Inside Internal Controls

News and discussion on implementing risk management

Learning the basics on GDPR’s right to be forgotten

Now that the European Union’s General Data Protection Regulation is nearly here, it’s time for ethics and compliance officers to panic more efficiently about all the challenges that lie ahead. One good place to start: how to fulfill the GDPR’s right to be forgotten.

Conceptually, that right is easy to understand — which is what makes it such a formidable compliance challenge. EU citizens will assume they can first exercise their right of access under the GDPR, to see all the personally identifiable information (PII) your company has collected about them.

Then they should be able to hit the delete key and the PII vanishes, right? How hard can that be?

Of course, in reality the right to be forgotten is a Jenga puzzle of policy management headaches, IT capabilities, exception clauses, and customer service demands. Configure any one of those concerns the wrong way, and the whole contraption can come crashing down.

The customer may not always be right

Organizations have two fundamental challenges with the right to be forgotten. First, you need to provide some way for consumers to request that their data be destroyed.

That process should be designed for simplicity, because the GDPR also stipulates that EU citizens can submit their requests verbally. Yes, you’ll also need a policy, procedure and training so employees know how to field those verbal requests, but let’s not kid ourselves — the main goal should be to design some self-service vehicle for consumers, so they can view their PII and delete it themselves.

The GDPR has numerous exceptions to the right to be forgotten. For example, you cannot delete data that might be necessary to fulfill regulatory compliance obligations. You can also deny a request if the data is necessary to establish or defend legal claims.

Now, litigation holds and regulatory record-keeping obligations are nothing new to compliance officers. But balancing litigation holds on one side and consumers wanting to delete their PII immediately on the other — that is new.

At a practical level, that tension means this: the easiest IT solution to alleviate your right-to-be-forgotten workload increases the importance of getting your e-discovery and litigation hold processes right.

Yes, your organization can take some time to confirm that a consumer’s data can be forgotten, but the GDPR also specifies that a request must be answered “without undue delay.” Consumers tend to interpret that phrase as “right now.”

That’s going to require delicate work developing new policies and procedures for identifying data that can be deleted, long before a consumer actually asks for deletion.

Enter data governance

A separate challenge will be to know where all of a person’s PII resides within your organization. For example, the credit department might store customers’ financial information in a database hosted by a third party, while the sales team records customers’ birthdays in a spreadsheet on a shared corporate server.

How would the company know that? How would it ensure that when a customer does demand to be forgotten, the PII will be struck from both locations?

This underlines the importance of data governance for GDPR compliance. The company will need to understand the business practices that result in the creation of PII, and the secondary business practices that process and store PII.

Your company can take (and should already have taken) preliminary steps such as inventorying all PII in its possession and auditing third parties that store or process PII on its behalf. Others have discussed those elements of GDPR compliance already.

From here forward, compliance officers need to consider two other questions. First, how can you address PII leakage — the possibility that an employee or third party stores PII in an unapproved location? Second, how can you reduce the amount of PII you have by eliminating the “PI” part?

For example, you could address leakage through policies and compliance training to tell employees: “don’t download PII and store it on your laptop.” Or you could team with the IT security department to implement strict end-user controls that prevent downloads. The former still allows the risk of employees violating policy; the latter is more expensive. The compliance officer’s job is to figure out which choice makes the most sense, given your data collection practices and the company’s tolerance for compliance risk.

If you stop collecting information that’s personally identifiable, you cut GDPR risk. You also lose the ability to personalize outreach campaigns. Again, the compliance officer’s job is to figure out which choice is best, given the risks your company has and your organizational appetite for them.

What to remember about the right to be forgotten

  • Build an ability for customers to access their PII and request that it be deleted
  • Understand the circumstances when you don’t need to fulfill the right to be forgotten
  • Develop the right data governance processes to identify and monitor PII
  • Adopt policies for managing PII that fit your company’s risk appetite
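The four points above describe one workflow: locate every copy of a subject's PII, serve the access request, then erase what is not covered by a regulatory or legal-claims exception and record why the rest was kept. The following Python sketch is an added example (not from the original post or any product) that models that workflow over a constructed data map; the store names, subject id and hold reason are all made up.

```python
from dataclasses import dataclass, field

@dataclass
class Record:
    """One copy of a subject's PII in one store (store names are constructed)."""
    store: str
    subject_id: str
    fields: dict

@dataclass
class ErasureResult:
    deleted: list = field(default_factory=list)    # stores the PII was struck from
    retained: dict = field(default_factory=dict)   # store -> reason it had to be kept

class DataMap:
    """Inventory of every location holding PII, plus the holds that block erasure."""
    def __init__(self):
        self.records = []
        self.holds = {}   # (subject_id, store) -> regulatory or legal-claim reason

    def register(self, record):
        self.records.append(record)

    def place_hold(self, subject_id, store, reason):
        """Litigation hold / record-keeping obligation, maintained by the legal process."""
        self.holds[(subject_id, store)] = reason

    def access(self, subject_id):
        """Right of access: everything held about the subject, grouped by store."""
        return {r.store: dict(r.fields) for r in self.records if r.subject_id == subject_id}

    def erase(self, subject_id):
        """Right to be forgotten: delete every copy not under a hold and report,
        per store, what was kept and why, so the subject can be answered promptly."""
        result = ErasureResult()
        for r in [x for x in self.records if x.subject_id == subject_id]:
            reason = self.holds.get((subject_id, r.store))
            if reason:
                result.retained[r.store] = reason
                continue
            self.records.remove(r)
            result.deleted.append(r.store)
        return result

def demo():
    """Constructed data: one subject in two stores, the credit record under a hold."""
    dm = DataMap()
    dm.register(Record("credit_db_thirdparty", "cust-042", {"name": "A. Example", "credit_limit": 5000}))
    dm.register(Record("sales_spreadsheet", "cust-042", {"name": "A. Example", "birthday": "1980-01-01"}))
    dm.place_hold("cust-042", "credit_db_thirdparty", "litigation hold: pending claim")
    before = dm.access("cust-042")
    result = dm.erase("cust-042")
    return before, result, dm.access("cust-042")
```

The point the model makes visible is that erasure is rarely all-or-nothing: a copy the company never inventoried is never deleted, and a copy under a hold must be retained with its reason on record.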

By Matt Kelly

Ethics & Compliance Matters™ is the official blog of NAVEX Global®. All articles posted on the Inside Internal Controls blog originally appeared on NAVEX Global’s Ethics and Compliance Matters blog. Use the news, insights and best practices you find there to stay ahead of GRC trends and take your compliance program to the next level.