The General Data Protection Regulation (GDPR) is designed to give EU citizens more control over their private data, while requiring companies to boost data protection and limit the processing of personal information.
Although the regulation is far reaching, one of the biggest implications, and potentially biggest headaches for companies, is a person’s right to erasure, which is what we’re focussing on here.
What you need to do
When the regulation comes into force on 25 May 2018, individuals will be able to request a copy of the personal data you hold on them for free, and they have the right to erasure (also known as the right to be forgotten), asking for their data to be deleted.
As simple as these statements are, the onus to deliver on them is firmly placed on each company, and implementation of the required processes may not be straightforward.
There are two main difficulties. First, providing information may not be simple, as personal data is typically present across multiple systems.
Secondly, complying with the right to erasure can be tricky, as some data has to be retained legally. As the UK’s Information Commissioner’s Office (ICO) states, “The right to erasure does not provide an absolute ‘right to be forgotten’.” Rather, individuals can only request that certain information can be deleted, and your company can refuse to comply with a request for any of the following reasons:
- To exercise the right of freedom of expression and information
- To comply with a legal obligation or for the performance of a public interest task or exercise of official authority
- For public health purposes in the public interest
- Archiving purposes in the public interest, scientific research, historical research or statistical purposes
- The exercise or defence of legal claims
The reality is that the receipt of a request for deletion will require personal data to be removed from some systems, but not others.
For example, your company may have 10 data stores, including a finance system and tax-compliant system. To fulfil a request to delete an individual’s details, you may legally need to save the finance and tax details, only deleting information from the remaining eight systems.
How we can help
Manually performing the data deletion can be very time-consuming, and smart automation is required. Red Olive can help in a number of ways:
- We can apply our compliance check to assess your organisation’s current level of readiness and identify where your biggest gaps lie.
- Based on the compliance check, we can help you redesign your business processes to ensure future compliance. For example, we can provide data management processes that either store and update data centrally or propagate required changes to customer records throughout your organisation.
- Where the business value of information is high, such as in investment and insurance, Red Olive can implement complex policies through a control plane that sits above all your data across many systems. The data seen by your marketers, data scientists or finance team can then differ, depending on the usage allowed.
With this approach, we can flag data that must be retained for HMRC compliance. In our data deletion example, our technology would be able to delete data from the eight redundant systems, leaving it available on the two crucial systems. Importantly, this would reduce the exposure of the remaining private data, helping you meet your GDPR and legal requirements.
Implementing a system goes towards proving your GDPR compliance, while reducing the management burden that that new regulations could otherwise impose.