by George Corugedo

5 must-ask questions for complying with GDPR’s ‘Right to be Forgotten’

Apr 02, 2018
Data and Information Security | Government | Legal

For all US-based companies that might have EU data, it’s time to segregate that data and initiate proper protocols to ensure fines don’t come your way after May.

If you’re like me, you’re still waiting for a check from Google and all the other companies that benefit from using my data. While I understand the premise is that I give up my data for the ease of use Google provides, it’s still my data…isn’t it?

Well it turns out that in the US, I in fact do not own my data. Instead, it belongs to the data collector, like Google. Conversely in Europe, it’s quite the opposite as the ownership of data goes to the entity who the data is about, and specifically NOT the collector.

It’s unlikely that Google will send checks to people in Europe anytime soon, but this issue has resulted in some tricky privacy legislation called General Data Protection Regulation, or GDPR. It is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).

If you have heard about GDPR, there is no doubt that it’s been discussed with a tone of fear. There are two primary reasons for the angst in the business community:

  1. Uncertainty: the penalties for violating GDPR are among the stiffest business penalties ever imagined.
  2. The rules are still somewhat “under construction,” so there remain considerable unknowns in how to proceed.

However, one law that is somewhat defined is the “Right to be Forgotten,” which goes back to the idea that individuals own their data and not the collector. So, if a person wants to be forgotten, companies must comply. The principle is simple enough, but once you start thinking about how to guarantee that forgotten record, there is no doubt angst will again be the result.

Let’s embark on this thought exercise and see if we can’t make some headway on how to approach such a problem. Assume we work for Company A and that the person whose data is in question is Mr. John Doe. There are some questions we must ask ourselves up front:

  1. Where is all of Mr. Doe’s data? Do we know how it’s being used?
  2. If we do know where all his data is, is it physically possible to track it down and delete it all?
  3. If I do delete it, is it truly gone, or have I simply marked the indicative data?
  4. What happens to the transactional history?
  5. How do I prove the company has forgotten Mr. Doe? 

Where is Mr. Doe’s data and how is it being used?

This first question hopefully points you to the data technology that normally manages this tracking: your Master Data Management (MDM) system. Indeed, MDM systems, or the more modern “MDM lite” or Data Curation systems, are exactly what’s called for here. More modern MDM systems have very easy-to-use historical data management. Built on NoSQL databases, these newer systems can operate like a “Time Machine” (the Apple sort, not the Jules Verne sort) and take you back to an exact point in time, where they lay out in specific detail every source, change, changer, or use of that data. They can do this because NoSQL databases are unconcerned by schema changes and can handle enormous amounts of data, track changes, and perform at ridiculous speed. The newer MDM systems are indeed a core advantage for companies that must adhere to the Right to be Forgotten.
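To make the “Time Machine” idea concrete, here is an added example (not code from the article or from any MDM product) of the data structure underneath it: an append-only, schema-free change log for one master record. Every entry carries its source and its actor, so the record can be replayed to any point in time, and the set of contributing systems (the first thing an erasure request needs) falls out of the same log. The customer, systems and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Union


@dataclass(frozen=True)
class Change:
    """One entry in the append-only change log for a master record."""
    ts: datetime           # when the change took effect
    source: str            # system the value came from (CRM, web form, ...)
    actor: str             # user or job that applied it
    field: str             # attribute name; a new name needs no schema change
    value: Optional[str]   # None records that the field was removed


def _to_dt(ts: Union[str, datetime]) -> datetime:
    return datetime.fromisoformat(ts) if isinstance(ts, str) else ts


class MasterRecordHistory:
    """Schema-free, append-only history for one master record.

    Nothing is overwritten: every source, change and changer is kept, so the
    record can be rebuilt exactly as it stood at any point in time.
    """

    def __init__(self, record_id: str) -> None:
        self.record_id = record_id
        self._log: List[Change] = []

    def record(self, ts: Union[str, datetime], source: str, actor: str,
               field: str, value: Optional[str]) -> None:
        self._log.append(Change(_to_dt(ts), source, actor, field, value))

    def as_of(self, ts: Union[str, datetime]) -> Dict[str, str]:
        """Replay the log up to ts and return the record as it was then."""
        cutoff = _to_dt(ts)
        state: Dict[str, str] = {}
        for c in sorted(self._log, key=lambda c: c.ts):   # stable sort keeps insert order on ties
            if c.ts > cutoff:
                break
            if c.value is None:
                state.pop(c.field, None)
            else:
                state[c.field] = c.value
        return state

    def lineage(self, field: str) -> List[Change]:
        """Every change ever made to one field, oldest first."""
        return sorted((c for c in self._log if c.field == field), key=lambda c: c.ts)

    def sources(self) -> Set[str]:
        """Every system that ever contributed to this record."""
        return {c.source for c in self._log}


def build_sample() -> MasterRecordHistory:
    """Constructed sample history for a fictitious customer record."""
    h = MasterRecordHistory("cust-0001")
    h.record("2017-01-10", "web-signup", "signup-form", "name", "John Doe")
    h.record("2017-01-10", "web-signup", "signup-form", "email", "jdoe@example.com")
    h.record("2017-06-02", "crm", "agent-42", "email", "john.doe@example.com")
    # a field that did not exist when the record was created; no migration needed
    h.record("2017-09-15", "loyalty", "nightly-batch", "tier", "gold")
    h.record("2018-02-01", "crm", "agent-17", "tier", None)
    return h


if __name__ == "__main__":
    h = build_sample()
    print("as of 2017-03-01:", h.as_of("2017-03-01"))
    print("as of 2017-12-31:", h.as_of("2017-12-31"))
    print("email lineage:", [(c.ts.date(), c.source, c.actor, c.value) for c in h.lineage("email")])
    print("systems holding data:", sorted(h.sources()))
```

The point for an erasure request is the last call: `sources()` answers “where is all of Mr. Doe’s data?” from the log itself, with no separate inventory to keep in sync.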

Can I delete all of Mr. Doe’s data?

This is where the details get a bit hairy. The legislation is not completely clear on whether it calls for a delete or a masking of the data. But in either case, what does that do to the transactional data associated with Mr. Doe? That part of Mr. Doe’s data most definitely can NOT be deleted or masked. As a public company, Company A must maintain accurate revenue records for reporting and accounting. In addition, summarized amounts can’t simply be carried over from the deleted record, as this would be an 8-lane highway to corporate fraud.

Let’s assume, then, that the transactional records all stay in place but with their indicative fields masked. Again, some of the modern MDM systems can handle this quite nicely: because the MDM system knows where the data is, it can easily issue a delete file to the operational systems. However, this is much harder than it sounds. If Company A does not have the right internal services infrastructure, it is difficult to delete that data from the operational systems. The best approach is to have the operational systems perform the delete themselves and not try to force it from the outside.

If Mr. Doe asks, how do I prove to him that he has indeed been forgotten?

This task may sound like it will require some time travel, but fortunately there is a much simpler solution than building a time machine. As the requests to delete data come in, and the data is either deleted or masked, a one-way hash of each forgotten record is retained (a hash, not an encrypted copy: nothing stored can be turned back into the record). This allows Company A to simply run Mr. Doe’s name through the same one-way hash, and if there is a match, he has indeed been forgotten.
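The two preceding sections, the MDM-driven erasure where each operational system performs its own delete or mask, and the hashed “forgotten” register used as proof, are shown together in this added example. It is not code from the article or from any vendor, and every system, identifier and record in it is constructed. One detail goes beyond the text: the register uses a keyed hash (HMAC-SHA256 with a secret key) rather than a bare hash, because a person’s name has so little entropy that an unkeyed digest of it could be reversed simply by guessing names; the key lives with the register and is the assumption that makes the proof token safe to store.

```python
import hashlib
import hmac
from typing import Any, Dict, List

# Assumption: in production this key comes from a secrets manager and is rotated;
# the value here is a constructed demo value.
REGISTER_KEY = b"constructed-demo-key-not-for-production"


def normalize(name: str) -> str:
    """Canonical form so 'John  Doe' and 'john doe' produce the same token."""
    return " ".join(name.lower().split())


def forgotten_token(name: str, key: bytes = REGISTER_KEY) -> str:
    # Keyed hash: without the key the stored tokens cannot be matched against a list of names.
    return hmac.new(key, normalize(name).encode("utf-8"), hashlib.sha256).hexdigest()


class ForgottenRegister:
    """Stores only tokens, never names, of subjects who have been forgotten."""

    def __init__(self) -> None:
        self._tokens: set = set()

    def add(self, name: str) -> None:
        self._tokens.add(forgotten_token(name))

    def is_forgotten(self, name: str) -> bool:
        return forgotten_token(name) in self._tokens


class CrmSystem:
    """Profile store: erasure here is a hard delete, performed by the system itself."""

    def __init__(self) -> None:
        self.profiles: Dict[str, dict] = {}

    def erase(self, local_id: str) -> int:
        return 1 if self.profiles.pop(local_id, None) is not None else 0


class BillingSystem:
    """Ledger: transactions and amounts must survive; only indicative fields are masked."""

    def __init__(self) -> None:
        self.transactions: List[dict] = []

    def erase(self, local_id: str) -> int:
        masked = 0
        for t in self.transactions:
            if t["customer_id"] == local_id:
                t["customer_name"] = "[ERASED]"
                t["email"] = None
                masked += 1
        return masked

    def revenue(self) -> float:
        return sum(t["amount"] for t in self.transactions)


class Mdm:
    """Knows where each subject's data lives and asks each system to erase its own copy."""

    def __init__(self, systems: Dict[str, Any], register: ForgottenRegister) -> None:
        self.systems = systems
        self.register = register
        self.locations: Dict[str, Dict[str, str]] = {}   # subject -> {system name: local id}

    def link(self, subject: str, system: str, local_id: str) -> None:
        self.locations.setdefault(subject, {})[system] = local_id

    def forget(self, subject: str, name: str) -> Dict[str, int]:
        """Send the erasure to every linked system, then record the proof token."""
        report = {sys_name: self.systems[sys_name].erase(local_id)
                  for sys_name, local_id in self.locations.get(subject, {}).items()}
        self.register.add(name)
        self.locations.pop(subject, None)   # the MDM drops its own mapping as well
        return report


def run_demo() -> dict:
    """Constructed data: one customer held in a CRM and a billing ledger."""
    crm, billing, register = CrmSystem(), BillingSystem(), ForgottenRegister()
    crm.profiles["doe-123"] = {"name": "John Doe", "email": "jdoe@example.com"}
    billing.transactions += [
        {"customer_id": "cust-77", "customer_name": "John Doe", "email": "jdoe@example.com", "amount": 120.0},
        {"customer_id": "cust-77", "customer_name": "John Doe", "email": "jdoe@example.com", "amount": 80.0},
        {"customer_id": "cust-78", "customer_name": "Jane Roe", "email": "jroe@example.com", "amount": 50.0},
    ]
    mdm = Mdm({"crm": crm, "billing": billing}, register)
    mdm.link("subject-doe", "crm", "doe-123")
    mdm.link("subject-doe", "billing", "cust-77")

    before = billing.revenue()
    report = mdm.forget("subject-doe", "John Doe")
    return {
        "report": report,                       # what each system did with its copy
        "revenue_before": before,
        "revenue_after": billing.revenue(),     # unchanged: the ledger kept every amount
        "crm_profile_gone": "doe-123" not in crm.profiles,
        "names_left": sorted({t["customer_name"] for t in billing.transactions}),
        "doe_forgotten": register.is_forgotten("john  DOE"),
        "roe_forgotten": register.is_forgotten("Jane Roe"),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The report returned by `forget()` is the per-system evidence trail, the revenue check shows the ledger survived intact, and `is_forgotten()` is the proof step from the section above: the name goes through the same keyed hash and is matched against stored tokens, none of which can be turned back into a name.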

We have given the Right to be Forgotten some lighthearted consideration here, but the powers that be are not at all lighthearted about enforcing the rules. For all US-based companies that might have EU data, it’s time to segregate that data and initiate proper protocols to ensure fines don’t come your way after May. The clock is ticking, so consider investigating some of the new MDM technology on the market, as the modern approaches to this rather old problem have found some very relevant applications in managing GDPR regulations.