In May of 2018, the European Union’s General Data Protection Regulation (GDPR) went into full force, and it remains the most comprehensive and influential data privacy regulation globally. Although it has been several years since the GDPR was enacted, businesses large and small still struggle to comply with Article 17 of the GDPR, the “Right to Be Forgotten.” The Right to Be Forgotten, or the Right to Erasure, is an individual’s right to request that specific data about themselves be erased or deleted by organizations. The IAPP-EY Annual Governance Report in 2019 stated that businesses find complying with Erasure Requests the most difficult of all the GDPR requirements to manage. This article explores critical ways that companies can conquer issues with the Right to Be Forgotten: knowing what types of personal data they may have, developing a process to identify personal data, and finding the best ways to delete personal data.
1. Know what personal data you have about data subjects and what data can be “forgotten” under the GDPR
Once a company has a “big picture” of the data they retain about individuals, it is critical to determine what data, if requested, can or cannot be deleted according to Article 17 of the GDPR. For example, the GDPR has exceptions to the Right to be Forgotten, like the Right to Freedom of Expression, data used to comply with EU legal obligations or claims, public health matters, and data archived for the public interest, scientific or historical research, or statistical purposes. Knowing what can or cannot be forgotten may be a good starting point for determining the scope of data you may need to forget.
Aparavi gives you a high-level overview of the amount of personally identifiable information (PII) or sensitive data your company collects that is subject to the GDPR or other European data privacy laws, and where that information is located across your entire organization, from one easy-to-use dashboard.
2. Develop a process to locate personal data
The Aparavi Platform also functions as a search engine for all of your enterprise’s unstructured data, enabling you to quickly search for a particular piece of PII, with customizable confidence levels, and promptly respond to an Erasure Request or other data access request. In addition, you can build complex queries easily, with no coding or IT background needed.
3. Develop a process to “forget” data
How do you “forget” the data once you locate it? Once a company has received a data access request and confirmed that it holds data eligible for deletion, it can manage how and when the deletion occurs. Data deletion can be a considerable challenge, depending on how much of an individual’s data must be erased and on how much of the deletion process can be automated using technology. Companies should also look toward developing a strategy to delete data on a schedule, to avoid the business disruption of deleting data on an ad hoc basis. It is still important to keep a log of the requests for deletion and the action taken, whether you complied or you have an alternate basis for keeping the data, as in step 1 above, so you can demonstrate GDPR compliance.
The Aparavi Platform allows you to take action on your data, whether to delete or archive the information to a more secure location. In addition, Aparavi automates your data governance policies to enable you to take bulk action on your data, in accordance with your company’s deletion schedule.
Although the Right to be Forgotten is a concept in the GDPR, we continue to see other countries implementing these deletion rights into data privacy legislation, including the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Companies that develop processes and procedures around the Right to be Forgotten will be better positioned to respond to these requests as they continue to become part of future data privacy laws.