What is the GDPR right to be forgotten?
The basic right to be forgotten (a.k.a. erasure) is quite simple: People should be in control of their data. This includes the right to demand that information about them be removed from company databases.
This right may follow other data privacy rights, such as the right to access data. After all, it makes sense that when customers learn what information companies gathered about them, they might want to remove at least some of it.
The right to be forgotten appears in both CCPA and Article 17 of GDPR, which provides that if the information is no longer necessary, the information gathered on that individual must be deleted from every public or business database, including backup systems.
So what makes it tough? The right to be forgotten presents several legal, ethical, and technical challenges.
Challenge 1: Regulatory nuances
Under both GDPR and CCPA, a request for erasure can be fully, or partially, denied in specific cases. So you need to understand when the right applies, when you can refuse a request, and what information you need to provide to individuals in such cases. Exemptions to deletion requests fall under 4 main categories:
The personal data your company holds is needed to exercise the right of freedom of expression
There is a legal obligation to keep that data
For reasons of public interest, such as public health, scientific, statistical, or historical research purposes
The request is manifestly unfounded or excessive. For example, the requesting individual systematically sends different requests to you on a weekly basis.
It is important to note that not all the exemptions apply in the same way, and you should look at each exemption carefully, to see how it applies to a particular request.
Challenge 2: Ethical considerations
A number of ethical questions arise from the right to erasure. We might wonder if this is a form of Internet censorship or if the public (in this case, anyone using the web) has a right to know.
In one case, the EU's top court ruled that Google does not have to apply the right to be forgotten globally. When Europeans request to remove links containing personal information about them, only links to search results in Europe must be removed - and not elsewhere. This ruling followed Google’s argument that the GDPR right to be forgotten obligation could be abused by authoritarian governments, in trying to cover up human rights abuses, were it applied outside of Europe.
Another case, recently discussed, involved cancer survivors’ right to delete medical information, which could create obstacles when applying for health insurance, or bank loans. The Netherlands announced that it would implement the right to be forgotten for cancer survivors following an agreement reached by the Dutch Council of Ministers. Still, many regions struggle with this, and other, complex dilemmas.
Challenge 3: Technical complexity
The right to be forgotten is also hard for enterprises to execute for technical reasons.
Here is why.
To delete data, you first need to know where it is. The IT landscape in enterprises is fraught with siloed systems across disparate on-premises and cloud platforms, and an individual’s data is typically fragmented, scattered, and inconsistent.
To exacerbate the situation, regulatory exemptions may apply to part of the data. In other words, the right to erase is not a binary (all or nothing) decision, but rather a complex decision-making process, that requires you to erase everything, except what is essential, or exempt.
And that’s not all. There are interdependencies between the fragmented pieces of an individual’s data. So, to ensure data integrity and consistency, the deletion process must be executed across all relevant IT systems – carefully, and in the right order. Roll-back capabilities should be built into the process to mitigate risks of possible system failures at any point in the process.
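The process described above (erase in dependency order, keep only exempt fields, roll back on failure) can be sketched as follows. This is an added example, not code from any product mentioned on this page; the system names, the dependency map, the exempt field and the `fail_in` switch are constructed assumptions.

```python
from graphlib import TopologicalSorter

# Constructed in-memory "systems": name -> {subject_id: record}. Names are hypothetical.
def sample_systems():
    return {
        "crm":       {"u42": {"email": "a@example.com", "name": "Ann"}},
        "billing":   {"u42": {"email": "a@example.com", "invoice_total": 120}},
        "marketing": {"u42": {"email": "a@example.com", "segment": "vip"}},
    }

# A system is erased only after the systems listed for it (those that reference it).
DEPENDS_ON = {"crm": {"billing", "marketing"}, "billing": set(), "marketing": set()}
# Fields retained under an exemption (assumed here: a legal obligation to keep invoices).
EXEMPT = {"billing": {"invoice_total"}}


def erase_subject(systems, subject_id, fail_in=None):
    """Erase one subject across all systems; restore everything on any failure.

    Returns (ok, audit). fail_in names a system whose outage is simulated.
    """
    order = list(TopologicalSorter(DEPENDS_ON).static_order())
    undo, audit = [], []
    try:
        for name in order:
            store = systems[name]
            if subject_id not in store:
                continue
            if name == fail_in:
                raise RuntimeError(f"{name} unavailable")
            before = dict(store[subject_id])      # snapshot taken for rollback
            undo.append((name, before))
            kept = {k: v for k, v in before.items() if k in EXEMPT.get(name, ())}
            if kept:
                store[subject_id] = kept          # partial erasure: exempt fields stay
            else:
                del store[subject_id]             # full erasure
            # Audit entry: (system, fields erased, fields retained)
            audit.append((name, sorted(set(before) - set(kept)), sorted(kept)))
    except Exception as exc:
        for name, before in reversed(undo):       # undo in reverse order
            systems[name][subject_id] = before
        return False, [("rollback", str(exc))]
    return True, audit
```

The rollback snapshots hold the very data being erased, so a real implementation has to discard them once the last system has committed.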
Overcoming the challenges
The right to be forgotten is just one of multiple rights granted to individuals under data protection laws. And these rights are but one aspect of privacy regulation requirements. Today's companies must navigate in a sea of complex ethical issues, and under rapidly changing regulatory conditions. To effectively face these challenges, enterprises need an integrated framework of internal controls that set the ethical tone for the organization, align employees, and manage their customers' data transparently.
When it comes to implementing regulatory compliance, such as right to be forgotten requests, GDPR and CCPA compliance software based on a data fabric architecture provides the agility and scalability needed for enterprise-scale privacy compliance. It provides advanced capabilities, including: Data Discovery, to find an individual’s Personal Information (PI), and Personally Identifiable Information (PII); Orchestrated Deletion procedures, based on complex business rules and policies; and complete Tracking for Audit purposes. These capabilities provide companies with the precision they need to erase the requested information, while eliminating the need to invest many hours of work, and hefty budgets, in this task.