By Lori Schrameck and Celine Rodriguez
CSR Professional Services Inc.
In an attempt to push European data protection into the future of digital data handling, the European Union approved the General Data Protection Regulation (GDPR), which includes Article 17, the Right to Erasure, more commonly known as the Right to be Forgotten. Under this article, if there is no legitimate reason for a data controller to continue to process an individual's personal data, the individual can request to have his or her personal data removed by the data controller. Upon the debut of the Right to be Forgotten, legal experts focused on the compliance of search engines and their roles as data controllers, which might have led business owners to believe that this "Right to be Forgotten" applies only to entities with a large and overarching digital or online presence. However, this could not be further from the truth. The Article 17 requirement applies to all EU personal data held by the data controller.
For businesses in the United States that will fall under the GDPR's jurisdiction in May 2018, this may be a complete game changer. All U.S. companies that conduct business within the European Union, regardless of any physical presence, should determine now if they will be held to GDPR requirements. Preparation to meet these new laws may be substantial and with noncompliance fines of up to 4 percent of global annual turnover, it is an important consideration.
Businesses held by the obligations of a data controller must fully acknowledge and address the implications of the Right to be Forgotten. But where should a business begin? Admittedly, the GDPR has provided some specification for personal data removal. For instance, businesses are expected to establish a functional system for verifying the identity of the data subject making the removal request, as well as a system for accepting, processing or responding to removal requests within one month.
A business will need to recognize every type of personal data it possesses and exactly where that data is located in order to process the request; hence, a controller must meticulously track its personal data so it can later be removed upon request. There may be several locations for which businesses must keep track of their data, especially when companies have several branches or third-party vendors. The locations of personal data may be dependent on the type of personal data. Obvious data would be a name, address, email address, payment information and date of birth, but other data could include website or mobile device user information (IP address, page views, mobile device ID, geolocation, etc.), marital status, email or other correspondence, answers to surveys, or customer complaints. Also, you may have a record of services provided over a number of years, a transaction history, preference information, social network data or data obtained during security monitoring.
Data permanency, which has plagued businesses since the establishment of digital processing, may now contribute to issues in locating personal data. Previously, ensuring your business could save every kilobyte of data was considered a good thing. If pertinent information was deleted, there were backups and even backups for those backups. Nevertheless, unrestricted data retention will now be problematic not only for addressing erasure requests, but also for data retention restrictions.
The GDPR demands that businesses notify their third-party vendors about any data removal requests. After vendors have been notified, the businesses must then ensure that these vendors comply with these requests. Thus, a system for data tracking and removal should be sufficiently guaranteed in vendor contracts.
Tracking is not an easy task, especially online. Is the average small business owner aware of all the first- and third-party cookies his or her website utilizes? Has said business owner addressed restrictions for onward transfer of personal data by vendors? The GDPR also has a provision for data portability; in other words, an individual can ask a company to remove and transfer any of his or her personal data from the company's database to the individual's possession or directly to another controller. Of course, achieving data portability for all files and guaranteeing safe data transit can potentially be a massive undertaking.
In aggregate, all of these requirements are unfamiliar territory for most U.S. businesses. Creating and implementing the processes and procedures necessary for compliance may require an outside privacy consultant or appointment of an in-house data protection officer (which may be mandatory); yet, most businesses are undoubtedly reluctant to take this leap. In their defense, the tremendous amount of time, money and effort necessary, as well as other issues, make this hesitancy understandable.
The Right to be Forgotten has the potential to greatly decrease a company's customer database and historical data, which could be detrimental to that business's ability to adequately market to a larger consumer base or analyze consumer trends. This alone could be a sticking point, but that's not all: there may be data collected by a business that gives it an edge over its competition – are they now supposed to transfer that data to a competitor? Businesses can examine alternative methods, however, for continued preservation of at least part of the data. Pseudonymization would remove the identifying elements, allowing for continued trend analysis, storage of competitive data or other data as long as it does not permit re-identification.
Alternatively, what if the Right to be Forgotten were actually worth the trouble? Consider this: Article 17 is a call for a much-needed spring cleaning. Flushing out those one-time purchasers or customers who may not desire to do further business with a company might be beneficial in avoiding a large-scale breach, saving in digital data room or physical record storage, and creating marketing materials true to your current target. Sufficiently identifying and tracking personal data will also help to identify areas lacking in security or that you really don't need.
There are circumstances in which a business should not provide or remove personal data. Perhaps the information of more than one individual is combined, or it might contain certain health, social work, adoption or other similar data. In such cases, businesses should be prepared to document and explain their reasoning for not providing or removing personal data, and be able to address a response to the individual.
The Right to Erasure/Right to be Forgotten is part and parcel of future business, and the time for businesses to examine their personal data practices is now. Businesses should identify their need set and consider contracting with certified privacy professionals to assist with this monumental requirement. For additional information on the GDPR, see "GDPR: Why it affects businesses even outside of the EU," by Lori Schrameck, The Green Sheet, Sept. 26, 2016, issue 16:09:02.
Lori Schrameck, CIPP/US, is Manager of Operations and Celine Rodriguez is Operations Associate at CSR Professional Services, Inc., the home of Readiness Pro Edition and SIPO. Lori can be reached at firstname.lastname@example.org. For more information applicable to your merchant customers' business, contact CSR at 866-294-6971 or online at www.csrps.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.