The GDPR Right to Be Forgotten: How Will It Work?
With less than two months to go before the GDPR effective date, companies around the world are beginning to flip the switches on the new products, business processes, and communication campaigns they’ve implemented in hopes of complying with the law.
Despite the EU’s efforts over the last two years to explain what the regulation requires and how it will be enforced, a great deal of uncertainty remains. Until GDPR supervisory authorities begin to issue fines for noncompliance—and organizations begin to challenge those fines in court—no one can say for sure which of the law’s provisions deserve the most attention.
The GDPR’s much-publicized “right to be forgotten,” however, seems certain to generate interest on the part of consumers, corporations, and supervisory authorities from day one.
Organizations might believe (accurately or not) that their existing business processes are already in compliance with many GDPR requirements, such as provisions that call for protecting data against cyber threats, or building data protection into their operations by design. The right to be forgotten, on the other hand, is an entirely new concept for most organizations, and one that they may need to take action on immediately.
Although the concept of a right to be forgotten already exists in Europe, until now it’s been limited mainly to search engines, and hasn’t been consistently enforced. Starting on May 25, however, the law gives every EU citizen “the right to obtain from [a company that has collected personal data] the erasure of personal data concerning him or her without undue delay.”
There are some situations in which a company can claim that it’s exempt from the requirement, or that it’s actually required to retain an individual’s data, but the grounds for individuals making a request are very broad. Individuals can request deletion because they believe there is no legitimate reason for a company to process their data, because they object to the processing, or simply because they withdraw their consent for their data to be processed.
Given the growing level of concern about data collection by corporations and the misuse of personal data, it seems all but certain that EU citizens will be lining up around the block to request the deletion of their information, and to file lawsuits against companies they believe have failed to carry out the request.
Pressing the Delete Button
The question, then, is what a company is expected to do once it receives a deletion request. The answer will depend on what type of data the company has and where that data is.
Structured data—information stored in a database—should be fairly manageable for most organizations. Database administration tools give companies the ability to find and delete records based on certain criteria, and to generate audit trails showing that the records were deleted.
But what about unstructured data—the information contained in documents, spreadsheets, email messages, images, and everything else outside the orderly world of a database?
Unstructured data poses a much bigger challenge for a number of reasons. Even though it accounts for 80 percent of the data at a typical organization, most companies lack visibility into the amount, location, and content of their unstructured data. Many organizations would have no way of knowing whether a given individual’s information was stored in its file servers, cloud storage services, or employee laptops. If an individual were to discover that his or her data existed in one of those places after submitting a request to be forgotten, a complaint or lawsuit would be almost sure to follow.
If a company does find an individual’s information in its unstructured data, it faces another challenge: How can it delete the data without losing data it needs to retain? Some files might pertain only to a single individual, but other files would likely contain data on many other people in addition to the person requesting deletion. In these situations, organizations may need to use a manual process to delete specific individuals’ data, or implement a solution that can do the job automatically.
PK Protect Can Help
Until further guidance is issued, and until the remaining questions are answered in the courts, companies may not know exactly what their obligations are with respect to the GDPR’s right to be forgotten. Whatever the answers turn out to be, organizations that do business in the EU will need more visibility into their unstructured data and more control over what happens to it.
In addition to facilitating enterprise-wide encryption, the PK Protect suite provides capabilities that organizations can use to gain unprecedented visibility and control over their data. PK Protect’s automated data protection workflow allows companies to scan desktops, laptops, and shared file locations for a wide variety of data types, including specific strings of text or numbers.
Once PK Protect detects sensitive data via PK Discovery, it offers a range of options for remediation. Files containing sensitive information can be encrypted, moved, quarantined, or deleted. Organizations can also configure PK Masking to mask or delete certain text within files, potentially addressing the complex challenges posed by the GDPR’s right to be forgotten.