In an ironic twist of fate, the European Commission (EC) became one of the first victims of its newly-enforced General Data Protection Regulation (GDPR) a few days ago. According to news reports, the EC had several spreadsheets posted on its web site that displayed personal information of EU data subjects – including names, email addresses and physical addresses – without consent.
The fallout from this disaster is still being sorted out. For its part, the EC said it will take down the spreadsheets but that, in essence, it doesn’t have to comply with its own regulation. Only time will tell if this rationale can hold up. Meanwhile, the EC’s reputation has taken an embarrassing hit.
We can use this “cobbler’s son has no shoes” moment to highlight a major challenge many businesses are facing as they develop their GDPR compliance strategies: how to handle the data subject’s right to erasure.
Right to Erasure 101
Under Article 17 of the GDPR, individuals have the right to have their personal data erased upon request, or after a period of inactivity. This is also known as the “right to be forgotten”.
Consumers can exercise this right any time they want, and the burden is on the business to respond within one month of the request with:
- Confirmation that the request has been met, or
- An explanation of why the request has not been met, including instructions on how the consumer can make a complaint to a supervisory authority.
For global enterprises with wide-ranging third-party systems and legacy data stores of customer data, enforcing this right is a complex problem. To show why, let’s take the European Commission’s story a few steps into the future.
“Right to Erasure” Customer Data Challenges Through the EC Use Case
Meet Jane. She’s a fictitious attendee of the 2013 Scientific Colloquium Series hosted by the European Food Safety Authority. More recently, she’s learned that she’s one of the 101 attendees of this event who have had their personal data posted to the EC’s web site without consent. In her anger, she has visited the Commission’s “Write to us” page, filled out the form, and sent a message with a simple request: “Delete all my data immediately.”
First, let’s look at why this is a valid request for erasure. According to the U.K.’s Information Commissioner’s Office, an individual can make a request for erasure verbally or in writing. It can be made to any part of an organization and does not have to be directed toward a specific person or point of contact. In addition, the request does not have to include the phrase “request for erasure” or “Article 17 of the GDPR”.
This highlights one of the major challenges businesses face when dealing with these requests: capturing and recording them. In our example, the EC would need a process for flagging the request in its repository of messages received through its public “Write to us” page. It would then need a process to verify that Jane was indeed a data subject who had made the valid request. Lastly, it would need a way to record the event for auditing purposes (if the EC were playing by its own rules).
Under the GDPR, requests for erasure apply for a multitude of reasons. One of the most typical: the personal data is no longer necessary to fulfill the purpose for which the organization originally collected or processed it. Since the EC originally collected Jane’s information to include her on an attendee list for an event several years ago, her request definitely needs to be honored.
This shines light on another major challenge: enforcing the request. Does the EC have Jane’s data stored anywhere else? What about third-party or downstream systems? As a “data controller” under the GDPR’s definition, it’s the EC’s responsibility to ensure that Jane’s data gets erased from every system it may have been propagated to. Without a centralized data store for its consumers’ personal data, the EC is facing a “needle in a haystack” search across all its internally- and externally-facing systems.
Lastly, there’s the question of maintaining a durable record of this event. While Jane has requested to be forgotten, the EC still needs to maintain her erasure request and a customer ID for her so it can prove it acted in accordance with GDPR requirements. This requires encrypted storage of certain attributes for deleted accounts, such as an email address and a history of consent. Without a strategy for accommodating the erasure request while saving the requisite data for potential audits, a business is at risk of being caught out of compliance with the GDPR.
Want to Learn More?
As you can see, the right to erasure means much more than deleting data. It is a prime example of why global organizations need a holistic approach to addressing consumer data privacy that begins with centralized and comprehensive management of customer data.
Sign up for our upcoming webinar with Fatemeh Khatibloo, Principal Analyst for Forrester, to learn how your business can balance best-in-class consumer privacy with relevant, personalized digital experiences for customers.
By Natalie Monetta