A person’s right to be forgotten, or erasure as it’s now called under the GDPR, has received a lot of attention as part of the bigger legislative overhaul. It sounds simple enough, and if we look at it from a consumer’s perspective, the right to be removed from a company’s data bank once the transaction or relationship between them is complete is a fair ask. But from a business’s perspective, managing that change without good data management systems will be anything but simple.

The legislation states:

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d) the personal data has been unlawfully processed;

(e) the personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f) the personal data has been collected in relation to the offer of information society services referred to in Article 8(1).

What does that actually mean?

Organisations will be required to fully erase a person’s data from all repositories when:

  • The person revokes their consent
  • The purpose for which the data was collected is complete, or
  • The organisation is compelled to by law

‘Right to be forgotten’ at a glance

  • The right to be forgotten (erasure) and for processing to be restricted is an extensive and challenging change.
  • Individuals can require data to be ‘erased’ when there is a problem with the underlying legality of the processing or where they withdraw consent.
  • The individual can require the controller to restrict data processing while complaints (for example, about accuracy) are resolved, or if the processing is unlawful but the individual objects to erasure.
  • Not all data subjects will have an unconditional right to erasure. If, for example, there are legitimate, legal reasons for the organisation to retain and process data, the right to be forgotten won’t be enforced.
  • Controllers who have made data public, which is then subject to a right to erasure, are required to notify others who are processing that data with details of the request.

How will businesses manage this?

Full data erasure isn’t straightforward, and a standard ‘delete’ won’t always remove data from every source. That’s the important bit.

When a person requests that their data be removed, every piece of information on every file, register, index or mailing list must go, and never be recoverable, and that includes the data held on your back-up server. In order to do this, a business first needs to be able to identify, locate, and access that personal data, so a comprehensive data mapping solution needs to be put in place. Then, they need to take the required action to securely remove it from their systems. And that’s just the company the customer does business with.

In today’s world, consumer data is shared constantly with suppliers, delivery agents, resellers, partner companies and a long list of third parties that have been given consent somewhere down the line.

That adds a whole new level of complexity, because erasure extends to that wider circle: how can an organisation guarantee that every party deletes the data completely and safely?

Encryption to the rescue

Encryption is one way to meet the GDPR erasure obligation, ensuring data cannot be mapped back to any one person or prove usable in any way.

How does it work?

Encryption transforms data using an algorithm and a key so that the data is unreadable, and the only way to return it to a readable state is to supply the original, corresponding key.

If, however, that key is deleted, it becomes impossible to decrypt that data, which makes encryption plus key deletion (also known as cryptographically erasing the data) not just a viable solution to ‘the right to be forgotten’, but a quick and effective one.
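The key-deletion approach described above, as an added example that is not part of the original post: a per-subject key store written in Go using the standard library’s AES-256-GCM, where destroying a subject’s key renders every copy of their records unreadable. KeyVault, ErrErased and the subject ids are assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ErrErased is returned once a subject's key has been destroyed.
var ErrErased = errors.New("key destroyed: data is cryptographically erased")

// KeyVault holds one AES-256-GCM key per data subject (demo assumption: in memory; use a KMS/HSM in production).
type KeyVault map[string]cipher.AEAD

// randBytes draws key and nonce material; an entropy failure is fatal by design.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Encrypt seals a record as nonce||ciphertext||tag under the subject's key, generating a fresh key on first use.
func (v KeyVault) Encrypt(subject string, plaintext []byte) []byte {
	g, ok := v[subject]
	if !ok {
		block, _ := aes.NewCipher(randBytes(32)) // cannot fail: key is 32 bytes
		g, _ = cipher.NewGCM(block)              // cannot fail: AES block size is 16
		v[subject] = g
	}
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, []byte(subject)) // subject id bound as AAD
}

// Decrypt opens a record; once the key has been erased it returns ErrErased.
func (v KeyVault) Decrypt(subject string, data []byte) ([]byte, error) {
	g, ok := v[subject]
	if !ok {
		return nil, ErrErased
	}
	if n := g.NonceSize(); len(data) >= n {
		return g.Open(nil, data[:n], data[n:], []byte(subject))
	}
	return nil, errors.New("truncated ciphertext")
}

// Erase is the crypto-shredding step: with the key gone, every copy of the ciphertext (live, backup, third-party) is unreadable.
func (v KeyVault) Erase(subject string) { delete(v, subject) }
```

This only delivers erasure if every copy of the subject’s data, backups included, was encrypted under that key and no copy of the key survives elsewhere (key backups, escrow, logs).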

Flexibility and control

A well-managed encryption tool can also give an organisation a lot of flexibility, because it can be applied at different points in the data management journey, whether that’s at collection and file creation, for data at rest, or for data that is shared.

Getting help from the experts

Businesses that adapt to meet the GDPR requirements on this issue, and do it well, are the businesses most likely to prosper after the May 2018 deadline drops. It’s about taking the new requirements and designing solutions that tick multiple boxes at once, creating slicker, more efficient business processes that take the new regulations into consideration, so you thrive, as opposed to survive.

Millions of small businesses will be frozen with fear and larger organisations with legacy systems and IT infrastructure hurdles to overcome will need a lot of time and money to meet the new standards. So, if you’re not already on it, the time to act is now!

GDPR compliance is an organisation-wide project that will take up valuable resources if done in-house, but getting help from a certified GDPR consultant could be the better move. Smart businesses are working with us to help them:

  • Better understand their obligations regarding data protection and the rights of the individual, and bring their workforce up to speed on the new requirements
  • Identify the gaps in existing data management processes
  • Avoid the danger of multiple, short-term fixes resulting in a collection of difficult security issues down the line
  • Find a long-term, reliable and affordable solution
  • Integrate the software or hardware required to power new compliance processes
  • Design procedures that give businesses full confidence on everything from data management and security to compliance and vendor selection

GDPR is non-negotiable, but being able to prove you understand and respect the rights of your customers can only add to your business reputation and brand value, so maybe this is one part of the legislation that can benefit everyone.

As certified GDPR experts, pebble.it can help you meet GDPR compliance across your organisation, assessing the systems and policies you have and advising on what you need to do to avoid the risk of regulatory fines.

Discover the steps that will put you on the road towards compliance and how we can help you get there by downloading our GDPR-readiness checklist:
