ASG is now part of Rocket Software! Please visit to learn more. Follow our journey
Blog > May 2019 > Right to be Forgotten: Part 2

Right to be Forgotten: Part 2

In our last blog post on the Right to be Forgotten, we discussed how businesses benefit from complying with data regulations. From avoiding fines to securing market share and improving productivity—what’s the downside? Well, reaching compliance most often means modernizing your information management strategy, which can be a significant undertaking. In fact, while compliance is a universal issue, the path and processes needed to achieve it can vary for each organization.
Challenge: There Isn’t One Silver Bullet
Consumer information residing in organizations is vast, wide and varied—and not to mention, growing at an alarming rate. Most organizations have 6 to 10 content repositories deployed in the organization, not to mention a vast array of other locations and applications that also maintain customer’s personal information, including: ECMs, ERPs, CRMs, LOBs, shared drives and collaborative systems, email systems and even paper.
What’s more, the dividing line between structured and unstructured data is being erased by regulations like the Right to be Forgotten. Whether a consumer’s personal information lives in a document (unstructured) or in databases or data lakes (structured), organizations need to prove they’re in compliance. Bottom line. A comprehensive information management strategy that encompasses all data and documents is required.
Advanced Retention and Redaction
Retention and redaction help with compliance across several use cases. ASG’s financial services customers, for example, want to make sure unstructured content—namely transaction print streams— is not maintained longer than required by law. Not only are these financial institutions concerned about GDPR compliance, but they want to remove any liability that exposes them to future class action lawsuits or legal cases. ASG worked on a recent project that took the following steps: 
  • First, the bank needed an automated process for event-based retention. That way, when a customer account was closing—an event that occurs in the bank’s CRM—it automatically triggers updates to retention dates on all applicable customer documents in their enterprise content services platform, Mobius.
  • Next, the bank required an easy approach to apply legal holds to customer documents. In the past, if there was a lawsuit or legal request, the bank’s team manually gathered those documents and maintained them on shared drives for the length of the lawsuit. Not only was this inefficient, but it also meant the documents were not encrypted at rest, did not have redaction functionality and were difficult to manage. With Mobius, the deletion process could simply be frozen until the lawsuit came to fruition.
  • Finally, the bank implemented extensive logging and tracking capabilities. With these practices in place, knowledge workers could quickly respond to audit requests for how the bank adhered to governance policies around retention schedules, the redaction of personal information and who was granted access to customer documents.
These governance capabilities are also critical for sharing personal information outside the organization. Human resources, which handles employee data, is one of the departments most affected by the GDPR. For example, contracting companies need to make sure each individual they hire has the necessary paperwork to comply with federal and state law—for example a work visa, a driver’s license or a social security card. This process requires sharing a lot of personal information; yet in most cases, the company doesn’t need the specific details, such as the digits in a social security number. They only need to confirm that the documents are valid and current. In this case, redaction plays an important role in ensuring only the appropriate information is exposed as it is shared.
Data Regulation versus Industry Regulation
Organizations need to actively consider all regulatory requirements, not just those around data privacy. In some cases, data regulations and industry regulations are at odds with one another. For example, a consumer may ask an organization to delete their personal information—evoking their right under the CCPA—but the organization is obligated to keep a document for seven years under specific industry regulation. Redaction and retention capabilities help organizations navigate this complex field of overlapping, and at times competing, regulations. Redaction allows organizations to mask the personal information, and event-based retention allows them to get rid of it when it’s no longer legally necessary.
As the number and breadth of data regulations continue to evolve, it will be even more important for organizations to identify and implement a compliance strategy that works for their business. Organizations that set up for continuous review and ongoing efforts to address compliance by making this a part of their culture now will make better IT decisions and investments—and be more prepared to handle future complexity.
For more information on the retention and redaction capabilities offered by ASG’s Content Services, visit the Mobius product page, or click here to watch our webinar on the Right to be Forgotten. To learn how ASG helps our customers comply with regulatory standards and more, read this case study on Clemson University.