GDPR & Correspondence Management: How to store, locate & extract personal information to ensure compliance
As of May 2018, every organization – public or private, large or small – operating within the EU or having any business affiliations with members of the union, will be subject to a fine of up to 4% of its worldwide turnover if they fail to comply with the upcoming General Data Protection Regulation (GDPR).
With an incentive like this, it’s time to understand the implications and how to put systems in place to ensure compliance. This upcoming regulation will impact any organization which holds personal data, which is pretty much every organization. Such data might include a letters, credit enquiry, contracts, email correspondence, etc. The regulation states that upon request, an organization must confirm within 30 days that they hold the personal data of an individual. Moreover, copies of all such data must be provided, if demanded by the individual. Sounds like an easy task, does it? Let's dig a little deeper.
What data is affected by GDPR?
The short answer is: all data. Official documents, records, correspondence, etc. - it all falls under the scope of this upcoming regulation.
Fast forward to the last quarter of 2018 and imagine a case scenario where an individual requests access to all his/hers personal information contained within the entire structure of your organization. Where do you look? There's the obvious - all documentation and information stored about that particular individual is likely to be found relatively easy (assuming the organization does a proper information & records management). The directive goes even further - “personal data†includes any information about a person, whether in their work or personal lives, which can lead to their identification. And that data, includes correspondence too.
There's physical correspondence assets lying around somewhere, not to mention countless emails that are spread across multiple folders on office servers and various other content repositories. Needless to say, the amount of data will certainly be more than anticipated.
Regulatory compliance will require integrated correspondence management
An effective and robust correspondence retention policy will be essential to ensure GDPR compliance. Most organisations that have a correspondence management system have the ability to audit the usage of records and files. But the scope of a retention policy is far greater. A retention policy includes both physical paper and digital assets and this is where the complexity of enforcing GDPR becomes problematic for organisations. Routinely, employees make print copies of digital files. So if based on the retention policy, a digital file is destroyed, and a paper version of same resides in an office drawer, the rule is breached.
With correspondence data including everything from email to physical and formal correspondence adopting integrated management processes is essential. This ensures that retention policies can be applied automatically to physical files, formal and email correspondence. Such technologies embed good governance practices so that policies can be enforced in both controlled and uncontrolled environments, from a range of device types.
How ProjectVault can help you ensure GDPR compliance
For OpenText Content Server users looking to streamline their correspondence management practices and ensure GDPR compliance, ProjectVault has the ideal solution - the Correspondence Management Suite. It is an end-to-end correspondence management solution designed to enable Content Server users to capture, store, and process all types of business correspondence. The Correspondence suite includes modules for both Electronic and Physical correspondence tracking, thus covering all types of correspondence flowing within your organization. If you are a Content Server user looking to ensure GDPR compliance on the correspondence management side, ProjectVault's Correspondence Management Suite is the only complete correspondence management solution for OpenText ECM users.