Architecting for GDPR: The right to be forgotten
As companies work through the checkboxes on their GDPR compliance plans, at some point they all come up against the issue of how to technically address the rights given to data subjects by the GDPR. One such right is the right to erasure, also known as the right to be forgotten.
It pays to have a healthy dose of paranoia about GDPR. Feeling some unease about whether or not your company is compliant with all its requirements makes sense. The regulation’s personal data definition is broad by design, and many companies are unaware that the GDPR applies to them. Those firms are headed toward potential fines that could reach $23MM, or 4 percent of the prior year’s worldwide revenue — whichever is higher. There are two tiers of fines: While fines of up to $11.5MM or 2 percent of revenue can be imposed for various administrative infringements, such as failing to keep adequate records, the more significant fines of $23MM or 4 percent of revenue apply for more serious wrongdoing, including not providing data subjects with their rights.
So what is the right to be forgotten? Basically, if someone protected by GDPR asks you to erase their personal data, or withdraws their consent, or if the data is no longer needed for its original purpose, you must delete the data “without undue delay” (see full text of the regulation here). Locating and tracking personal data and understanding how you are processing it can be the biggest challenge in fulfilling erasure requests. Poor data management practices and improper handling/storage of data are potential roadblocks to “Right to be Forgotten” compliance.
How to truly erase data for GDPR
If a data subject decides to exercise his right to be forgotten, you need to be prepared to comply with this request in a timely manner. Data is typically dispersed across multiple applications and multiple environments (development, test, production), BI and analytics, as well as secondary storage systems for data protection and backup — both on premise and in cloud applications. There are several measures that you’ll need to address before architecting a solution to ensure GDPR compliance.
- • Evaluate and understand
- • what personal data you have (both structured and unstructured)
- • where that data is located (in which applications, on premises or in the cloud)
- • where the data is primarily managed and processed within your organization
- • who has access to it
- • how long you hold the data
- • whether other data retention regulations apply
- • Gain a complete understanding of data movement — that is, where, when, and how data entities and attributes travel not only within your organization, but also to external service providers and partners or to other data processors.
The challenge: Data proliferation
Consider how data can spread both inside and outside of your organization. The challenge with the right to erasure lies in dealing with data proliferation due to a lack of proper data management and fragmentation of data stores. Key data that should be maintained and accessed from a central location can end up in other locations, intentionally or unintentionally. The normal, everyday course of running your business and using data to make decisions is often enough to cause data proliferation. While data proliferation may be necessary, many organizations do not adequately track the movement, replication, and access to this data.
Under these conditions, a data subject’s personal data may be fed into a dozen or more separate systems. If you don’t know where that data is, where it travels and where it ends up, you could be hurtling toward non-compliance, and worse, a potentially massive fine.
The solution: Architect for the right to be forgotten
The first step is identifying privacy-protected data across applications, servers, storage, endpoint devices, and cloud locations. If you are creating an automated solution for the right to erasure under GDPR, you need a solid, well-developed strategy that’s both realistic and efficient — one that accounts for source data, data that is on premise and cloud applications as well as data on endpoint devices, and one that includes both structured and unstructured data.
If you have highly distributed personal data — intentionally or not — you may want to take a federated approach by architecting individual services that “sit on top of” the distributed data stores, providing erasure and auditing functionality compliant with GDPR.
Organizations that manage the sourcing, editing, querying, access, and projection of EU subject data centrally using data management services (e.g. MDM, data access management, and data encryption) will have an easier time complying with the “right to be forgotten.” While this architecture approach is more complex to implement, it greatly simplifies the ability to centrally erase all data pertinent to an EU subject while also improving the quality of all key enterprise data.
Data erasure solution considerations
To comply with GDPR, an erasure system must be auditable. The interface must include the ability to query a specific data set and in turn, generate a list of data location(s). Then, the personal data in question may be purged, creating an audit trail of the process. This audit trail shows that a query was performed, leading to the identification of the data in question and the subsequent deletion of the data.
Lastly, one often overlooked area is source data. One must make sure the data erasure solution purges any personal information used to instantiate EU data subject records in your systems. This can include the following:
- • Scanned documents
- • Bulk data feeds
- • Data collected by customer support/help desk personnel
- • Input from third parties such as marketing firms and partner organizations
- • Voice recordings from IVR systems
Need help with data privacy compliance?
See how Logic20/20 can help.
Executive Team member Jill Reber is a nationally recognized expert on data privacy — particularly GDPR, CCPA, and other data protection laws — and has spoken on the topic at conferences sponsored by American Banker, International In-House Counsel Journal, and other national and international organizations.
Follow Jill on LinkedIn