According to Article 17 of the European Union’s General Data Protection Regulation (GDPR), all personal data that is no longer necessary must be removed and deleted. This aspect of the law, also known as “the right to erasure,” grants any user or customer the right to request that an organization deletes all data related or associated to them without undue delay, within 30 days. Moreover, the regulation carries heavy fines if a business does not comply.
These guidelines and rules have been in effect for the entire EU since May 25 but now the EU government is cracking down further on international enterprises, attempting to extend the EU’s right to erasure laws to all websites, regardless of where the traffic originates from. Companies are beginning to fight back on this ruling because they believe it would place an undue burden on them and would significantly alter the way these companies currently use and hold private data.
There are a several reasons why a data subject may request their private information be erased, such as: the original purpose for which that data was obtained has been fulfilled and there is no need to hold onto it any longer, the data was collected unlawfully, or the data subject is withdrawing their consent to use of their private information. When a right to erasure request is received, organizations must fulfill the request in a timely manner, following these steps:
1. Locate the person’s information.
2. Identify all processors that have used the personal information.
3. Identify any third-party companies that may have the person’s data.
4. Remove the personal data from the environment.
5. Respond to the person and confirm that all their data was erased from their infrastructure.
This five-step list may seem simple but in actuality is a major challenge for international companies with hundreds of thousands, if not millions, of customers around the world. Many companies suffer from an acute lack of infrastructure visibility, leaving them with a limited idea of where their data is located, making it extremely difficult to know where to start if they were asked to delete specific information.
It is clear that US privacy legislation is coming sooner than later, given California’s newly enacted privacy law, which will take effect January 2020. The bill raced through the State Legislature without opposition. As new data privacy laws begin to pop up across the US, here are some best practices that companies can follow to prepare and several policies to leverage so businesses can provide transparency to data subjects.
- The company should conduct a full environment configuration audit to see the true layout of their infrastructure. Knowing exactly where data resides is step one in ensuring IT and security professionals can comply with GDPR.
- Organizations, should set up a formal procedure for company employees to follow to ensure all data is saved where it should be. Determining and completing a hefty amount of right to erasure requests is difficult, especially in 30 days.
- Another major GDPR challenge comes in the form of third-parties. Businesses should consider keeping an updated list of all third-parties that receive customer data, and which data they have access to – these are subprocessors. Identifying a key individual at each partner company to serve as a contact to communicate erasure requests, and dump and discard any data that is no longer in use will be extremely helpful.
- A good tip is to regularly purge information using proactive retention policies and procedures since It’s not essential to hold onto private information that isn’t necessary.
Lastly, don’t forget about your backups. Best practices dictate that organizations backup data and systems regularly in case they get destroyed or an outage occurs. Access to backups may be limited to administrators and key security individuals, but some organizations have easy access to the data they store in backup instances, even on a granular level. Per the right to erasure regulation, if your organization can easily delete individual subject data from backups without undue hardship, they will be required to do so to completely fulfill erasure requests.
In other cases where backup tapes are stored at an off-site location and are securely overwritten, organizations may have a difficult time complying with an erasure request – instead, they may ensure that access is tightly controlled, and data will be destroyed in accordance with a documented data retention policy.
Transparency within the organization and with customers is the cornerstone to the right to erasure compliance. Every organization, and every piece of data, will continue to require a case-by-case assessment to distinguish where the data is exactly stored and how to fully erase the information. IT and security practitioners should focus on their organization’s reasoning and validation posture if faced with audits. The organization should be able to appropriately justify that policies, procedures and efforts are in place to handle data erasure requests and personal data management as a whole.