Picture a bright sunny morning in June of 2018. A user of your web site, application, or online services walks through your front door — or more likely, sends you an email or snail-mail letter — invoking Article 17 of the recently-enacted EU General Data Protection Regulation (GDPR), the “right to erasure,” a/k/a/ the “right to be forgotten.” In plain English, the individual requests that as the “data controller,” you erase all their personal information in your possession, down to every last digitally-stored 1 and 0. Why, you ask? They don’t have to tell you, so practically speaking, it doesn’t matter.
What does matter is that you comply, without undue delay, and at no cost to the requesting party. Specifically, you must erase all their personal data wherever it exists: in files, databases, replicated copies, backup copies, and archived copies too — the whole digital nine yards. You also have to demonstrably prove that you’ve done so. And if you’ve ever shared this person’s data with another organisation, it’s on you to contact them and convey the erasure demand.
Welcome to a brave new world in which data privacy is regulated in every way you could possibly imagine… and some you probably couldn’t. The GDPR places these burdens on the data controller, defined as “the individual or legal person who controls and is responsible for keeping and using personal information on computer or in structured manual files.” Effectively, this means your company’s IT department.
In addition to creating the right to be forgotten, Article 17 restricts the use of people’s personal data to the original purpose it was collected it for. If you want to process or use it in any other way, you must get the data subject’s fresh, clear consent.
These are daunting decrees. A deeper dive reveals just how potentially disruptive and expensive their repercussions may be.
Comply with GDPR…
First of all, the GDPR has a decidedly global domain. It doesn’t matter where the data is stored or where your company is located. If the “data subject” resides in the EU, the GDPR in general and Article 17 in particular apply. Secondly, “without undue delay” means days, not months. No excuse, justification, or defence is acceptable for non-compliance with an EU citizen’s erasure request. Every instance and copy of their data in your possession must be expunged, and quickly. Never mind that right now, most companies couldn’t track down every one of these instances — even if their corporate lives depended on it. The thing is, it well may:
… Or Else
It’s safe to say that IT has rarely seen fines of this magnitude. Just for a single case of failing to purge someone’s data, you can be assessed up to 4% of annual global revenues, or €20 million (about $23.7 million). Whichever is — gulp — greater. Another penalty example: If you’re unable to prove that you’ve indeed removed a requester’s data, the fine is 2% or €10 million. It’s no wonder IT is getting serious boardroom pressure to deploy robust erasure and verification schemes.
Just to cap off the grim news, the GDPR will not have a gradual or rolling adoption. Neither is there a grace period. The deadline is hard and fast. At this juncture, IT had better interpret “fast” quite literally. Hopefully your company is already well on its way to developing and deploying a compliance strategy.
Rising to the Challenge of GDPR Right to Erasure
Before you can erase someone’s personal data, you have to locate every instance of it. Just how do you go about that? If the information is housed in a database, how many copies of the data store exist, and where? Personal info also resides in systems like CRM and marketing automation, which have their own distinct databases. And the information often finds its way into various and sundry PowerPoints, spreadsheets, Word documents, and the like. IT has to understand this and know how to quickly locate the data everywhere it resides. The trouble is, today’s infrastructures and applications weren’t designed for universal indexing and search. And then there are archiving systems. Imagine yourself manually combing through a roomful of dusty cassette tapes to find every instance of a single customer’s information. It’s enough to prompt IT executives to consider alternative careers.
Not surprisingly, there is no generally accepted GDPR solution in widespread use today. Enterprises are working on concocting one. It’s a necessary but complex and expensive undertaking that won’t produce any revenue in return.
Ironically, some key Digital Age innovations further complicate Article 17 compliance. One such is mobile business apps. Picture an insurance adjuster using one on his phone, snapping photos of a damaged house and then appending the homeowner’s name, contact information, property value, and other details. One click and the entire record is uploaded to his laptop, with copies to several claims-related systems. As estimates, invoices, and other follow-on documents roll in, they’re scanned and added too. If and when the homeowner ever asks to be “forgotten,” all of this must be erased everywhere, including on the estimator’s mobile phone.
Do you utilise third-party IT providers for cloud services or other functions? If so, you face another set of Article 17 conundrums. “If you use third parties for any of this, you’ve got to make sure you understand what they’re doing, because you’re kind of jointly liable for all of it,” says senior IT executive Gary Watson. Even if you are the third party, you could get into serious trouble if people are storing this data on your systems and you don’t understand your role in this.”
Plummeting hard disk prices have created another paradox: Storage is now so inexpensive that it’s cheaper to hold onto all data forever rather than periodically sift and cull selected portions. When GDPR Article 17 comes into force, you’ll need the ability to scour overstuffed repositories to isolate and delete very specific data sets — on demand.
Numerous compliance schemes are being proposed and assessed, including encryption of personal data with individual keys. Application-centric techniques, however, have downstream drawbacks. Storage-level strategies do not.
By Paul Turner, CMO, Scality
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.
Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/