Since the EU’s General Data Privacy Regulation (GDPR) was introduced in 2018, some UK companies have faced fines of up to €20 million, or 4% of annual worldwide revenues, for violation of data protection regulations.
In a proactive move to reduce the risk of violating these regulations, one of the largest business and commercial banks in the UK wanted to implement compliance with GDPR as part of an ongoing program to improve transparency, accountability and security, and to limit the amount of data stored. The bank needed three outcomes: a sound methodology and systematic way of identifying and deleting personal data no longer needed for a specific business purpose; better visibility and control; and the ability to easily demonstrate compliance.
Deletion of over-retained data is a complex problem
Different retention and deletion rules are in place for multiple jurisdictions and record types, such as CEO meeting notes, account closures, loan applications and staff records. Added to this already complex problem, data and documents are held across many disparate systems, which presents the additional challenge of determining who is accountable for the retention and deletion of records.
Most organizations take the approach of anonymizing data, fearing that over-deletion might occur or doubtful of their ability to identify all of the related data that needs to be deleted. This bank wanted instead to be a leader by systematically deleting data in an industrialized way.
Business outcome drove the solution design
The bank was struggling to determine how to apply GDPR compliance. The sheer volume of systems (more than 1,000), and the complexity of how the data is interconnected, led to a fear of deleting data in any one system without understanding the potential impact on other systems downstream.
DXC Technology suggested an approach which enabled the bank to apply its already mature record management methodology. We started with understanding each business process and breaking it into components that could be addressed through the development of a central record orchestration engine. With a detailed understanding of business processes, products and customer interactions, we were able to unpick the complexity of the interconnected data and provide clear data lineage to facilitate deletion.
DXC’s Information Governance specialists then worked in close partnership with the bank’s record management specialists, to design a business methodology and framework for the systematic deletion of records mapped to the bank’s retention policies and schedule. This business-led approach informed the iterative development of an industrialized, automated information life-cycle management (ILM) solution, with data lineage mapped so that when an event trigger is activated, such as an account closure, related data can be deleted from all systems.
The componentized, technology solution, was built using a combination of commercial, off-the-shelf software and IP developed to manage and automate very specific processes. While deletions are mostly automated, manual validation is built in as a safeguard: ownership of the business record data mapping is in the hands of three key stakeholders who represent the business, record management and technical delivery. The final decision to delete data lies with a records management specialist. Manual validation, supported by automated recommendations, augments the system’s decision, thereby improving timeliness and accuracy. Once the decision to delete has been approved, the system automatically deletes the data based on the data mappings already established.
Benefits beyond compliance
Implementing the ILM solution has not only facilitated the bank’s achievements in evidenced-based GDPR compliance. It has also provided a solid data foundation that continues to add value and deliver an ongoing return on investment. The iterative, evolutionary approach has delivered a highly sophisticated solution that will support future record management initiatives and policy changes.
The bank now has much greater control and visibility over its data estate. Systematic reporting against key performance indicators is provided to senior executives and regulators, and compliance can now be forecasted, enabling the bank to recognize where it may need to make adjustments.
As focus grows on environmental, social and governance (ESG) issues, the systematic deletion of records reduces the size of data that needs to be stored. This has an impact not only on lowering data storage costs, but also on the bank’s carbon footprint.