GDPR Right to be Forgotten, CCPA Right of Erasure (RtbF/RoE) and Data Subject Access Requests (DSAR)
Forget about forgetting
Without the right technical capabilities, efforts to enable the ‘right to be forgotten’ under CCPA and GDPR may be doomed to fail
The right to be forgotten/right of erasure (RtbF/RoE) is a legal concept whereby individuals have a statutory right to have personal information erased from the Internet. The notion isn’t new, but on the back of a European Court of Justice ruling in 2014, the principle of right to be forgotten (or right of erasure) has gained significant traction. The concept is easy enough to understand; it’s the execution that many organisations are finding difficult.
An RtbF has been enshrined in European law for more than twenty years – first in the EU’s Data Protection Directive of 1995, and more recently under the sweeping rules of GDPR.
The first high-profile legal case came in 2014, when a Spanish court case asked Google to remove links to an old newspaper article about an individual’s previous bankruptcy. The European Court of Justice ruled in the individual’s favour, saying search engines are data controllers, and as such are required to take requests to remove old or irrelevant information seriously. As widely reported in the press at the time, Google suddenly found itself managing a flurry of take-down requests to remove links from search queries.
Now with California’s CCPA set to expand the application in US law next year, organizations of all sizes will have to work out how to operationalize the right to be forgotten – and fast.
What are the challenges?
Under CCPA, RtbF/RoE enables consumers to have businesses delete any personally identifiable information (PII) they hold about them – so long as the data isn’t covered by one of nine exceptions (for example, to ensure compliance with a separate legal obligation).
The majority of US privacy laws don’t currently have a formal right to be forgotten; however, the Children’s Online Privacy Protection Act (COPPA) has a provision regulating the online collection of information from children under the age of 13. CCPA dramatically expands the number of people able to formally request that their information be forgotten, and the number of organizations that have to address those requests.
CCPA also places obligations on data controllers that go beyond the requirement to take individual erasure requests seriously. Organisations must also determine a time limit for automatically erasing all the different categories of PII that they hold.
Easy to legislate, less easy to action
When you imagine a right to be forgotten, asking search engines and web sites to remove outdated or inaccurate info is likely the first thing that comes to mind. Under CCPA and GDPR it goes well beyond that, and will have significant implications for organizations as consumers and employees seek to limit the amount of personal information companies can retain.
If we consider all the different types of data companies hold about their customers, social media followers, employees, contractors, suppliers, and so on, the right to erasure isn’t something that can easily be switched on. Most organisations are digital to one extent or another now, using data they’ve collected themselves, as well as publicly available data, for marketing, accounting, HR and other business purposes.
That data is held in a variety of locations, systems, and data formats that make mapping all the personally identifiable information in company systems extremely difficult. For example, a host of biometric information is covered under CCPA, as is any record of an individual’s browsing history or other interactions with a company website or app.
Adding to the complexity is an evolving data landscape. How do you erase personal data held in a blockchain (where transaction inputs and outputs are deliberately masked)? What if there are paper documents with PII that haven’t yet been digitized? What if the PII exists in a small segment of a corporate video or webinar? Those are significant challenges but perhaps the biggest is simply knowing where all the PII in company systems lives. And even if you can map your PII accurately, how will you know if it is covered by one of the nine exemptions, or ensure timely communication to applicants, regulators, or other relevant third parties?
Drilling down deeper, removing or destroying data – even when obligated to do so – can bring its own set of problems. Not only does PII need to be identified, it then needs to be destroyed in a way that doesn’t damage the integrity of other data. Simply deleting data from a complex relational database, for example, risks corrupting the records where that data was found, as well as causing index and search irregularities across the system.
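The integrity problem just described, as an added Python/SQLite example that is not from the article or from GTB; the schema and rows are constructed. A hard delete of the customer row is blocked by the foreign key (or, without enforcement, would orphan the orders), while overwriting the PII columns in place erases the person and keeps the retained records consistent.

```python
import sqlite3
# Constructed sample schema and data (not from the article): customers hold
# PII; orders reference them and may have to be retained, e.g. for accounting.
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                        email TEXT NOT NULL UNIQUE);
CREATE TABLE orders (id INTEGER PRIMARY KEY, amount_cents INTEGER NOT NULL,
                     customer_id INTEGER NOT NULL REFERENCES customers(id));
"""
CUSTOMERS = [(1, "Alice Example", "alice@example.com"), (2, "Bob Example", "bob@example.com")]
ORDERS = [(10, 1999, 1), (11, 4500, 1), (12, 999, 2)]

def build_db():
    """In-memory database with foreign-key enforcement switched on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    conn.commit()
    return conn

def naive_erase(conn, email):
    """Hard-delete the customer row. Foreign-key enforcement blocks it because
    orders still reference the row; without enforcement they would be orphaned."""
    try:
        conn.execute("DELETE FROM customers WHERE email = ?", (email,))
        conn.commit()
        return "deleted"
    except sqlite3.IntegrityError:
        conn.rollback()
        return "blocked"

def erase_subject(conn, email):
    """Erase the person, not the records: overwrite the PII columns in place so
    orders stay linked but no longer identify anyone. Returns the id or None."""
    row = conn.execute("SELECT id FROM customers WHERE email = ?", (email,)).fetchone()
    if row is None:
        return None
    cid = row[0]
    conn.execute("UPDATE customers SET name = 'ERASED', email = ? WHERE id = ?",
                 ("erased-%d@invalid" % cid, cid))
    conn.commit()
    return cid

def customer_record(conn, cid):
    # (name, email, order_count) for a customer id, used to check the outcome
    name, email = conn.execute("SELECT name, email FROM customers WHERE id = ?", (cid,)).fetchone()
    count = conn.execute("SELECT COUNT(*) FROM orders WHERE customer_id = ?", (cid,)).fetchone()[0]
    return name, email, count
```

The same pattern applies to search indexes: re-index the overwritten row rather than leaving stale entries that still point at deleted keys.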
Not all solutions are the same
Enabling the right to be forgotten/right of erasure is complex and needs to happen at a granular level, understanding where all your PII sits and considering the potential knock-on effects of data deletion.
Companies that have already implemented a data loss prevention (DLP) system may find themselves in a stronger position to achieve CCPA (and GDPR) compliance when January 2020 arrives.
DLP is essential for tracking enterprise data and organizing it. This includes classifying files and data streams to determine the presence of PII and other data with regulatory sensitivities. That capability is important both for data protection and to understand in detail where, and what type of, CCPA-covered information sits across your systems.
DD or DP? Accurate detection is the key to success
Not all Discovery / DLP systems are calibrated for the complexities of PII, however, and that will make a difference to compliance success where RtbF/RoE is concerned.
Common DLP & Discovery programs rely on pre-set algorithms and regular expression patterns to determine what sensitive data is – a generic approach that can throw up numerous false positives, all requiring investigation and time. GTB’s data protection and Next-Gen Data Loss Protection programs use an intelligent, scientific-based approach to find and manage sensitive data. Rather than rely on broad definitions, GTB programs analyze data dynamically to identify relevant files.
Regulatory compliance and data security
Sensitive Data Detection – that’s accurate
Do you know where your data is? Can you meet DSAR requests in 30 days or less? With data held across the organization, it can be a real challenge.
GTB’s Data Discovery that Works™ platform discovers sensitive information, regardless of the file format, across multiple data repositories in just one platform, with:
- Accurate and automated searches for Personally Identifiable Information (PII), Payment Card Information (PCI), and health records to comply with HIPAA, GDPR, PCI, etc.
- Apply policies to discover, classify and protect the organization’s assets, including Intellectual Property, Patents, Source-Code, and Trade secrets.
- The flexibility to handle custom-made rule sets and complex queries.
Speed-up Data Subject Access Requests (DSAR) and Right to be Forgotten requests
Confirm compliance and speed up Data Subject Access Requests (DSARs) and Right-to-be-Forgotten requests. Some of the many built-in policy templates for DSAR compliance provide coverage for:
- Australia Privacy Act
- California Consumer Privacy Act (CCPA)
- California Privacy Rights Act (CPRA)
- Personal Information Protection and Electronic Documents Act (PIPEDA) – Canada
- General Data Protection Regulation (GDPR) – EU
- Information Technology Act 2000 – India
- Act on the Protection for Personal Information (APPI) – Japan
- Protection of Personal Information Act (POPIA) – South Africa
Visibility: Accurately discover sensitive data; detect and address broken business processes or insider threats, including sensitive data breach attempts.
Protection: Automate data protection, breach prevention and incident response both on and off the network; for example, find and quarantine sensitive data within files exposed on user workstations, file shares and cloud storage.
Notification: Alert users on violations to raise awareness and educate the end user about cybersecurity and corporate policies.
Education: Start targeted cyber-security training; e.g., identify end-users violating policies and train them.
- Employees and organizations have knowledge and control of the information leaving the organization, where it is being sent, and where it is being preserved.
- Ability to allow user classification to give them influence in how the data they produce is controlled, which increases protection and end-user adoption.
- Control your data across your entire domain in one Central Management Dashboard with Universal policies.
- Many levels of control together with the ability to warn end-users of possible non-compliant or risky activities, protecting against malicious insiders and human error.
- Full data discovery collection detects sensitive data anywhere it is stored, and provides strong classification, watermarking, and other controls.
- Delivers full technical controls on who can copy what data, to what devices, what can be printed, and/or watermarked.
- Integrate with GRC workflows.
- Reduce the risk of fines and non-compliance.
- Protect intellectual property and corporate assets.
- Ensure compliance within industry, regulatory, and corporate policy.
- Ability to enforce boundaries and control what types of sensitive information can flow where.
- Control data flow to third parties and between business units.
They are highly impressed with GTB’s all-in-one DLP solution and its ability to discover, classify, detect, and protect companies from threats in a seamless manner.”
We see GTB’s platform as a direct response to address this problem, and we feel it is a best-in-class solution.
Nov. 16, 2022 lkin
For these reasons, GTB is a top choice among those who take data protection seriously and is used by major players across industries, including finance, healthcare, defense contractors, and government.