Right to be forgotten requests: how to ensure your business doesn’t grind to halt

GDPR is the most comprehensive data protection legislation to date and it's revolutionizing the information security landscape. The impending enforcement of the regulation is forcing organizations to understand, and transform, the way they collect, process and store data. One of the most challenging aspects of the legislation is the ‘right to be forgotten’ (RTBF), the ruling that dictates organizations must remove or delete upon request an individual’s data, as long as there is no compelling requirement to keep it.

For most organizations, handling the right to be forgotten is expected to be time and resource intensive, and it’s likely that businesses will be inundated with requests from consumers and employees alike. We recently surveyed 600 senior business decision makers and 1,200 employees across the UK, US, Germany, and Australia to find out whether they would be exercising their right to be forgotten and the impact this would have on their organizations.

According to our research, a staggering 75% of employees are likely to request an organization to delete their data. Receiving and processing such a large volume of requests is something most organizations will have zero experience in handling. So much so that almost half (48%) of business decision-makers believe that the sheer number of requests will have serious consequences for their business, slowing down productivity as resource is allocated to dealing with these requests. 

The expected RTBF deluge is comparable with DDoS attacks, with companies becoming overloaded with so many requests that their services stop entirely. A small number of business decision-makers have suggested that this will be the case, with 5% saying that their organization would grind to a halt.

Holding back the flood: ensuring you’re prepared for the incoming requests

The time it takes to hunt through your systems, networks, back-logs and of course, your wider supply chain for a single individual’s data could take days, varying by how much, how old and how difficult the data is to find. 

Preparing for something that most organizations have never had to deal with before is a challenge, but getting it right will mean better data governance across your organization, improved data security, and subsequently, an increase in trust amongst your employee, partner and customer bases. Below are some considerations and actions you can take to help you prepare for RTBF requests: 

People

Storing information in the wrong places, using shortcuts and sharing information with the wrong people are just some of the mistakes employees make that can make it harder to conduct RTBF requests. Companies need to understand how their employees process, share and store information, and then look at implementing education or awareness programmes to develop correct processes for handling critical data. You need visibility of where the relevant data is before you can delete it and people are critical to doing this. 

What’s more, educating employees about how to safeguard critical information and why, will develop a sense of data consciousness across departments to help you reach GDPR compliance.

Process

Organizations need to balance an understanding of their data landscape with a wider knowledge of the day-to-day practices of the business, including the possible pitfalls. For example, the duplication of data makes finding and deleting it that much harder. If you’re not aware that your staff are copying data (eg. to USB’s, personal devices or email accounts) then you’re unlikely to conduct RTBF request correctly.

Define approaches for how you will locate and manage GDPR relevant data and assign responsibility for actioning the request in different departments.  Remember, even when information goes outside of your organizations, it’s still your responsibility.

Technology

Certain technologies will be invaluable for helping organizations achieve GDPR compliance and handle RTBF requests.  Leveraging technology to undertake a ‘data discovery’ exercise will help you obtain visibility of where all GDPR relevant data is stored across your organization – on desktops, notebooks, servers, networks and Cloud shares. Once you know where critical data is located, it will be far easier to conduct a RTBF request further down the line.

Adaptive email and web solutions can be used to maintain visibility of critical data flowing in and out of your organization, and control over what data can be shared. Policies can be created to automatically strip or redact PII data out of any messages or files shared across email or the web, before that data can be exposed to unauthorized recipients, ultimately protecting your organization from inadvertent or malicious data breaches. 

When receiving RTBF requests, you should be aware that the right to erasure does not provide an absolute ‘right to be forgotten’. If that data has a legitimate use, then you will not need to delete it. For example, transaction data cannot be deleted in an arbitrary manner. Similarly, if you run a doctors surgery, then you wouldn’t be required to delete a patient’s data.

Contact the Clearswift team for a discussion to learn about how we can help your organization discover where critical data resides, prepare for a right to be forgotten request and become compliant with the GDPR before it is enforced.

Additional Information

Data Discovery with the Clearswift Critical Information Protection (CIP) Management Server and Agent

Clearswift SECURITY+: when you need more, but can’t afford to throw out what you have

Information Governance and Compliance

Getting ready for GDPR: key actions to ensure your organization is compliant