By Lindsey Ullian.
When it went into effect in May 2018, Europe’s General Data Protection Regulation (GDPR) enacted important protections around consumer data, something that had been sorely needed for some time. For too long, businesses had played fast and loose with what personally identifiable information they chose to aggregate and had been lax in informing people when their information had been compromised. GDPR brought badly needed rules for what personal information companies can store and for how and when they must notify impacted parties that their information has been compromised, and perhaps most importantly, it gave consumers the opportunity to “opt out” of having their information collected. However, despite all the good it has done, the GDPR’s “Right to Erasure” requirement remains a source of confusion for organizations and consumers today. Vague language within the legislation has raised concerns around whom the requirements apply to and the proper process for handling a request.
According to GDPR regulations, there are several key factors that go into a right to erasure request:
- The GDPR introduces a right for individuals to have personal data erased
- Individuals can make a request for erasure verbally or in writing
- Companies have one month to respond to a request
- The right is not absolute and only applies in certain circumstances
Confused yet? Let’s walk through some of the issues that have arisen in response to the right to erasure requirements.
The SMB GDPR Challenge
GDPR applies to ALL companies that hold personal information from a European citizen. While we tend to think of major multinational companies when considering who is impacted by GDPR, the Internet has made it possible for smaller organizations to tap into foreign markets. So even some of the smallest organizations need to be GDPR compliant, which can be incredibly difficult for resource-strapped SMBs. Small businesses are constantly understaffed, particularly within the IT and security departments, which makes GDPR compliance a huge undertaking because it often falls to a single person or a small group. There have been some rumblings about adjusting the size of company this legislation applies to, but for now everyone from small mom-and-pop shops to startups has the same compliance requirements as the world’s largest companies.
Transparency is the Key to Request Fulfillment
Most organizations have only a vague idea of where all their data is stored. So deleting a specific person’s information when you don’t even know where it’s housed is obviously an enormous challenge for most companies.
The best way to prepare the organization for right to erasure requests is to map out where all personal information is located within the organization’s infrastructure, whether on-premises or in the cloud. In order to establish a single version of the truth, security and IT teams need to proactively align policies and technology to create transparency within their IT environment. It is also important for organizations to apply policies that mend any gaps in their cybersecurity processes while creating an inventory of the tools that interact with personal information.
Visibility is incredibly helpful in allowing businesses to move quickly and efficiently to comply with right to erasure requests. A best practice is to centrally collect and view data from all environments, comprehensively leveraging the visibility tool to detect, deny, and disrupt threats. If you choose to use a visibility tool, ensure it has host-based, behavioral detection to give you complete, widespread visibility into your environment.
Once the data mapping exercise is complete, security and IT teams should conduct a stress test to determine whether the process works end to end. GDPR requires all right to erasure requests to be processed within a month, so it’s important for IT and security teams to make sure they can execute efficiently on any such request.
The Consumer isn’t Always Right
It’s important that businesses understand that if GDPR is confusing for them, it’s also confusing for the average consumer. When GDPR was first enacted we were deluged with right to erasure requests that clearly demonstrated each person’s knowledge (or lack thereof) of the statute. A few lessons we have learned so far working through right to erasure requests:
- Make it easy for people to differentiate between web email opt-outs and legitimate right to erasure requests. Businesses with effective marketing and communications programs deliver a valid service that many people are willing to offer their personal information for. Security leaders shouldn’t throw the baby out with the bath water; their compliance plans should clearly delineate between someone who simply doesn’t want to receive a company’s weekly newsletter and someone who wants their data erased entirely.
- GDPR doesn’t allow for group right to erasure requests. We received a handful of right to erasure inquiries that tried to also cover their co-workers, spouse, children, parents, friends, and just about everyone else the person knew. The legislation requires one request directly from an individual.
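As an added illustration (not code from the author or the original post) of how the data mapping and the two lessons above fit together, the following Python script takes a request intake record, separates opt-outs from erasure requests, rejects requests that name more than one person, computes the one-month response deadline, and builds an erasure work order from a constructed inventory of data stores. The store names, field names and keyword triage are hypothetical.

```python
import calendar
from dataclasses import dataclass
from datetime import date

# Constructed result of a data-mapping exercise: each store (on-premises or
# cloud) and the personal-data fields it holds. Names are placeholders.
PII_INVENTORY = {
    "crm.on-prem": {"email", "name"},
    "newsletter.saas": {"email"},
    "support-tickets.cloud": {"email", "phone"},
    "backups.s3": {"email", "name", "phone"},
}

@dataclass
class Request:
    received: date   # date the request arrived, whether verbal or written
    text: str        # what the person asked for, as recorded at intake
    subjects: list   # one dict of identifiers per person the request names

def parse_date(iso: str) -> date:
    return date.fromisoformat(iso)

def one_month_after(d: date) -> date:
    """Response deadline: same day next month, clamped to that month's end."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def classify(text: str) -> str:
    """Hypothetical keyword triage separating erasure requests from opt-outs."""
    t = text.lower()
    if any(w in t for w in ("erase", "erasure", "delete my", "forgotten")):
        return "erasure"
    if any(w in t for w in ("unsubscribe", "opt out", "opt-out", "stop sending")):
        return "opt-out"
    return "unclear"

def triage(req: Request, inventory=PII_INVENTORY) -> dict:
    """Route a request; for a valid erasure request, build the work order."""
    kind = classify(req.text)
    if kind != "erasure":
        return {"action": kind, "deadline": None, "work_order": {}}
    if len(req.subjects) != 1:  # one request must come from one individual
        return {"action": "reject-group-request", "deadline": None, "work_order": {}}
    ids = set(req.subjects[0])
    # Every store whose mapped fields overlap the identifiers supplied
    work_order = {store: sorted(fields & ids)
                  for store, fields in inventory.items() if fields & ids}
    return {"action": "erase", "deadline": one_month_after(req.received).isoformat(),
            "work_order": work_order}
```

An "unclear" result is the case where the intake team should go back to the requester before the clock runs down.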
We know that EU legislators intentionally wrote GDPR in overly broad language because they wanted to see how businesses acted before making modifications. This pragmatic approach is great in theory, but there’s no timetable for when many of these issues will be ironed out. So, while changes may be coming, organizations need to make sure they are GDPR compliant now to avoid penalties. And while there are challenges to GDPR compliance, there are also opportunities to create visibility and control over consumer data in corporate systems. Rather than being overwhelmed by the requirements, companies should view GDPR as an opportunity to take responsibility for their infrastructure, which will not only help with right to erasure requests but also improve their security posture.