Updated September 2020. Originally published as “Architecting for GDPR: The right to be forgotten” in November 2017.
As companies work through their data privacy compliance plans, at some point they all come up against the issue of how to technically address the rights given to data subjects. One of these rights is the right to erasure, also known as the right to be forgotten.
About the right to erasure
What is the right to erasure?
The right to erasure is a concept introduced in Europe’s 1995 Data Protection Directive. More recently, it was featured in GDPR, but it also exists in CCPA as a “qualified right to deletion.” Essentially, it requires companies to expunge an individual’s personal data “without undue delay” if that person is protected by one of these laws and:
- asks that their personal data be erased
- withdraws their consent
- if the data is no longer needed for its original purpose, or
- the data was unlawfully collected
Exceptions to the right to erasure/right to deletion
There are exceptions to when companies must comply with erasure/deletion requests. Under GDPR Article 17, data can be retained:
- for exercising the right of freedom of expression and information
- for compliance with a legal obligation
- for reasons of public health interest
- for archiving purposes in public interest, scientific or historical research purposes, or statistical purposes
- if it pertains to the establishment, exercise, or defense of legal claims
Under CCPA Section 1798.105, data can still be retained following a deletion request if it is used:
- to complete a transaction, perform a contract, or continue an existing business relationship
- in relation to security incidents or illegal activity
- as a tool to fix errors in intended functionality
- to exercise other rights given by law
- to comply with the California Electronic Communications Privacy Act
- in research that is in the public interest
- internally to further expected business functions
- to comply with legal obligations, or
- in a reasonably expected way for internal purposes only
Though they may seem numerous, these exemptions should not encourage businesses to be lax about compliance or their ability to fully respond to erasure requests.
Why companies struggle with the right to erasure
Many organizations are challenged by erasure/deletion requests due to their data management practices and handling/storage of data—specifically in regard to data proliferation. Key data that should be maintained and accessed from a central location can end up in other locations, intentionally or unintentionally. Data is typically dispersed across
- multiple business units, applications, and environments (development, test, production)
- BI and analytics
- secondary storage systems for data protection and backup—both on-premise and in cloud applications
In short, the normal, everyday course of running a business and using data to make decisions is often enough to cause data proliferation, resulting in a data subject’s information being fed into a dozen or more separate systems.
While data proliferation may be necessary, many organizations do not adequately track the movement, replication, and access to this data across internal lines of business (LOBs). These LOBs often have varying levels of data maturity, day-to-day processes, and data usage. This lack of documentation and unification across LOB’s puts the organization at risk of non-compliance, and worse, a potentially massive fine.
What happens if an organization can’t comply with a request for erasure?
Companies unable to accommodate a request for erasure face steep fines that vary depending on three things: the regulation in question, the offender’s behavior, and the offender’s intent.
Right to erasure fines for GDPR vary, but data subject rights requests may result in fines of $23MM or 4 percent of revenue.
Like GDPR, CCPA fines vary. There are two tiers of fines, each of which are incurred per violation. Businesses that fail to rectify their non-compliance within 30 days of notification face:
- Fines of up to $2,500: These are imposed for unintentional violation.
- Fines of $7,500: These apply for intentional violations.
While GDPR is the standard for regulations worldwide, and CCPA for the U.S. to date, upcoming regulations may have stricter or more particular stipulations. Companies should remain aware of proposed and pending regulations that could affect their practices and compliance. In fact, CPRA (sometimes referred to as CCPA 2.0) is currently on the California November ballot and has a strong likelihood of passing. A newly revised Washington Privacy Act, which also contains deletion rights, is also back in play.
How to erase personal data
If a data subject decides to exercise their right to be forgotten, companies should be prepared to comply with this request in a timely manner. There are several measures that you’ll need to address before architecting a solution:
1. Evaluate and understand:
- what personal data you have (both structured and unstructured)
- where that data is located (in which applications, on premises or in the cloud)
- where the data is primarily managed and processed within your organization
- what data retention regulations apply
2. Gain a complete understanding of data movement, including:
- where, when, and how data entities and attributes travel within your organization, and
- how this data travels to external service providers, partners, and other data processors
This includes all data across applications, servers, storage, endpoint devices, and cloud locations. Documenting data flows (inside and outside your organization) is a great first step to understand the data lifecycle and contribute to your organization’s data privacy readiness.
Architect for erasure
First, identify which of this data is privacy protected. If you are creating an automated solution for the right to erasure under GDPR, you need a solid, well-developed strategy that’s both realistic and efficient — one that accounts for source data, data that is on premise and cloud applications as well as data on endpoint devices, and one that includes both structured and unstructured data.
Organizations that centrally manage the sourcing, editing, querying, access, and projection of data, using data management services (e.g. MDM, data access management, and data encryption) will have an easier time complying with the “right to be forgotten.” While this architecture approach is more complex to implement, it greatly simplifies the ability to centrally erase all data pertinent to an EU subject while also improving the quality of all key enterprise data.
Data privacy software can help your organization automate this process. However, while data privacy software can expedite the creation of data inventories and data maps, it’s important to acknowledge that it can’t deliver the complete picture. Any data privacy software you use must be supplemented to account for orphaned data and business context that only interviews can reveal.
One often overlooked area is source data. To comply with data regulations, your data erasure solution must include any sources used to instantiate records in your systems, such as:
- Scanned documents
- Bulk data feeds
- Data collected by customer support/help desk personnel
- Input from third parties such as marketing firms and partner organizations
- Voice recordings from IVR systems
Ensure your system is auditable
To comply with regulations like GDPR and CCPA, an erasure system must be auditable. The interface must include the ability to query a specific data set and in turn, generate a list of data location(s). Then, the personal data in question may be purged, creating an audit trail of the process. This audit trail shows that a query was performed, leading to the identification of the data in question and the subsequent deletion of the data.
Architecting for the future
As new privacy regulations continue to be introduced across the United States, the right to erasure remains an important element of current compliance requirements. Architecting your infrastructure to enable swift and thorough responses to data erasure requests can minimize the long-term time and effort required to maintain compliance.
Like what you see?
Executive Team member Jill Reber is a nationally recognized expert on data privacy — particularly GDPR, CCPA, and other data protection laws — and has spoken on the topic at conferences sponsored by American Banker, International In-House Counsel Journal, and other national and international organizations.