GDPR Right to be Forgotten, CCPA Right of Erasure (RtbF/RoE) and Data Subject Access Requests (DSAR)
Forget about forgetting
Without the right technical capabilities, efforts to enable the ‘right to be forgotten’ under CCPA and GDPR may be doomed to fail
The right to be forgotten/right of erasure (RtbF/RoE) is a legal concept whereby individuals have a statutory right to have personal information erased from the Internet. The notion isn’t new, but on the back of a European Court of Justice ruling in 2014, the principle of the right to be forgotten (or right of erasure) has gained significant traction. The concept is easy enough to understand; it’s the execution that many organisations are finding difficult.
An RtbF has been enshrined in European law for more than twenty years – first in the EU’s Data Protection Directive of 1995, and more recently under the sweeping rules of GDPR.
The first high-profile legal case came in 2014, when a case brought in Spain asked Google to remove links to an old newspaper article about an individual’s previous bankruptcy. The European Court of Justice ruled in the individual’s favour, saying search engines are data controllers, and as such are required to take requests to remove old or irrelevant information seriously. As widely reported in the press at the time, Google suddenly found itself managing a flurry of take-down requests to remove links from search queries.
Now, with California’s CCPA set to expand its application in US law next year, organizations of all sizes will have to work out how to operationalize the right to be forgotten – and fast.
What are the challenges?
Under CCPA, RtbF/RoE enables consumers to have businesses delete any personally identifiable information (PII) they hold about them – so long as the data isn’t covered by one of nine exceptions (for example, to ensure compliance with a separate legal obligation).
The majority of US privacy laws don’t currently have a formal right to be forgotten; however, the Children’s Online Privacy Protection Act (COPPA) has a provision regulating the online collection of information from children under the age of 13. CCPA dramatically expands the number of people able to formally request that their information be forgotten, and the number of organizations that have to address those requests.
CCPA also places obligations on data controllers that go beyond the requirement to take individual erasure requests seriously. Organisations must also determine a time limit for automatically erasing all the different categories of PII that they hold.
Easy to legislate, less easy to action
When you imagine a right to be forgotten, asking search engines and web sites to remove outdated or inaccurate information is likely the first thing that comes to mind. Under CCPA and GDPR it goes well beyond that, and will have significant implications for organizations as consumers and employees seek to limit the amount of personal information companies can retain.
If we consider all the different types of data companies hold about their customers, social media followers, employees, contractors, suppliers, and so on, the right to erasure isn’t something that can easily be switched on. Most organisations are digital to one extent or another now, using data they’ve collected themselves, as well as publicly available data, for marketing, accounting, HR and other business purposes.
That data is held in a variety of locations, systems, and data formats that make mapping all the personally identifiable information in company systems extremely difficult. For example, a host of biometric information is covered under CCPA, as is any record of an individual’s browsing history or other interactions with a company website or app.
Adding to the complexity is an evolving data landscape. How do you erase personal data held in a blockchain (where transaction inputs and outputs are deliberately masked)? What if there are paper documents with PII that haven’t yet been digitized? What if the PII exists in a small segment of a corporate video or webinar? Those are significant challenges, but perhaps the biggest is simply knowing where all the PII in company systems lives. And even if you can map your PII accurately, how will you know whether it is covered by one of the nine exemptions, or ensure timely communication to applicants, regulators, or other relevant third parties?
Drilling down deeper, removing or destroying data – even when obligated to do so – can bring its own set of problems. Not only does PII need to be identified, it then needs to be destroyed in a way that doesn’t damage the integrity of other data. Simply deleting data from a complex relational database, for example, risks corrupting the records where that data was found, as well as causing index and search irregularities across the system.
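The database hazard described above, as an added example (not GTB’s code or any product’s): a constructed two-table schema in Python’s sqlite3 module, where orders reference customers by key. A blunt DELETE either fails outright (foreign keys enforced) or silently leaves orphaned child rows (foreign keys not enforced, which is SQLite’s default); the erasure function instead overwrites the personal fields and keeps the key, so dependent records and indexes stay consistent. Table and column names are assumptions for the example.

```python
import sqlite3
from typing import Optional

# Constructed sample schema and rows (not from any real system).
SCHEMA = """
CREATE TABLE customer (
    id    INTEGER PRIMARY KEY,
    name  TEXT NOT NULL,
    email TEXT NOT NULL UNIQUE
);
CREATE TABLE orders (
    id           INTEGER PRIMARY KEY,
    customer_id  INTEGER NOT NULL REFERENCES customer(id),
    amount_cents INTEGER NOT NULL
);
"""
SAMPLE_CUSTOMERS = [(1, "Ada Example", "ada@example.com"),
                    (2, "Bob Example", "bob@example.com")]
SAMPLE_ORDERS = [(10, 1, 1999), (11, 1, 500), (12, 2, 250)]


def build_db(enforce_fk: bool) -> sqlite3.Connection:
    """In-memory database loaded with the sample rows. SQLite ignores REFERENCES
    unless the foreign_keys pragma is on, and many deployments leave it off."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_fk else "OFF"))
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def naive_delete(conn: sqlite3.Connection, customer_id: int) -> Optional[str]:
    """Erase by deleting the customer row outright. Returns the database's
    error text if it refused, or None if the delete went through."""
    try:
        with conn:  # commits on success, rolls back on exception
            conn.execute("DELETE FROM customer WHERE id = ?", (customer_id,))
        return None
    except sqlite3.IntegrityError as exc:
        return str(exc)


def orphaned_orders(conn: sqlite3.Connection) -> int:
    """Orders whose customer_id no longer matches any customer row."""
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM orders o LEFT JOIN customer c ON c.id = o.customer_id "
        "WHERE c.id IS NULL").fetchone()
    return count


def orphans_after_unenforced_delete(customer_id: int) -> int:
    """What a blunt DELETE leaves behind when the database does not enforce keys."""
    conn = build_db(enforce_fk=False)
    naive_delete(conn, customer_id)
    return orphaned_orders(conn)


def erase_customer(conn: sqlite3.Connection, customer_id: int) -> dict:
    """Erase the personal fields but keep the row and its key, so child records
    stay consistent. The email becomes a unique tombstone under the reserved
    .invalid domain so the UNIQUE constraint (and its index) still holds."""
    with conn:
        cur = conn.execute(
            "UPDATE customer SET name = 'ERASED', email = ? WHERE id = ?",
            ("erased-%d@invalid" % customer_id, customer_id))
        if cur.rowcount != 1:
            raise LookupError("no customer with id %d" % customer_id)
    (retained,) = conn.execute(
        "SELECT COUNT(*) FROM orders WHERE customer_id = ?", (customer_id,)).fetchone()
    return {"orders_retained": retained, "orphans": orphaned_orders(conn)}


if __name__ == "__main__":
    print("delete with keys enforced:", naive_delete(build_db(True), 1))
    print("orphans after unenforced delete:", orphans_after_unenforced_delete(1))
    print("erasure keeping the key:", erase_customer(build_db(True), 1))
```

The overwrite approach only covers the live table; copies of the same fields in backups, replicas, logs and analytics extracts still have to be found and handled, which is the discovery problem the rest of this piece is about.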
Not all solutions are the same
Enabling the right to be forgotten/right of erasure is complex and needs to happen at a granular level, understanding where all your PII sits and considering the potential knock-on effects of data deletion.
Companies that have already implemented a data loss prevention (DLP) system may find themselves in a stronger position to achieve CCPA (and GDPR) compliance when January 2020 arrives.
DLP is essential for tracking enterprise data and organizing it. This includes classifying files and data streams to determine the presence of PII and other data with regulatory sensitivities. That capability is important both for data protection and to understand in detail where, and what type of, CCPA-covered information sits across your systems.
DD or DP? Accurate detection is the key to success
Not all discovery/DLP systems, however, are calibrated for the complexities of PII, and that makes a difference to compliance success where RtbF/RoE is concerned.
Common DLP & Discovery programs rely on pre-set algorithms and regular expression patterns to determine what sensitive data is – a generic approach that can throw up numerous false positives, all requiring investigation and time. GTB’s data protection and Next-Gen Data Loss Protection programs use an intelligent, scientific-based approach to find and manage sensitive data. Rather than rely on broad definitions, GTB programs analyze data dynamically to identify relevant files.
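To make the false-positive problem concrete, here is an added example (not GTB’s detection logic, and not a substitute for it) in Python: a regex-only scan flags every 16-digit run and every nnn-nn-nnnn string, while a second pass validates each candidate (Luhn checksum for card numbers, the Social Security Administration’s structural rules for SSNs) before reporting it. The sample text is constructed; the card number is the widely used 4111… test value, and the SSNs are the SSA’s never-issued example (219-09-9999) and an impossible one (area 000).

```python
import re
from typing import List

# Constructed sample text: one real-looking card, one tracking number that merely
# looks like a card, one structurally valid SSN and one impossible SSN.
SAMPLE_TEXT = """\
customer card 4111 1111 1111 1111 expires 12/27
parcel tracking 1234 5678 9012 3456 delivered
taxpayer 219-09-9999 filed
ticket 000-12-3456 closed
"""

# 14-16 digits with optional space/hyphen separators; deliberately broad.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,15}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 if
    the result exceeds 9, and require the total to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area is never 000, 666 or 900-999;
    group is never 00; serial is never 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def regex_only(text: str) -> List[str]:
    """What a pattern-only scan reports: every candidate, valid or not."""
    hits = [m.group(0) for m in CARD_RE.finditer(text)]
    hits += [m.group(0) for m in SSN_RE.finditer(text)]
    return hits


def validated(text: str) -> List[str]:
    """Same candidates, kept only if they pass the format's own validity check."""
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            hits.append(m.group(0))
    for m in SSN_RE.finditer(text):
        if ssn_ok(*m.groups()):
            hits.append(m.group(0))
    return hits


if __name__ == "__main__":
    print("regex only:", regex_only(SAMPLE_TEXT))
    print("validated: ", validated(SAMPLE_TEXT))
```

Validation halves the hit list on this input, but it is not the end of the story: roughly one random 16-digit string in ten passes Luhn, and a structurally valid SSN is still just nine digits, so a production scanner also has to weigh surrounding context and the data source. That is the gap between a regular expression and an actual classification decision.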
Regulatory compliance and data security
Sensitive Data Detection – that’s accurate
Do you know where your data is? Can you respond to DSARs within 30 days or less? With data held across the organization, it can be a real challenge.
GTB’s Data Discovery that Works™ platform discovers sensitive information, regardless of the file format, across multiple data repositories in just one platform, with:
- Accurate, automated searches for Personally Identifiable Information (PII), Payment Card Information (PCI), and health records, to comply with HIPAA, GDPR, PCI, etc.
- Policies to discover, classify and protect the organization’s assets, including intellectual property, patents, source code, and trade secrets.
- The flexibility to handle custom rule sets and complex queries.
Speed-up Data Subject Access Requests (DSAR) and Right to be Forgotten requests
Confirm compliance and speed up Data Subject Access Requests (DSARs) and Right-to-be-Forgotten requests. Some of the many built-in policy templates for DSAR compliance provide coverage for:
- Visibility: accurately discover sensitive data; detect and address broken business processes or insider threats, including attempts to exfiltrate sensitive data.
- Protection: automate data protection, breach prevention and incident response both on and off the network; for example, find and quarantine sensitive data within files exposed on user workstations, file shares and cloud storage.
- Notification: alert users to violations to raise awareness and educate them about cybersecurity and corporate policies.
- Education: start targeted cyber-security training; e.g., identify end users violating policies and train them.
“They are highly impressed with GTB’s all-in-one DLP solution and its ability to discover, classify, detect, and protect companies from threats in a seamless manner.”
“If you have sensitive information on your enterprise, you need GTB – if for no other reason than that you’ll sleep much better knowing your data is protected.”
Peter Stephenson, SC Magazine
For these reasons, GTB is a top choice among those who take data protection seriously and is used by major players across industries, including finance, healthcare, defense contractors, and government.