expect all three—all the time.
In the early 2000’s, companies invested heavily in information technology at the expense of information governance. The result? Most are now finding it difficult to retrieve complete customer information in one search. Some information is in System A, some in System B, some in System IDK, some in hardcopy (still!). The hardcopy then has to get duplicated (scanned, photocopied) in some way so it can be shared.
This type of information governance was commonplace for years, but new laws and compliance regulations are causing some of the top CEOs to re-evaluate their current systems due to a variety of factors that 2021 promises.
California Consumer Privacy Act is Born
With the advent of the California Consumer Privacy Act, this lack of governance in the past is resulting in data reconciliation/normalization/standardization projects now.
The GDPR, in the European Union, resulted in the development of tools to help find and reconcile information silos in order to meet the regulatory requirements of that privacy act and they can be used now with the CCPA. And, since they are not cutting edge, they are relatively inexpensive to use and maintain. Adhering to the CCPA is not going to be a “one and done” deal, but rather a perpetual burden of proving compliance.
Search tools used in litigation, robotic process automation, information validation at the time of capture or receipt, and, information analytics allow a company to improve the quality of the information in the existing information systems and keep the quality high going forward. The total cost of ownership of these tools is less than starting up a new department to manually find the information that needs to be disposed as a standard business practice (important in litigation).
How Good is Your Existing Information System?
In addressing the quality of the information systems, you’ll also improve customer service levels because the customer’s data will be complete and accurate in the first search. This will eliminate the common response of, “I’ll have to get back to you. What number can I call you at?” by your customer service representative. Time to market is reduced because all the people involved can find what they’re looking for, the first time. Complaint resolution time is reduced. “Right to be forgotten” requests can be completed quickly and confirmed to be completed.
And, you don’t have to replace your current systems of record and line of business applications. The tools were designed to interface and overlay existing software and applications; the challenge will lie in how well your current systems were designed and implemented in the first place. Data and information flow process maps are step one deliverables in identifying what exists where and how it’s labeled.
Forgotten, but Not Gone
Step two is paramount and includes identifying the current owners of the data. It’s a sure bet that the original owners of boxes from 1894 are not still alive. Subsequently, it’s a safe bet that the original owners of floppy disks from 1984 are in retirement or don’t work for that organization anymore.
If your organization receives a CCPA request to be forgotten from a long-time customer—or their heirs—you have to know that relevant data doesn’t exist in those boxes or on those floppy disks. If the original owners didn’t leave an inventory behind, then the current owners need to get it done, or, consult with legal counsel about how to defensibly dispose of the redundant, obsolete or transitory (ROT) information.
The Right to be Forgotten
These requests have become more frequent as the right to be forgotten gains traction amongst consumers. Many were unaware of how much of their personal data was being collected by various organizations. In article 17 of the GDPR, the right to be forgotten is described as “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.” The controller must also take reasonable steps to ensure the individual requesting the right to be forgotten is in fact the data subject to prevent against fraudulent requests.
If it sounds like a big job, it is if sufficient controls were not put in place to begin with. A good place to determine the extent of your need may be to take ARMA International’s Maturity Matrix (arma.org) and see where you land. If you’re not satisfied with your scores, give Western Integrated Systems a call to plan out your roadmap to a ROT-free organization.