Enterprises doing business in the European Union need to be able to address the General Data Protection Regulation's right to be forgotten clauses or face hefty fines. The new regulations expand the definition of personally identifiable information to include data like IP addresses and pictures. This can be challenging, since data managers may not know where all PII data is stored or how to easily delete it. Furthermore, employees may generate shadow data containing PII that also needs to be reduced or eliminated.
Some good practices for complying with the GDPR include coming up with a clear policy and surveying business intelligence. In addition, it's important to set a practice for indexing emails that include PII. Enterprises should also consider improving understanding of the use of PII outside the normal IT infrastructure in order to comply with the GDPR right to be forgotten.
1. Define what to forget
The GDPR right to be forgotten does not mean enterprises need to delete everything related to an individual. For example, an enterprise needs to maintain a record of an individual's desire not to be tracked, which would include personally identifiable information (PII). In some industries, companies are required by other laws related to anti-money laundering regulations to keep comprehensive data about individuals. However, enterprises do need to come up with a clear policy about what data is deleted in response to a request to be forgotten.
Jeff Nicholsonvice president of CRM product marketing, Pegasystems
"Every business must come up with their own declared interpretation of what constitutes proper compliance," said Jeff Nicholson, vice president of CRM product marketing at Pegasystems. Some businesses may argue that their company may have a legitimate interest to PII such as names, addresses, email addresses, as they need this information to bill customers for services rendered. It may also be a good practice to erase the PII and assign a random identifier to anonymize the data, so that the remainder may still be used for the training of analytical training models. In other instances, some companies may erase the data all together.
2. Survey business intelligence systems
Modern enterprises are creating complex business intelligence and AI analytics tools to make better decisions and improve the customer experience. This could make it more difficult to adhere to GDPR right to be forgotten clauses since the data is stored outside of a customer record.
"Manually searching and mapping out where the data originated through its lifecycle and finding all the places it landed is extremely time-consuming and inaccurate," said Amit Rahav, vice president of marketing and customer success at Secret Double Octopus, an authentication vendor. In some cases, it is impossible to know this information, which leaves enterprises noncompliant and vulnerable to hefty fines. A metadata management tool and process can identify many uses of data, but it's important to ensure that they also extract metadata from reporting systems.
"Data managers need to know where all a data subject's data is stored in order to be able to delete it," said Andrew Burt, chief privacy officer and legal engineer at Immuta, a data management platform for data science. Any opportunity to inject efficiencies into the process of data governance will help inject visibility into the data science environment, which will help enable data subjects to assert their GDPR right to be forgotten.
"There's a 'memos and meetings' approach to granting access to data, which is how we at Immuta refer to the antiquated way of accessing and controlling data," Burt explained. "It's highly manual, it's highly analog and it simply doesn't scale." Data managers need to move away from that model, so they can integrate and manage the volume of data they're being asked to manage, and do so in a compliant way.
3. Don't forget the emails
Employees sometimes need to include PII in emails as part of their work processes. "Keeping tabs on personal data exchanged in emails will be a huge challenge for data managers," said Oussama El-Hilali, vice president of products at Arcserve, a data privacy management vendor. The GDPR right to be forgotten means that these emails must be found and deleted if they receive a subject access request from an individual exercising their right to see the personal data that a company has collected on them.
Finding and retrieving these files can quickly become challenging because of the massive volume of emails sent and received daily by organizations. This will affect the way that companies process, archive and access emails. Data managers should consider creating or using tools to easily organize and search email archives for this data. Once records have been located, a data manager can respond to an inquiry to share what records exist, and then the individual can decide whether to request action. A good practice is to implement a process for automatically deleting emails when requested.
4. Educate employees about shadow data
One of the challenges data managers face in addressing the GDPR right to be forgotten is the generation of shadow data that contains PII outside of normal business processes. Employees often unknowingly generate shadow data during everyday online activities such as checking emails, scanning credit cards or engaging in social media. "Shadow data is difficult to track, and thus difficult to forget," said Colleen Huber, product manager of content design and development at MediaPro, a security and privacy training provider.
A key way to address this issue is employee education. This involves facilitating a shared understanding around the dangers of oversharing data, using unapproved cloud apps and general mismanagement of sensitive data. All of these can contribute to the shadow data issue and exacerbate the larger data management challenges that IT departments attempt to overcome daily, Huber said.