With the threat of enormous fines for losing personal data belonging to EU citizens, most businesses are rushing to strengthen their security provisions before GDPR go-live in 2018. Attracting significantly fewer headlines however, is the “Right to be Forgotten” aspect of the new regulations.
Under Article 17 of the GDPR, any European or UK citizen will have the right to ask any organisation to delete any personal data they hold. There are several specific conditions under which these requests may be made, but the reality is that people can simply choose not to share their personal information with your business any more.
Data removal must be completed quickly
When an organisation receives a request from an individual, they must complete the deletion operation “without undue delay”. The GDPR wording does not specify an exact time frame, but most experts believe that businesses will have 30 days to comply; requests that take longer will begin to attract the attention of the Information Commissioner’s Office (or other local EU equivalent).
As well as deleting the data, your business will also need to inform the individual when your business has completed the operation.
Not just “live data”
Deleting data from live systems is relatively straightforward once a protocol has been established. But the right to erasure covers all data held by your business – and herein lies the real challenge.
In order to meet the requirements of GDPR Article 17, your business needs to completely eradicate every instance of an individual’s data. Which means that all of your archives and cold-storage backups will also need to be cleaned. When dealing with several year’s worth of backup tapes, deletion requests are going to be time and resource intensive – and therefore quite expensive – to fulfil. Importantly, GDPR makes no provision for recompense – your business will not be able to bill individuals making erasure requests under Article 17.
You should also note that GDPR does not provide any additional time for erasure requests from archives. Technical complexity is not a valid reason for delaying deletion – so you should assume that the same 30-day window applies to every copy of every information asset held in every data store.
Plan for erasure requests
Clearly any business handling personal data will need to seriously consider the processes required to delete data. They may also need to look at ways to streamline technology so that they can retrieve and delete data from archive media more quickly.
Moving forwards, mechanisms for retrieving and deleting data will have to be a factor in purchasing considerations for new systems and services. This is relatively straightforward for in-house systems, but the same requirements also apply to Cloud-based systems and Software as a Service (SaaS) applications. Your business must establish how data will be deleted from these remote data centres too.
To further protect your business, details of the procedure for logging an Article 17 erasure request should be included in your terms of service and contracts. In this way, you not only set out what customers can expect from your business moving forwards, but also secure the ‘opt in’ required to store and process personal data.
GDPR – data retention and destruction
In the remaining months before GDPR comes into force, your business needs to take a holistic approach to customers’ personal data. Your plans must cover how information is to be deleted, as well as protected – or you may still find yourself on the receiving end of a sizeable fine.
To learn more about GDPR and the effect this legislation will have on your field sales team, please get in touch.