If you’re like me, you’re still waiting for a check from Google and all the other companies that benefit from using my data. While I understand the premise is that I give up my data for the ease of use Google provides, it’s still my data…isn’t it?
Well, it turns out that in the US, I in fact do not own my data. Instead, it belongs to the data collector, like Google. In Europe, it’s quite the opposite: ownership of data goes to the entity the data is about, and specifically NOT the collector.
It’s unlikely that Google will send checks to people in Europe anytime soon, but this issue has resulted in some tricky privacy legislation called the General Data Protection Regulation, or GDPR. It is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
If you have heard about GDPR, there is no doubt that it’s been discussed with a tone of fear. There are two primary reasons for the angst in the business community:

Uncertainty: the penalties for violating GDPR are among the stiffest business penalties ever imagined.
The rules are still somewhat “under construction,” so there remain considerable unknowns in how to proceed.

However, one law that is somewhat defined is the “Right to be Forgotten,” which goes back to the idea that individuals own their data and not the collector. So, if a person wants to be forgotten, companies must comply. The principle is simple enough, but once you start thinking about how to guarantee that forgotten record, there is no doubt angst will again be the result.
Let’s embark on this thought exercise and see if we can’t make some headway on how to approach such a problem. Assume we work for Company A and the person whose data is in question is Mr. John Doe.
There are some questions that we must ask ourselves upfront:

Where is all of Mr. Doe’s data? Do we know how it’s being used?
If we do know where all his data is, is it physically possible to track it down and delete it all?
If I do delete it, is it truly gone, or have I simply marked the indicative data?
What happens to the transactional history?
How do I prove the company has forgotten Mr. Doe?

Where is Mr. Doe’s data and how is it being used?
This first question hopefully points you to the data technology that normally manages this tracking: your Master Data Management system. Indeed, MDM systems, or the more modern MDM lite or Data Curation systems, are exactly what’s called for here. More modern MDM systems have very easy-to-use historical data management. Utilizing NoSQL databases, these newer systems can operate like a “Time Machine” (the Apple sort, not the Jules Verne sort) and take you back to an exact point in time where it will lay out in specific detail every source, change, changer, or use of that data. They can do this since NoSQL databases are unconcerned by schema changes and they can handle enormous amounts of data, track changes, and perform at ridiculous speed. The newer MDM systems are indeed a core advantage for companies to adhere to the Right to be Forgotten.
Can I delete all of Mr. Doe’s data?
This is where the details get a bit hairy. The legislation is not completely clear whether it’s a delete or a masking of the data. But in either case, what does that do to the transactional data associated with Mr. Doe? That part of Mr. Doe’s data most definitely can NOT be deleted or masked. As a public company, Company A must maintain accurate revenue records for reporting and accounting.
In addition, summarized amounts can’t just be lugged in from the deleted record as this would be an 8-lane highway to corporate fraud.
Let’s assume then that the transactional records all stay in place but with marked indicia. Again, some of the modern MDM systems can handle this quite nicely as the MDM system can easily issue a delete file to the operational systems since they know where the data is. However, this is much harder than it sounds. If Company A does not have the right internal services infrastructure, it is difficult to delete that data from the operational systems. The best approach is to have the operational systems perform the delete and not try to force it from the outside.
If Mr. Doe asks, how do I prove to him that he has indeed been forgotten?
This task may sound like it will require some time travel, but fortunately, there is a much simpler solution than building a time machine. As the requests to delete data come in, and the data is either deleted or masked, a one-way hash is computed over those forgotten records and the resulting digest is retained. This allows Company A to simply run Mr. Doe’s name through the same one-way hash, and if the result matches a retained digest, he has indeed been forgotten.
We have given the Right to be Forgotten some lighthearted consideration here, but the powers that be are not at all lighthearted about enforcing the rules. For all US-based companies that might have EU data, it’s time to segregate that data and initiate proper protocols to ensure fines don’t come your way after May. The clock is ticking, so consider investigating some of the new MDM technology on the market, as the modern approaches to this rather old problem have found some very relevant applications in managing GDPR regulations.
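The one-way-hash check described above for proving that Mr. Doe has been forgotten, written in Python as an added example (not code from the original article or from any MDM product). It assumes a keyed hash (HMAC-SHA256) rather than a bare hash, because names are low-entropy and an unkeyed digest of a name can be matched by anyone who guesses the name; `LEDGER_KEY`, `ErasureLedger` and the sample names are constructed for illustration.

```python
import hashlib
import hmac
import unicodedata
from datetime import datetime, timezone

# Assumption: in production this key is held in a KMS/HSM. Constructed placeholder.
LEDGER_KEY = b"constructed-demo-key"


def normalize(identifier: str) -> bytes:
    """Canonicalize so 'John  DOE ' and 'john doe' map to the same bytes."""
    text = unicodedata.normalize("NFKC", identifier)
    return " ".join(text.casefold().split()).encode("utf-8")


def erasure_tag(identifier: str, key: bytes = LEDGER_KEY) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the normalized identifier."""
    return hmac.new(key, normalize(identifier), hashlib.sha256).hexdigest()


class ErasureLedger:
    """Hypothetical ledger: keeps only tags and erasure times, never the name."""

    def __init__(self, key: bytes = LEDGER_KEY):
        self._key = key
        self._entries = {}  # tag -> UTC ISO-8601 time the erasure was recorded

    def record_erasure(self, identifier: str) -> str:
        tag = erasure_tag(identifier, self._key)
        # Repeated requests for the same subject keep the first timestamp.
        self._entries.setdefault(tag, datetime.now(timezone.utc).isoformat())
        return tag

    def was_forgotten(self, identifier: str) -> bool:
        return erasure_tag(identifier, self._key) in self._entries

    def stored_values(self) -> list:
        """What an auditor (or someone who obtains the ledger) can see."""
        return list(self._entries.items())


if __name__ == "__main__":
    ledger = ErasureLedger()
    ledger.record_erasure("John Doe")  # constructed sample subject
    print(ledger.was_forgotten("  JOHN   doe"))
    print(ledger.was_forgotten("Jane Doe"))
    print(ledger.stored_values())
```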