Weaponizing GDPR: When Right to Be Forgotten (RTBF) Gets Ugly

It is estimated that just 61% of UK businesses were ready for the General Data Protection Regulation (GDPR) when enforcement began on 25 May 2018, meaning almost 40% of organizations are not compliant with the new rules. Many of these companies assume that the authorities will not go after smaller businesses and will instead make an example of the big brands, so they expect to escape fines for non-compliance. Organizations should, however, be wary of threats beyond the official enforcers and look at the wider repercussions of GDPR.

An inadvertent and unfortunate consequence of GDPR is that a right-to-erasure request is now free to submit, which makes it much easier to have your data removed. Our research found that only 34% of organizations have successfully completed a ‘right to be forgotten’ (RTBF) request, so there is real potential to weaponize the regulation, giving hacktivists a new way to drain a company’s resources and grind its business to a halt.

A single request is relatively easy to handle, as long as you know where the data is stored, and must be completed within one month of receipt (GDPR allows this to be extended by up to two further months where the complexity or number of requests makes it necessary, provided the requester is told why within the first month). If an organization is inundated with requests that all arrive on the same day, the picture changes: a backlog builds up, drains resources and can bring routine activity to a halt; a company that simply cannot cope could, in the worst case, be put out of business. The effect is comparable to a Distributed Denial of Service (DDoS) attack: the company is overloaded with so many requests that its services stop entirely. GDPR does let an organization refuse, or charge a reasonable fee for, requests that are manifestly unfounded or excessive (repetitive ones in particular), but it must be able to demonstrate that, and every request still has to be acknowledged and answered, so the burden does not disappear.

To prepare for a flurry of RTBF requests, every organization needs a plan that streamlines its processes and makes each request as easy as possible to deal with:

Education is key

  • The first thing to consider is whether your workforce knows what to do when one RTBF request comes in, let alone hundreds. Educating all employees on how to handle a request, including whom to notify within the company and how to respond to the requester, is essential to ensuring requests are dealt with correctly. A request should also be treated like any other security-sensitive action: confirm that the requester is who they claim to be before erasing anything (GDPR permits asking for additional information to confirm identity), otherwise the same channel can be used to delete someone else’s data. Once there is a clear process for handling one request, it will be easier to deal with many arriving at once.

Know your data

  • In addition to knowing what to do when a request comes in, the team that will complete it must know where all the data is stored. This matters even more when multiple requests arrive, as it ensures valuable time is not wasted tracking down stray data. ‘Data discovery’ technology helps here: it gives visibility of where all GDPR-relevant personal data sits across the company, whether on desktops, notebooks, servers, network shares or in the cloud. Remember that backups and copies held by third-party processors count too, and discovery tools may not reach them. Once you know where that data is located, removing every trace of a customer and completing the request becomes far easier.

Understand data flows

  • Once your GDPR team knows where data is stored, responding to a RTBF request becomes easier, but it doesn’t stop there. GDPR preparation is continuous: it does not finish once you have completed a data discovery exercise, because you also need to know how data is handled at all times. Adaptive email and web security solutions can maintain visibility of the critical data flowing in and out of the company and control what data can be shared with whom. Our Secure Email Gateway, for example, lets you create policies that automatically redact sensitive data from messages or files before they reach unauthorized recipients. This protects the organization from accumulating stray copies of personal data that could complicate completion of a RTBF request, and it ensures that if multiple requests arrive at once, no further resources are wasted tracking down unstructured data.
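One way to turn the three points above (a defined process, a data map from discovery, and an audit of what was actually erased) into a burst-tolerant workflow, as an added example that is not code from the page or from Clearswift: the `DataMap` below is a hypothetical stand-in for the output of a data-discovery exercise, the day counter replaces real dates, and the requests in `demo()` are constructed sample input. Triage collapses a flood into a work queue by rejecting malformed requests, holding unverified ones, and merging repeats for the same subject (the one-month clock started at the first receipt); processing then erases from every registered store and records an audit entry, including requests for subjects about whom nothing is held, which still need a reply.

```python
"""Burst-tolerant triage and processing of right-to-erasure (RTBF) requests.

Added example, not the page's or Clearswift's code. DataMap is a hypothetical
stand-in for a data-discovery inventory; requests and day numbers are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DEADLINE_DAYS = 30  # respond within one month of receipt (GDPR Art. 12(3))


@dataclass
class ErasureRequest:
    request_id: str
    subject_email: str
    received_day: int       # day the request arrived (constructed day counter)
    verified: bool = False  # requester identity confirmed via a separate channel


@dataclass
class DataMap:
    """Which stores hold data for which subject: the result of data discovery."""
    stores: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))

    def register(self, store: str, email: str) -> None:
        self.stores[store].add(email)

    def locate(self, email: str) -> list[str]:
        return sorted(s for s, subjects in self.stores.items() if email in subjects)

    def erase(self, email: str) -> list[str]:
        touched = self.locate(email)
        for store in touched:
            self.stores[store].discard(email)
        return touched


def normalise(email: str) -> str:
    return email.strip().lower()


def triage(requests: list[ErasureRequest]) -> tuple[list[ErasureRequest], dict[str, str]]:
    """Collapse a burst into (queue ordered by due date, {request_id: reason dropped/held}).

    Malformed identifiers are rejected; unverified requests are held, because
    erasing on an unverified demand lets an attacker delete someone else's data;
    repeats for one subject are merged and the earliest receipt date is kept.
    """
    by_subject: dict[str, ErasureRequest] = {}
    dropped: dict[str, str] = {}
    for req in requests:
        email = normalise(req.subject_email)
        if not EMAIL_RE.match(email):
            dropped[req.request_id] = "malformed subject identifier"
            continue
        if not req.verified:
            dropped[req.request_id] = "held: identity not verified"
            continue
        current = by_subject.get(email)
        if current is None or req.received_day < current.received_day:
            if current is not None:
                dropped[current.request_id] = f"duplicate of {req.request_id}"
            by_subject[email] = ErasureRequest(req.request_id, email, req.received_day, True)
        else:
            dropped[req.request_id] = f"duplicate of {current.request_id}"
    queue = sorted(by_subject.values(), key=lambda r: (r.received_day, r.request_id))
    return queue, dropped


def process(queue: list[ErasureRequest], data_map: DataMap, today: int) -> list[dict]:
    """Erase each queued subject from every registered store and build an audit log."""
    audit = []
    for req in queue:
        stores = data_map.erase(req.subject_email)
        audit.append({
            "request_id": req.request_id,
            "subject": req.subject_email,
            "stores_erased": stores,  # [] means no data held: a reply is still owed
            "overdue": today > req.received_day + DEADLINE_DAYS,
        })
    return audit


def demo() -> tuple[list[dict], dict[str, str]]:
    """Constructed burst: duplicates, a malformed id, an unverified request, an unknown subject."""
    dm = DataMap()
    dm.register("crm", "alice@example.com")
    dm.register("backups", "alice@example.com")
    dm.register("mailing-list", "bob@example.com")
    burst = [
        ErasureRequest("r1", "Alice@Example.com", 10, verified=True),
        ErasureRequest("r2", "alice@example.com", 10, verified=True),  # same-day repeat
        ErasureRequest("r3", "bob@example.com", 12, verified=True),
        ErasureRequest("r4", "not-an-email", 12, verified=True),
        ErasureRequest("r5", "carol@example.com", 12),                # not verified
        ErasureRequest("r6", "dave@example.com", 9, verified=True),   # nothing held
    ]
    queue, dropped = triage(burst)
    return process(queue, dm, today=41), dropped


if __name__ == "__main__":
    for entry in demo()[0]:
        print(entry)
```

The queue is ordered by due date rather than arrival order, so in a flood the oldest requests are worked first and the `overdue` flag shows where the one-month limit has already been missed; the `dropped` map is what you would keep as evidence if you later argue that repeated requests were excessive.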

If your organization is targeted by hacktivists in this way, the thing to remember is not to panic. With the processes and technologies in place, dealing with each request should be straightforward, because you will have complete visibility of, and a handle on, the data. Streamlining data retrieval and erasure will make it easier for your business to complete RTBF requests and ultimately to defend itself against malicious uses of GDPR.

Contact the Clearswift team to learn more about how we can help you protect your business against malicious GDPR activity.