GDPR Right to be Forgotten, CCPA Right of Erasure (RtbF/RoE) and Data Subject Access Requests (DSAR)


Forget about forgetting

Without the right technical capabilities, efforts to enable the ‘right to be forgotten’ under CCPA and GDPR may be doomed to fail

The right to be forgotten/right of erasure (RtbF/RoE) is a legal concept whereby individuals have a statutory right to have their personal information erased from the Internet. The notion isn’t new, but on the back of a European Court of Justice ruling in 2014, the principle of the right to be forgotten (or right of erasure) has gained significant traction. The concept is easy enough to understand; it’s the execution that many organisations are finding difficult.

An RtbF has been enshrined in European law for more than twenty years – first in the EU’s Data Protection Directive of 1995, and more recently under the sweeping rules of GDPR.

The first high-profile legal case came in 2014, when, in a case brought in Spain, an individual asked Google to remove links to an old newspaper article about a previous bankruptcy. The European Court of Justice ruled in the individual’s favour, saying search engines are data controllers and as such are required to take requests to remove old or irrelevant information seriously. As widely reported in the press at the time, Google suddenly found itself managing a flurry of take-down requests to remove links from search results.

Now with California’s CCPA set to expand the application in US law next year, organizations of all sizes will have to work out how to operationalize the right to be forgotten – and fast.

What are the challenges?

Under CCPA, RtbF/RoE enables consumers to have businesses delete any personally identifiable information (PII) they hold about them, so long as the data isn’t covered by one of nine exceptions (for example, where it is needed to comply with a separate legal obligation).

The majority of US privacy laws don’t currently include a formal right to be forgotten; however, the Children’s Online Privacy Protection Act (COPPA) has a provision regulating the online collection of information from children under the age of 13. CCPA dramatically expands the number of people able to formally request that their information be forgotten, and the number of organizations that have to address those requests.

CCPA also places obligations on data controllers that go beyond the requirement to take individual erasure requests seriously. Organisations must also determine a time limit for automatically erasing all the different categories of PII that they hold.

Easy to legislate, less easy to action

When you imagine a right to be forgotten, asking search engines and web sites to remove outdated or inaccurate information is likely the first thing that comes to mind. Under CCPA and GDPR it goes well beyond that, and will have significant implications for organizations as consumers and employees seek to limit the amount of personal information companies can retain.

If we consider all the different types of data companies hold about their customers, social media followers, employees, contractors, suppliers, and so on, the right to erasure isn’t something that can easily be switched on. Most organisations are digital to one extent or another now, using data they’ve collected themselves, as well as publicly available data, for marketing, accounting, HR and other business purposes.

That data is held in a variety of locations, systems, and data formats, which makes mapping all the personally identifiable information in company systems extremely difficult. For example, a host of biometric information is covered under CCPA, as is any record of an individual’s browsing history or other interactions with a company website or app.

Adding to the complexity is an evolving data landscape. How do you erase personal data held in a blockchain (where transaction inputs and outputs are deliberately masked)? What if there are paper documents with PII that haven’t yet been digitized? What if the PII exists in a small segment of a corporate video or webinar? Those are significant challenges, but perhaps the biggest is simply knowing where all the PII in company systems lives. And even if you can map your PII accurately, how will you know if it is covered by one of the nine exemptions, or ensure timely communication to applicants, regulators, or other relevant third parties?

Drilling down deeper, removing or destroying data – even when obligated to do so – can bring its own set of problems. Not only does PII need to be identified, it then needs to be destroyed in a way that doesn’t damage the integrity of other data. Simply deleting data from a complex relational database, for example, risks corrupting the records where that data was found, as well as causing index and search irregularities across the system.
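To make the integrity problem concrete, the following is an added example (not from the original article or from GTB) using Python’s built-in sqlite3 on a constructed two-table schema: a hard delete of the customer row is rejected while orders still reference it (or would leave orphans if constraints were off), whereas erasing the PII columns in place satisfies the request and keeps the dependent records consistent. Table and column names are assumptions for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample schema: customers hold PII, orders reference them
    (orders are the kind of record a legal-retention exemption may cover)."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")  # enforce referential integrity
    con.executescript("""
        CREATE TABLE customers (
            id INTEGER PRIMARY KEY, name TEXT, email TEXT, erased_at TEXT);
        CREATE TABLE orders (
            id INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customers(id),
            total_cents INTEGER NOT NULL);
        INSERT INTO customers VALUES (1, 'Ana Example', 'ana@example.com', NULL);
        INSERT INTO orders VALUES (10, 1, 4999), (11, 1, 1250);
    """)
    return con

def naive_delete(con, customer_id):
    """Hard delete of the customer row. With FK enforcement this is rejected
    because orders still reference the row; without enforcement it would
    silently leave orphaned orders. Returns True only if the delete succeeded."""
    try:
        with con:  # commits on success, rolls back on exception
            con.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
        return True
    except sqlite3.IntegrityError:
        return False

def erase_in_place(con, customer_id, erased_at):
    """Erasure that preserves integrity: overwrite the PII columns with a
    tombstone, keep the primary key so dependent rows stay valid, and record
    when it happened. Returns the number of rows changed (0 = already erased)."""
    with con:
        cur = con.execute(
            "UPDATE customers SET name = '[erased]', email = NULL, erased_at = ? "
            "WHERE id = ? AND erased_at IS NULL",
            (erased_at, customer_id))
    return cur.rowcount

def integrity_report(con):
    """Count orders whose customer_id points at no customer, plus total orders."""
    orphans = con.execute(
        "SELECT COUNT(*) FROM orders o LEFT JOIN customers c "
        "ON c.id = o.customer_id WHERE c.id IS NULL").fetchone()[0]
    total = con.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
    return {"orphaned_orders": orphans, "orders": total}
```

Run `integrity_report` before and after each approach to see that the in-place erasure leaves zero orphans and all orders intact.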


Not all solutions are the same


Enabling the right to be forgotten/right of erasure is complex and needs to happen at a granular level, understanding where all your PII sits and considering the potential knock-on effects of data deletion.

Companies that have already implemented a data loss prevention (DLP) system may find themselves in a stronger position to achieve CCPA (and GDPR) compliance when January 2020 arrives.

DLP is essential for tracking enterprise data and organizing it. This includes classifying files and data streams to determine the presence of PII and other data with regulatory sensitivities. That capability is important both for data protection and to understand in detail where, and what type of, CCPA-covered information sits across your systems.

DD or DP? Accurate detection is the key to success

Not all Discovery / DLP systems are calibrated for the complexities of PII, however, and that will make a difference to compliance success where RtbF/RoE is concerned.

Common DLP & Discovery programs rely on pre-set algorithms and regular expression patterns to determine what sensitive data is – a generic approach that can throw up numerous false positives, all requiring investigation and time. GTB’s data protection and Next-Gen Data Loss Protection programs use an intelligent, scientific-based approach to find and manage sensitive data. Rather than rely on broad definitions, GTB programs analyze data dynamically to identify relevant files.
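The false-positive problem with pattern-only detection is easy to reproduce. The example below is added here and is not GTB’s detection logic or code from the original page: a plain regular expression flags any 13–16 digit run as a payment card number, so an order reference trips it; adding a Luhn mod-10 check (a property every valid card number has) discards that hit while keeping the real one. The sample text is constructed for the example.

```python
import re

# Pattern-only rule: any run of 13-16 digits, optionally separated by
# spaces or hyphens, "looks like" a payment card number.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

# Constructed sample: an order reference (not a card) next to a well-known
# Visa test number that passes the Luhn check.
SAMPLE_TEXT = ("Order ref 1234567890123456 shipped; "
               "card 4111 1111 1111 1111 on file.")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum. Every valid card number passes; roughly one in
    ten random digit strings also passes, so this cuts false positives
    rather than eliminating them."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d *= 2
            if d > 9:
                d -= 9
        total += d
        double = not double
    return total % 10 == 0

def find_cards(text: str, validate: bool = True) -> list:
    """Return candidate card numbers (digits only). With validate=False this
    is the regex-only behaviour; with validate=True each candidate must also
    satisfy the Luhn check before it is reported."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if validate and not luhn_ok(digits):
            continue  # structurally plausible but not a valid card number
        hits.append(digits)
    return hits
```

Comparing `find_cards(SAMPLE_TEXT, validate=False)` with `find_cards(SAMPLE_TEXT)` shows the order reference reported by the pattern alone and dropped once the checksum is applied.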

Regulatory compliance and data security

Sensitive Data Detection – that’s accurate

Do you know where your data is? Can you meet DSAR requests in 30 days or less? With data held across the organization, it can be a real challenge.

GTB’s Data Discovery that Works™ platform discovers sensitive information, regardless of the file format, across multiple data repositories in just one platform, with:

  • Accurate and automated searches for Personally Identifiable Information (PII), Payment Card Information (PCI), and health records to comply with HIPAA, GDPR, PCI, etc.
  • Policies that can be applied to discover, classify and protect the organization’s assets, including intellectual property, patents, source code, and trade secrets.
  • The flexibility to handle custom-made rule sets and complex queries.

Speed-up Data Subject Access Requests (DSAR) and Right to be Forgotten requests

Confirm compliance and speed up Data Subject Access Requests (DSARs) and Right-to-be-Forgotten requests. Some of the many built-in policy templates for DSAR compliance provide coverage for:


Forcepoint Investor - Private Equity
"I head the Investment and Strategy team at ###. I have been working closely with Forcepoint,...

They are highly impressed with GTB’s all-in-one DLP solution and its ability to discover, classify, detect, and protect companies from threats in a seamless manner.”
Best in Class Solution!
I am an investor at Bain Capital specializing in cybersecurity and infrastructure ... We have been doing a deep dive into the enterprise data space since our investment in Ata#####, and have found data loss prevention one of the largest pain points. Many firms lack comprehensive data privacy policies and solutions.

We see GTB’s platform as a direct response to address this problem, and we feel it is a best-in-class solution.

Nov. 16, 2022 lkin
City & County of San Francisco
"Each department faces unique regulatory challenges and data security must both protect vital data without interfering with critical business. That's why the City replaced its previous DLP and encryption solution with Avanan Data Protection and Encryption. Within days of deployment, the City saw a 30% improvement in the use of data encryption. " GTB catches the events which others missed! CISO City & County of San Francisco, using GTB Inspector for Data in Motion via GTB OEM Avanan 2020
Best company to work with
GTB continues to be the best company to work with in our entire portfolio. I’m happy for GTB’s great success while still making MIDFLORIDA feel like your most important customer. Please consider me for a reference anytime.
IT Security Manager
Blue Cross ... Meeting our complicated needs
Over the years, our environment has become increasingly complicated as we continue to improve our security and data protection posture. GTB Technologies has demonstrated time and time again its ability to be agile in meeting our needs. We have seen other (larger) companies struggle to understand issues and communicate them within their company to work toward delivering a solution. This has not been the case with GTB.
LA Metro
“Security is a large initiative for LA Metro, as we continue to grow our network and infrastructure to meet our growing needs that support those living, working and exploring LA County,” said Los Angeles County Metropolitan Transportation Authority Senior Director of Engineering Richard Bezjian. “Our existing email protection would simply not be enough on its own to deliver the strength of protection required to identify and stop today’s cyberattacks. SonicWall delivers additional security efficacy with a competitive TCO.” utilizing GTB Inspector for Data in Motion OEM solution
Best DLP Solutions 2021
Best DLP Solutions Provider 2020
CISO - Global Financial Institution
I can't wait till you go public to buy your company shares!
Winner 2019 Best DLP Solutions
Winner 2019 Best DLP Solutions, the Global 100 program is a benchmark of the very best industry leaders, exemplary teams and distinguished organisations.
Great Job All
From all the DLP solutions we have seen, yours Stands out and I believe you and the team are in for a great one. The new UI is so impressive. Great Job All
Winner - Top Microsoft Solution Provider 2019
GTB Technologies is the data protection solution that can prevent the loss of data to malware and trusted insiders by blocking sensitive data. January 2020
GTB Gets The W-I-N For DLP In 2019
GTB Technologies was recently crowned the winner of Acquisition International’s cyber security award in the data loss prevention (DLP) category for its anti-malware and insider threat capabilities. AI noted specifically that, “[o]ver the past 14 years, GTB Technologies has delivered unparalleled innovations to the data protection and governance market,” which has culminated in a “data recognition platform that couples the power of proprietary intelligent processes with mathematical science.”

For these reasons, GTB is a top choice among those who take data protection seriously and is used by major players across industries, including finance, healthcare, defense contractors, and government.
Most Advanced DLP
"GTB has one of the most advanced DLP solutions on the market and we are proud to have them as a partner. As soon as we added them to the Avanan Cloud Security Platform we started seeing our customers testing and then purchasing their solution on our platform" Gil Friedrich, CEO Avanan